vdvtut - stock.adobe.com
Canada’s Mounties among government employees hit by LockBit
A LockBit attack on a specialist supplier of relocation services has engulfed multiple government agencies in Canada
The Canadian government in Ottawa has disclosed a major cyber incident affecting the personal data of thousands of public sector workers – including officers of the world-famous Royal Canadian Mounted Police (RCMP), the Mounties – in a LockBit ransomware attack.
The cyber attack appears to have unfolded at the end of September 2023, hitting two specialist suppliers of personnel relocation services that work with the Canadian government – Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, which are in the process of merging.
Rumours of an incident had supposedly been common knowledge within the Canadian armed forces for some time, with military sources telling Canadian public broadcaster CBC over a month ago that the BGRS online portal was down and that they had been told to take precautionary measures.
LockBit’s involvement, confirmed via a posting to the cartel’s dark web leak site in which the operation claimed to have stolen 1.5TB of documents and revealed negotiations with SIRVA had failed, was first reported by Bleeping Computer.
In a statement, the Treasury Board of Canada secretariat said: “On October 19 2023, Brookfield Global Relocation Services (BGRS) informed the Government of Canada of a breach involving Government of Canada information held by BGRS and SIRVA Canada systems….
“Upon learning about this incident, the government took immediate action to investigate the breach, which involves information held by the companies about current and former Government of Canada employees, members of the Canadian Armed Forces and Royal Canadian Mounted Police personnel. This incident was also reported to the Canadian Centre for Cyber Security, the Office of the Privacy Commissioner, and the Royal Canadian Mounted Police.”
The secretariat said: “At this time, given the significant volume of data being assessed, we cannot yet identify specific individuals impacted; however, preliminary information indicates that breached information could belong to anyone who has used relocation services as early as 1999 and may include any personal and financial information that employees provided to the companies.
“The government of Canada is not waiting for the outcomes of this analysis and is taking a proactive, precautionary approach to support those potentially affected.
“Services such as credit monitoring or reissuing valid passports that may have been compromised will be provided to current and former members of the public service, RCMP, and the Canadian Armed Forces who have relocated with BGRS or SIRVA Canada during the last 24 years. Additional details about the services that will be offered, and how to access them, will be provided as soon as possible.”
Read more about LockBit
- Royal Mail has spent approximately £10m on recovery and improved cyber resilience measures in the wake of the January 2023 LockBit ransomware attack.
- The Financial Services Information Sharing and Analysis Center has warned that LockBit ransomware actors are exploiting CVE-2023-4966, also known as Citrix Bleed.
- Boeing has confirmed it experienced a cyber security incident following LockBit’s claims, but the aircraft manufacturer has not directly confirmed a ransomware attack.
The Canadian government is urging current and former employees who may be at risk to update any login credentials that may be similar to those used with BGRS or SIRVA to enable multifactor authentication on any accounts used for online transactions and to monitor online accounts for unusual activity.
One of the world’s largest household removal services providers, SIRVA operates in over 170 countries through various brands, with its UK and European moving operations run under the Allied brand, which is also known as Allied Van Lines.
The organisation has not spoken about the LockBit incident specifically, but given that high-value real estate transactions are frequently targeted by cyber criminals, provides its own advice and guidance to users of its services on how to protect themselves.
EasyDMARC CEO and co-founder Gerasim Hovhannisyan commented: “The Canadian government’s statement highlights that confidential data can be vulnerable regardless of how security-conscious an organisation or government is. The important consideration now is informing those impacted how to avoid opportunistic attacks stemming from these events.
“Public sector cyber resilience has barely been out of the headlines in recent months. The bottom line is that similar attacks are likely to continue unless governments worldwide prioritise a security framework that seriously incorporates the growing risks of supply chain attacks.
“By doing so and encouraging the same proactivity from their partners, governments will be in a much-improved position to protect the data of their employees and citizens,” added Hovhannisyan.