A devastating third party data breach may have exposed some highly sensitive information involving Canada’s military and police, and hundreds of thousands of government employees may have had sensitive personal and financial information exposed as well.
Some of the details are still up in the air, but the Canadian government has confirmed a serious breach of two relocation services contractors after a public claim of an attack by LockBit. The hacking group has since said that negotiations have failed and has dumped stolen files to the dark web, something that potentially exposes the country’s troop deployments dating as far back as 1999.
Files thought to be highly secure again exposed by a third party data breach
LockBit says that it stole (and has subsequently dumped) 1.5 TB of files taken from two government relocation services contractors: Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services. The two companies agreed to a merger in August of last year, but it remains unclear to what extent BGRS was exposed, as LockBit mentioned only SIRVA in its dark web portal postings.
The Canadian government does not yet have an impact assessment or a count of the number of victims, but it is already offering credit monitoring services and passport re-issuance to government employees who may have had data exposed. In addition to the military and the Royal Canadian Mounted Police, the relocation services have been used by a broad range of government agencies for some time. BGRS has been a government contractor since 1999, and SIRVA has been one since at least 2009.
The incident continues a general trend of ransomware groups skipping the encryption step altogether when the data they steal is valuable enough to extort on its own, and a pattern for LockBit in particular of reaching well-defended organizations through third party data breaches of their less secure vendors. LockBit also apparently held to its newly announced policy of offering no more than a 50% discount on its extortion demands, claiming that it started at $15 million and came down to $7.5 million before a $1 million counter-offer caused it to cut off negotiations.
Third party data breaches remain difficult to address, because the organization whose data is at stake has little control over a vendor's security beyond whatever it can mandate and verify through contracts, and often no visibility at all into the vendor's own suppliers.
Government employees may have had identification and financial information exposed
The government issued an initial notification of the BGRS breach in late October, and only recently updated it to include SIRVA after that firm was named by LockBit in its dark web postings. At least one of the intrusions apparently happened in September, and LockBit says that it was in negotiations from October 6 to 19.
It is impossible to say exactly how many government employees are impacted at this point, but the BGRS website indicates that it handles about 20,000 relocations per year; over roughly 24 years as a contractor, that puts the upper bound at about half a million people if those numbers are accurate and the stolen files span the full period.
Another point that has yet to be clarified is exactly how BGRS was originally breached. It is entirely possible that this was a third party data breach of a third party, since the company's website has also said that it has some 8,000 vendors of its own, any one of which could have been the initial point of entry.