Hacking group Black Basta claimed responsibility for a cyberattack on the Yellow Pages on Saturday. Copies of passports, RAMQ cards, account statements and driver’s licenses: La Presse found samples of stolen confidential information on the dark web, including from Quebecers.
This alleged cyberattack follows a classic ransomware modus operandi, i.e. the gang unveiled samples of the stolen data online on its dark web blog to pressure the targeted company.
In this case, it’s the Yellow Pages, the directory that brings together the information of thousands of Canadian businesses and consumers.
The extent of the information leak is not known.
At the time of publication, the Yellow Pages had not responded to the request emailed by La Presse. On Saturday, a call to the Yellow Pages customer service number ended with the message: “communication could not be established.” The general company number automatically hung up.
At the beginning of April, the Canada 411 website had been inaccessible for a few days, La Presse had seen. Le Journal de Montreal, in an article published on April 7, attributed the outages to a ransomware cyberattack, according to a source familiar with the matter.
“During these hacks, there is a lot of personal information that is exfiltrated. These are trading techniques, because not all the information is published, just a small sample, explains Karim Ganame, head of cybersecurity at Streamscan. The goal is to increase the pressure on the victim. And if nothing is done, all the information will be exfiltrated. »
On the dark web, Black Basta posted samples of very sensitive information about several people, including Quebecers. It includes copies of Canadian passports, Quebec and British Columbia driver’s licenses, Régie de l’assurance maladie du Québec (RAMQ) cards, and a tax return containing the number individual’s social insurance.
According to our information, some of this data could be linked to employees or former employees of the company. The Yellow Pages employ approximately 700 people nationwide.
The names of a few companies, anonymized statements of account, and the sales contract of an Ontario company are also disclosed.
Copies of a series of restaurant bills located at the same address as the Yellow Pages in Montreal, rue Richardson, have also been made public.
“What is surprising is that this type of data is not adequately protected,” said Mr. Ganame. In terms of data protection, companies [in Canada] are quite behind, he adds. We collect the data, we store it on the systems, but we put in place very few measures to [protect it]. »
We were able to get in touch with a person whose data was leaked. She preferred not to speak publicly until she secured her information. She confirmed to us that she had not been notified by the Yellow Pages of the situation.
On Friday evening, the cyberattack monitoring group BetterCyber alerted on Twitter to this attack claimed by Black Basta.
«
Although directly challenged on Twitter, Yellow Pages (the Yellow Pages) did not respond publicly on the social network on Saturday.
“Getting hacked is taboo in general, but it’s not something exceptional,” notes Mr. Ganame. However, a company well prepared for this type of attack would, he said, have a plan to notify those affected by the information leak.
“By default, the Yellow Pages should assume that all internal data has been affected,” adds the expert. People at risk should be alerted, as should the Commission d’accès à l’information.
Companies have not yet grasped the magnitude of the threats posed by cyberattacks, Mr. Ganame also laments. “They need to act, they need to see the threat is there, and they have a vested interest in deploying the right tools. »
Black Basta is an active ransomware gang. On April 20, London-based business services giant Capita confirmed it had been the victim of a cyberattack by them, according to Bleeping Computer. About 4% of Capita’s server infrastructure was reportedly affected.
It was also Black Basta who, in November 2022, attacked the Empire group, which notably operates IGA supermarkets.
Law 25 on cybersecurity, passed last September, should ultimately better protect citizens in cases of hacking like this. But all is not won, according to cybersecurity expert Steve Waterhouse. The alleged cyberattack on the Yellow Pages “is a typical case to study the full scope of information leaks and agency accountability,” he said. “If I make a comparison with Europe, there they have an obligation to report within 72 hours such an incident. Here it is as soon as possible. It is a great distinction. »
“This is another fine example of security by obscurity-outdated way of doing things that no longer has a place in 2023 and beyond,” Mr. Waterhouse also wrote on Twitter. Transparency is key, because once the data has leaked, it cannot be recovered. »
