Suppliers whose data was taken in a Christmas Day hack of the Saskatchewan Liquor and Gaming Authority’s computer systems say the government never informed them that their personal data, including credit card numbers, had been taken.
A man identifying himself as “Jason Walmart” called CBC recently and said he is part of the organization that hacked the SLGA’s systems.
“We downloaded all the private and sensitive information,” he told CBC in a recorded phone call. “We got one-and-a-half terabytes of their confidential data.”
Following the phone call, someone using the name Dr. Clement Goyette sent CBC a link to an “evidence pack” of files, which contained more than 500 megabytes of what appear to be internal SLGA documents.
They include bank records, budgets, contracts, employee data and supplier agreements.
The self-proclaimed hacker said he contacted CBC because the province was refusing to negotiate.
“We tried to reach the company to provide them this information and to start negotiations. They said they don’t care about the problem,” the person said.
Credit card data taken
One of the documents provided by the hackers was a credit card authorization form for Manmohan Minhas, the owner of Minhas Sask, which bills itself as the province’s largest distillery, winery and brewery.
The document included Minhas’s corporate credit card number, along with its expiry date and security code, and Minhas’s signature. The hackers also provided a form that Minhas Sask had submitted to the federal government.
CBC called Minhas to alert him that his data appeared to have been taken in the SLGA hack. He said SLGA never informed him about it.
“Oh boy,” said Minhas. “This is the first time I’m ever hearing about it.”
He said it made him “very concerned.”
“I’ve got to go and check out my credit cards for those months.”
‘I’m pretty livid’: supplier
The hack happened more than three months ago.
On Dec. 28, the Saskatchewan government issued a news release about a “cybersecurity incident at SLGA” that had happened on Christmas Day.
The authority is the main distributor and sole licensing agent for the sale of alcohol in the province. It also regulates gaming and cannabis.
The news release said the Crown corporation had launched an investigation and that “SLGA does not have any evidence that the security of any customer, employee or other personal data has been misused.”
CBC spoke with another SLGA supplier who spoke on the condition that their name not be used, due to concerns about possible negative effects on their business.
The information provided to CBC by the hackers included the credit card information of the source.
Like Minhas, this supplier said SLGA failed to tell them their information had been compromised.
“I’m pretty livid,” they said. “I’m disappointed in the lack of transparency. I feel like they were not totally upfront about the severity of the breach.”
On March 22, more than three months after the cyberattack, SLGA posted an update on its investigation.
“SLGA believes that personal information of SLGA’s regulatory clients may have been accessed or taken by an unauthorized third party,” the authority’s website says.
The Crown corporation said the personal information of “gaming registrants, liquor permit applicants and cannabis permit applicants” had been taken.
The authority says the information it collects includes “names, addresses, phone numbers and in some cases also includes birth dates, place of birth, drivers licence numbers, criminal records, certain medical information, financial information, previous names (e.g., birth name or maiden name), physical characteristics.”
The SLGA supplier who spoke to CBC was not impressed when they learned about that notification.
“I don’t care what they put on their website. They should be contacting people directly,” the supplier said. “They want to cover their ass now.”
In an email to CBC, the Liquor and Gaming Authority said shortly after the hack, it contacted its employees and former employees directly, notifying them that their data may have been compromised.
The organization also said “credit monitoring was offered to employees immediately.”
SLGA’s statement says nothing about notifying its customers or suppliers about a possible breach of their data. The statement also says nothing about offering credit monitoring to anyone other than its employees.
The authority says it knows that its “data was access by criminals,” but it doesn’t know precisely what was taken or what those criminals may have done with the information.
“We have not had sufficient evidence to indicate what information was taken,” says the SLGA’s statement. “Nor has there been any information to suggest it had been misused.”
Brett Callow, a threat analyst with the cybersecurity firm Emsisoft, said SLGA’s response is utterly baffling, given that it has failed to contact all the people who may have had their data stolen.
“How do they know whether or not a customer’s credit card info is being misused if they haven’t let the customer know?” Callow wondered.
He said that since the SLGA knows so little about what was taken in the hack, it should have assumed the worst.
“If they cannot specifically identify the scope of the attack, and what information was taken and what wasn’t, they have to err on the side of caution and let people know that their information may have been taken,” he said.