[BreachExchange] Unknown number of British Columbians' personal information for sale online after health company extorted

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jul 28 11:34:53 EDT 2021


https://bc.ctvnews.ca/unknown-number-of-british-columbians-personal-information-for-sale-online-after-health-company-extorted-1.5525715

CTV News has learned the personal information of British Columbians has
been leaked online, with an unknown number of people and agencies
potentially still vulnerable, after a data breach at a mental health
services provider.

Homewood Health, headquartered in Ontario with services and contracts
across Canada, acknowledges it was hacked earlier this year and has
recently begun contacting affected companies and agencies whose information
may be compromised, including BC Housing, TransLink and the Provincial
Health Services Authority.

CTV News has confirmed at least some of the information leaked online is
authentic, though the bulk of the data is still on the auction block at
Marketo, a site that describes itself as a "leaked data marketplace."

There appear to be hundreds of bids from prospective buyers.

“With the assistance of cybersecurity experts, we have been working
diligently to understand how the information was obtained and what
information has been affected,” wrote a Homewood Health spokesperson,
blaming the breach on state-sponsored Chinese hackers, called Hafnium, who
victimized thousands of companies earlier this year. “To date, neither
Homewood Health nor its third-party cybersecurity experts have been able to
find any evidence of any unauthorized access to any of Homewood Health’s
client application systems.”

The company would not estimate how many people’s information could be
compromised, insisting while they were notifying affected individuals as
quickly as possible, “this process will take time.” They provide services
ranging from career and family counselling, to mental health and addiction
support and operate retreats for extended stays.

B.C. AGENCIES NOTIFIED OF DATA BREACH

BC Housing appears to be the agency most impacted thus far.

Personal information of hundreds of employees has already been leaked
online as a “teaser” or sample of the kind of material the hackers possess,
which they provide to try and verify the authenticity and value of the rest
of the data package. https://www.bchousing.org/home

“We are very concerned that Homewood Health documents containing the
personal information of our employees, and potentially their family
members, have been compromised in a data incident,” wrote a spokesperson.
“It is Homewood Health that was breached, and they must take steps to
protect all those involved.”

The agency, which is focused on providing and running affordable and
supportive housing, goes on to say that it's still waiting for critical
information from Homewood Health, including how many people and how much
information could be involved – and what kind of supports it will be
providing for impacted employees.

The sample package also includes a contract between Homewood and TransLink,
plus a document updating a previous agreement with BC Clinical Support
Services, which is overseen by PHSA.

“We have been in communication with Homewood Health and they have assured
us that there was no PHSA employee/patient information included in the
breach they are managing,” wrote a spokesperson. “This contains purely
contractual information and does not contain any personal information.”

TransLink said it was aware of the information for sale.

“This agreement does not contain any personal information of employees of
TransLink or any of its subsidiaries,” it said in an email. “We have since
been in contact with Homewood Health, and given that this is their active
investigation, we will direct all questions to them."

A Homewood Health representative said the hackers had tried to extort the
company over the information, characterizing it as a “dark web” scheme, but
the Marketo website can be accessed by anyone with an internet connection.

“This isn't only on the dark web, Marketo group's site exists on the clear
web too, so it's very easily accessed," explained online threat analyst
Brett Callow, who works for Emsisoft on Vancouver Island. “These types of
incidents are extremely common and there are about 2,500 organizations that
have had their data stolen and published on sites like this -- and that
just within the last couple of years."

THE HACKERS SPEAK UP

Marketo, which has the same name as an online marketing company by Adobe
but bears no connection, calls itself a “leaked data marketplace” but it’s
perhaps more accurate to describe it as an online clearinghouse for stolen
information. The first and most prominent listing currently on its website
is for Homewood Health, and it shows that 289 bids have purportedly been
made for the information so far.

When CTV News contacted the site, a representative countered Homewood’s
description of events, insisting they researched the weaknesses of Homewood
Health and other companies and attacked them directly, insisting they did
not acquire the data as part of the Hafnium hack.

“I got to say it right away that we just sell company data. We do not have
the intention to harm customers or clients of this company,” wrote a
spokesperson identifying themselves as Mannus Gott. “If the company
understands and is willing to accept responsibility for the leak, there
will be no publication. Otherwise, we are not responsible for the safety of
this data.”

They say on Thursday, some of the data will be sold and the rest will be
published.

Homewood says it has contacted police and has hired its own investigators
and experts to advise them.

THE VICTIMS

While extortion and blackmail of companies facing data breaches have become
more and more common, it can be shocking and stressful for individuals
caught up in the scheme.

"They should be reasonably concerned,” said Callow, suggesting they contact
their banks to warn them if notified by Homewood. “The data that's out
there could potentially be used for data theft and given the type of
information Homewood may own, it could potentially be used to blackmail
individuals as well, or attempt to."

Callow pointed out companies that’ve been breached will typically pay for
customers to have monitoring in place after such a breach, adding this
should be a reminder for individuals, companies and other organizations to
take the utmost care in safeguarding their information, including using
patches, updates and opting for multi-factor authentication whenever
available.