A “ransomware” attack has hit a Toronto company that resells sensitive personal and business data collected by the Ontario government.
Pay up or we will not return access, the attackers told ESC Corporate Services on Oct. 25.
No payment has been made and the company was locked out of its system for more than a week. The ESC system interfaces with the Government of Ontario records portal. If you have ever incorporated a company or leased a car, that is the data at issue, the Star has found.
“The request was for a payment in exchange for keys to decrypt encrypted files,” said ESC spokesman Shea Haverstock, who confirmed the attack to the Star. He said ESC is conducting a “forensic” analysis and has not contacted police.
A provincial government spokesperson said the province is aware of the attack and is monitoring the situation. In the wake of what happened to ESC, the government services ministry is working on “enhancing its current cybersecurity practices.”
During the reporting of this story, ESC posted a note on its website saying the “outage” it was dealing with had been resolved. No details were provided as to what happened.
Both the province and ESC said they do not believe the data was compromised, but did not explain to the Star how this was determined.
At risk in the attack were the millions of bits of data related to individuals and businesses that the Ontario government collects. The province licenses ESC and two other companies to resell the information to law firms, banks and other institutions, and the public at a profit. The terms of contracts are not made public but these companies sell access to such things as corporate and lien searches for roughly $100 per search.
Among the information resold and subject of this attack were corporation records, including names and home addresses of directors, and the registration of liens for automobile, boat and equipment leases. In addition to the search services the three companies provide, consumers and business owners use the portals to register new information and updates, which the licensed companies input into the government’s system.
Since the information is available for a fee it is not technically private data, although having access to the information in bulk — for example, names and addresses of all company board members or leaseholder and financial details on cars and trucks — would be attractive to hackers who could use it to mount other attacks.
Here’s what happened:
At 4 a.m. on Oct. 25, the ESC web portal went down. When the business day began, thousands of customers and institutions, many of them law firms, that use ESC on a daily basis were suddenly unable to access any information.
At the ESC head offices at King and Yonge Sts. in Toronto, top executives huddled. A security expert was called in and determined that a “malware” program had been uploaded into their system. Malware programs are created by hackers and typically disable computer systems infected by the program.
“We experienced a malware incident, as many companies do,” said Haverstock. He said the malware “was designed to encrypt files for the purposes of a ransom request.” He would not reveal the amount of money required or how it was to be paid.
Ransomware attacks frequently come with a request to pay in bitcoin, security experts have told the Star.
With its system inoperable, ESC posted a note on its website saying the company had a “systems outage,” but not revealing why. Haverstock said his company briefed “institutional” customers, but he would not share those briefings.
He said ESC has hired “third-party experts” to look into what happened and to rebuild the hacked system.
Haverstock also said ESC has “no reason to believe that any data was compromised,” and that the “incident affected ESC’s eService platform” and not individual records.
He said that ESC is not the “custodian” of the data it sells and, “as such, none of those records could be affected.”
The ESC system came back online on Friday afternoon with a “welcome back” notice posted on its website. A note from the new company president, Clare Colledge, made no reference to a ransomware attack. It described the incident as a “system outage,” apologized to customers and offered them the option of switching to a new “cloud-based” platform that had been used during the outage.
The two other Ontario companies licensed to provide the search services, Cyberbahn and Oncorp Direct, were not hit by the attack. Sources with knowledge of those companies said they have experienced an increase in business since ESC’s search function went down.
Despite the widespread effect on businesses, the provincial government did not publicize the problem.
Harry Malhi, a spokesperson for the Ministry of Government and Consumer Services, said in an email that a preliminary analysis provided to the ministry by ESC “indicates that there was no security risk related to services the ministry offers.”
Asked Friday afternoon whether the government had confirmed that analysis independently, Malhi referred the Star back to ESC.
Sources within the industry have told the Star that provincial bureaucrats have for several years been working on a plan to bring the management and sale of all of this data back in-house, where it was kept before the province outsourced it two decades ago.
“At this time we have not reported the incident to police,” Haverstock said. “We will assess the need to report once we have received the results of the forensic assessment.”
Kevin Donovan can be reached at (416) 312-3503 or email@example.com. Follow him on Twitter @_kevindonovan