Cyber crime expert calls for transparency after attack
Public authority that relies on tax dollars should be more transparent, he says
TransLink is continuing to “bungle” its response to the ransomware attack it suffered earlier this year by failing to communicate to the public about what exactly happened and how it is handling the incident.
That is the take of Dominic Vogel, a local cyber crime specialist and the head of CyberSC, and he is not alone in advocating for businesses and agencies to be more transparent about ransomware and other attacks. He says greater transparency can help companies bounce back while also helping vulnerable small businesses prepare for cyber attacks.
“In the immediate aftermath when this happened … TransLink was not very transparent at all,” Vogel said. “You look at any data breach playbook in terms of how to do PR, TransLink bungled that, in my opinion.”
TransLink issued an alert Dec. 1 on Twitter about “an issue” affecting its IT systems. It later called it “suspicious network activity” and said it was working with law enforcement. On Dec. 3, TransLink CEO Kevin Desmond issued a statement that confirmed it was hit by a ransomware attack. Desmond offered few specifics, but did say that TransLink intended the statement to, in part, alert other organizations about the danger.
On Tuesday, TransLink defended its response in a written statement to Postmedia.
“TransLink proactively disclosed suspicious activity on our network and the associated customer impacts within hours of this incident occurring,” said Ben Murphy, a spokesman for the transit authority.
Murphy said TransLink has kept customers informed of any impacts throughout, and said it has been providing comment “the best that we are able, given that an active investigation is still ongoing.” He said the organization is working with third-party experts to safely restore its systems, and said that will take weeks. But Murphy would not respond to specific questions about the attack or TransLink's interactions with those who committed it, again citing the ongoing investigation.
Vogel said that level of transparency from a public organization, and particularly one that relies on tax dollars, is simply not enough, and it can work to erode trust. He said there may be other things going on behind the scenes.
“I'd imagine there's still some systems which are being locked down by ransomware and they are trying furiously to recover those systems while simultaneously trying to negotiate with the cyber criminals on some type of ransom,” Vogel said.
“That's generally what happens when these things stretch out into weeks. It's because they're trying to fight the fight on two fronts.”
Vogel called for TransLink to share what it has learned. Information on technical vulnerabilities, risks and responses could help smaller businesses in the province bolster their risk prevention efforts and help build cyber resilience.
“So many of them are just getting slammed by ransomware. Furthermore, many of them are just paying the ransom. They don't have the IT teams, they don't have the capabilities to be able to recover,” Vogel said.
Chase Norlin, the CEO of U.S.based cybersecurity company Transmosis, said transparency is key. The quicker and faster an organization discloses it has been breached, the better, regardless of the size of the organization.
While TransLink has not provided many details, it is among the minority of organizations that do proactively disclose that they have been targeted by an attack.
In previous years, larger companies were the primary targets of cyber crime, Norlin said. Now organized criminals are favouring small and micro businesses as targets. Once hit, many of those businesses are being forced to shutter due to crushing ransom demands and damage to their reputations.
“It's the little guy that's in big, big trouble,” Norlin said.
He recommended such businesses invest in cyber defences and avoid mistakenly thinking basic antivirus software or firewalls will protect them.