LockBit may have stolen 24 years of data on Canadian government employees

A data breach affecting Canadian government, military and police employees may involve 24 years’ worth of personal and financial information, officials announced Friday. The Treasury Board of Canada Secretariat released a statement warning anyone who used relocation services from government contractors BGRS or SIRVA Canada since 1999 that their data could have been compromised. Meanwhile, ransomware gang LockBit has claimed responsibility for the attack.

The BGRS/SIRVA breach was first made public by government officials on Oct. 20 in a notice to military and civilian personnel, which contained little information about the attack’s scope. The notice came after relocation services were interrupted and BGRS’s website went offline on Sept. 29, according to CBC. Officials now say information from current and former government of Canada, Canadian Armed Forces (CAF) and Royal Canadian Mounted Police (RCMP) personnel was likely involved in the breach.

“At this time, given the significant volume of data being assessed, we cannot yet identify specific individuals impacted,” the Treasury Board said Friday. “However, preliminary information indicates that breached information could belong to anyone who has used relocation services as early as 1999 and may include any financial information that employees provided to the companies.”

The incident was also reported to the Canadian Centre for Cyber Security, the Office of the Privacy Commissioner and the RCMP. The government is working with BGRS and SIRVA to investigate the incident and to ensure that vulnerabilities exploited in the attack have been addressed. A Treasury Board of Canada Secretariat spokesperson told SC Media on Monday they had no further details to provide, but that information will continue to be shared as it becomes available.

LockBit claims it stole 1.5 TB of data from Canadian government

Ransomware gang LockBit claimed responsibility for the attack on its dark web leak site on Oct. 17, according to a screenshot published by BleepingComputer. The group alleges it stole more than 1.5 TB of documents and “3 full backups of CRM” from SIRVA’s Europe, North America and Australia branches. As of Nov. 20, LockBit’s site stated the group published “all available data.” Government officials did not confirm the identity of the perpetrator or exact volume of data stolen in public statements.

The Canadian government has used BGRS’s services since 1995 and the contractor facilitates more than 14,000 relocations of CAF members per year, according to an overview on BGRS’s website. The government has also contracted with SIRVA Canada since at least 2009, government records show. SIRVA and BGRS merged in August 2022. SC Media reached out to SIRVA for comment on Monday but received no response.

DomainTools VP of Research and Data Sean McNee told SC Media the breach highlights the challenges of securing information provided to third-party companies.

“The modern interconnected supply chain within which large enterprises and governments operate creates opportunities for persistent threat actors, such as LockBit, to operate,” McNee said. “This is true regardless of how well-designed or implemented these networks are — their required complexity unfortunately invites unwanted attention.”

The government is offering services to all current and former employees of the government, CAF and RCMP who relocated with BGRS or SIRVA Canada over the last 24 years, including credit monitoring and reissuing of passports. Officials also urged those potentially affected to update their login credentials, enable multi-factor authentication and monitor their online accounts for unusual activity.

McNee concurred with the government’s advice, adding that the age of the data calls for some additional precautions.

“We also suggest citizens consider changing the answers to any security or account recovery questions they have to critical online accounts, as the ‘correct’ answers to such questions, like, ‘What street did you live on in 2005?,’ could be contained in the leaked information,” said McNee.
