The Office of the Information and Privacy Commissioner of Ontario (IPC) has concluded its review of a privacy breach that occurred almost a year ago in Durham Region. The breach was traced to the region’s use of Accellion File Transfer Appliance (FTA) software, a product that has been linked to breaches in organizations around the world as part of a massive spree of cyberattacks.

Developed by American technology company Accellion Inc. (now known as Kiteworks), Accellion FTA is a 20-year-old legacy product used for large file transfers. As of April 30, 2021, the company no longer provides support for the software.

Although the cyberattack is believed to have occurred on or around January 20, 2021, the region only became aware of it on March 25, 2021, when it received a ransom notification. The region took immediate steps to secure its systems and notify police of the breach.

The region sent notices to individuals whose personal information and personal health information were potentially affected by the breach and posted information about the cyberattack on its website. It also set up a dedicated call centre for inquiries from the public about the incident and offered free credit monitoring services to individuals whose financial information may have been affected by the breach.

The cyberattack involved the exploitation of a previously unknown vulnerability (a zero-day attack). The region is no longer using the software and has taken proactive steps to protect against future cyberattacks. These include cybersecurity training for staff using simulated phishing attacks, real-time scans of devices and services, user account protections, and regular backups of electronic records.

Older technology that uses outdated designs and components can provide an open door for cybercriminals to gain access to sensitive data. While moving from legacy systems to new systems may pose financial and/or operational challenges for organizations, it is important to keep up with evolving technology in order to take advantage of the latest security features. This incident also serves to highlight the importance of monitoring computer networks for abnormal activity, often the first sign of large-scale data theft.

Hackers are taking full advantage of the current public health crisis, and computer security incidents are on the rise. The Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS) estimates that ransomware attacks increased 151 percent in the first six months of 2021, compared to 2020. According to the centre, ransomware will continue to target not only large enterprises and critical infrastructure providers, but many small and medium-sized enterprises as well, based on what the attacker assumes is their ability to pay and the vulnerability of their security protection measures.

Data theft is a growing problem that can harm both individuals and organizations, increasing the risk of identity theft, economic loss, and reputational damage. Municipalities and other government organizations are particularly attractive targets to attackers as their systems are storehouses of sensitive information used to provide a range of vital services to communities.

“Cyberattacks are on a sharp rise and that trend will continue for the foreseeable future. Public organizations must ensure their systems and software are up to date and train their employees to watch for, and recognize, cyber threats and vulnerabilities,” said Patricia Kosseim, Information and Privacy Commissioner of Ontario. “Cybercriminals are always on the lookout for their next exploit, whether it’s an employee they can lure with a fraudulent phishing email or an outdated technology or process that puts information at risk. Public organizations are entrusted with the sensitive information of citizens and they cannot afford to let their guard down for one minute.”
