The personal information of approximately 40,000 people connected to Saskatchewan's Liquor and Gaming Authority (SLGA) was compromised during a 2021 Christmas Day cybersecurity attack, according to the province's information and privacy commissioner's report on the incident.
"The number of affected individuals could have been much smaller had SLGA not retained personal information indefinitely," Ronald Kruzeniski, Saskatchewan's information and privacy commissioner, wrote.
The commissioner recommended in his report that SLGA should implement policies and procedures to ensure it isn't holding personal information of former employees and former clients unnecessarily.
Earlier this year, a person using the name "Jacob Walmart" who said they were a member of the organization that attacked the SLGA previously told CBC that they had 1.5 terabytes of the Crown corporation's confidential data. The hacking organization wanted ransom in return for the stolen information.
Following that phone call, someone using the name Dr. Clement Goyette provided an "evidence pack" of files containing more than 500 megabytes of what appear to be internal SLGA documents.
The pack included bank records, budgets, contracts, employee data and supplier agreements.
There were also a small number of credit card authorization forms for SLGA suppliers, which included credit card numbers, expiry dates and security codes.
Lack of communication to SLGA business partners
Both current and former employees were informed of the cybersecurity attack in mid-January 2022. The letter included a description of the attack, the personal information involved, what the SLGA was doing, an offer of credit monitoring and advice on how to protect themselves.
Adult dependents of current and former employees also received this letter.
On March 22, SLGA posted on its website warning gaming registrants and liquor and cannabis permit applicants that some of their data may have been breached. SLGA warned that some health,financial, criminal and personal information may have fallen into the wrong hands.
The privacy breach affected regulatory clients who had not been in contact with the SLGA in the past five years.
On April 11, almost three months after the Crown corporation became aware of the attack, the SLGA sent out its first direct message to business partners via email, alerting them that their credit card data may have been stolen.
In its recent report on the breach, the commissioner's office recommends government institutions inform affected individuals of privacy breaches, regardless of whether there is a real risk of significant harm.
"Notification to individuals affected by the privacy breach should occur as soon as possible after key facts about the breach have been established," Kruzeniski wrote.
On June 28, the SLGA sent out letters to about 15,000 regulatory clients in Canada with an offer of two years of credit monitoring, advice on how they can protect themselves and what the SLGA is doing to prevent future breaches.
The letter was only sent to SLGA clients who had been in contact in the past five years because of uncertainties about contact information. A similar message was posted on SLGA's website and circulated in a media release.
The commissioner recommends that the Crown corporation provide a minimum five years of credit monitoring to all people affected by the hacking attack and post details to its website about how to request a copy of the information lost in the attack.
Avoiding future attacks
The SLGA's content management system posted a security bulletin on Oct. 8, 2021, describing the Crown corporation's vulnerability and the solution, according to the commissioners report.
The attackers initially entered the IT environment in November 2021, but SLGA only became aware when it received a ransom demand for the information stolen.
The commissioner recommends that SLGA receive email notifications from the vendor of its content management system and assess the effectiveness of its ongoing monitoring processes frequently.