More than 300 individuals, 200 businesses affected
Internal provincial government documents posted online after last week’s ransomware attack contain confidential information of more than 500 clients who took part in the Agri-Stability program in recent years.
The internal documents were posted on the website of a cybercriminal group, which has claimed responsibility for the P.E.I. ransomware attack.
The group has also carried out similar ransomware attacks focused on other businesses and municipalities throughout North America. The documents contain the social insurance numbers and names of 339 individuals, as well as the business numbers and names of 218 corporations who have received assistance from Agri-Stability. The insurance program protects farmers from unexpected losses.
Provincial officials appear to have first learned about the data breach after being contacted by The Guardian on Monday.
The ransomware attack also resulted in several government departments being locked out of their computer system due to encryption.
Ransomware is a form of malware that attempts to extort a sum of money from the victim in exchange for restoring access to the system.
Maze, the group that posted the stolen documents online, has claimed to have a further 200 GB of internal files that it plans to publish.
Jeffrey Thomson, a senior RCMP intelligence analyst with the Canadian Fraud Centre, said the affected individuals should be aware of the dangers of identify fraud.
“It is a concerning issue. A SIN number is the key piece of information that allows criminals to carry out identity fraud,” Thomson said.
Thomson said that other information, including dates of birth, addresses and phone numbers, are required in addition to SIN numbers in order to compromise accounts or to carry out more serious forms of identity theft.
“Those are the key pieces of information to obtain credit.”
David Malamed, a forensic investigator with Cooper, Green and Warren, said the danger may not simply be that the SIN numbers of individuals are publicly available.
“In terms of just having those two pieces of ID, a person’s name and their social insurance number, it’s limited the damage that can be done. You do need someone’s address, date of birth,” Malamed said.
“What is possible to be done is clustering.”
Malamed said clustering involves criminals finding other pieces of information about individuals, such as one’s mother’s maiden name, date of birth or address, that are posted on social media may give fraudsters what they are looking for.
“I can start to cluster and confirm together information from different sources. Then it suddenly does become quite a weapon,” Malamed said.