(980 CJME file photo)

By Lisa Schick/CKOM News Staff

SLGA hack in late 2021 caused by vulnera

SLGA hack in late 2021 caused by vulnerability that was left open

Nov 23, 2022 | 2:30 PM

The information for about 40,000 people was compromised during a successful hack of the Saskatchewan Liquor and Gaming Authority (SLGA) systems late last year, according to a new report from the Saskatchewan Information and Privacy Commissioner.

The commissioner, Ronald J. Kruzeniski, found the hack and subsequent privacy breach was caused by the SLGA not patching a vulnerability quickly enough, it not noticing the system had been breached, and the authority retaining an unnecessary amount of personal information.

The SLGA found out about the breach on Christmas Day last year when an IT employee tried to perform some tasks. That’s also when it got the ransom demand from the hackers and shut down its own system.

But it was actually in November that hackers first got access to the system and began going through and copying files.

According to Kruzeniski’s report, the problem was a critical vulnerability in the software of the content management system platform it uses to maintain its website. The “remote code execution vulnerability” allowed attackers to get into the SLGA IT environment through the internet without an authentication.

Raiders AGM

Raiders impact on Prince Albert local economy continues to go up: AGM report

27m ago

Court proceedings

'The impact of this trauma will echo for generations': court case surrounding La Ronge woman's death reaches conclusion

23h ago

Going Global

P.A.'s Zablocki named to Team Canada for U18 Women's World Championships

Dec 11, 2024

The SLGA defended itself, telling the commissioner’s office the software vendor didn’t tell it about the vulnerability, so it didn’t know there was something that needed to be fixed until it was too late.

However, in his report, the commissioner notes the vendor put a notice about the problem and a fix on its website in early October.

The minister responsible for the SLGA said they would not pay the hackers and after March 22 of this year, the SLGA later determined personal information that was stolen was released to the dark web.

The SLGA first notified the public about the breach on Dec. 28 with a news release. Over the subsequent months, it would go on to notify current and past employees, dependents of the employees, and regulatory clients, which includes liquor and cannabis permittees, gaming registrants, special occasion permittees and charitable gaming licensees.

Information lost includes names, banking information and social insurance numbers for the employees, and names, contact info, criminal histories and financial information for the regulatory clients — all of which were collected during regulation activities.

Letters were sent to about 15,000 regulatory clients across Canada and about 200 in the U.S. as well.

Some of those affected hadn’t had any business with the SLGA in five years and the authority didn’t know if the contact information was correct, so it posted a notice online to disseminate the information to them that way.

The privacy commissioner said the breach wouldn’t have been so large if the SLGA didn’t keep personal information indefinitely and, while it appears to have a policy, the policy didn’t specify how long information was kept or whether it was being disposed of.

The SLGA told the commissioner it had retained a third party to look into its document management and retention policies, though at the time of the conversation, that work had been delayed because of some coming changes to the authority.

The privacy commissioner made six recommendations to the SLGA on this privacy breach.

Kruzeniski recommended the SLGA post details to its website as to how people affected can request a copy of their information lost in the breach. The commissioner said that information wasn’t proactively provided and some affected people had concerns on that front.

The commissioner also recommended the SLGA include that information in its regular communications with employees and regulatory clients.

Kruzeniski said the SLGA should extend its offer of credit monitoring to affected people to at least five years; it originally offered two years of monitoring.

In preventing future breaches, Kruzeniski recommended the SLGA subscribe to email notifications of security bulletins from the vendor of its content management system.

He also recommended the authority make sure it has the resources to promptly act upon critical vulnerabilities and detect malicious activities.

Kruzeniski said the SLGA should look at how effective its solutions are to detect and block malicious activities frequently.

And, finally, he recommended the SLGA put retention policies and procedures in place right away so the authority isn’t retaining personal information unnecessarily.