Joe Masoodi is a senior policy analyst at Toronto Metropolitan University’s Leadership Lab, conducting research and policy analysis at the intersections of surveillance, technology, and security.
A single incident almost three months ago cost one of Canada’s biggest companies around $25-million – about 13 per cent of its earnings that quarter. And yet, officially, we don’t know exactly what happened.
Here’s what we do know, thanks to whistle-blower employees, media reporting and belated corporate admissions: On Nov. 4, Empire Company – the Nova Scotia-based conglomerate that owns around 1,500 grocery stores across Canada, including Lawtons, IGA, Safeway, Farm Boy, Foodland and Sobeys, the second-largest supermarket chain in the country – acknowledged that what it had previously described as a relatively benign “information technology systems issue” was in fact a “cyber security event.” Some of the chains’ pharmacies were unable to fill prescriptions for a week; the event caused inventory shortages and threw ordering and payroll systems into chaos. Employees eventually told the CBC that stores had been hit by a ransomware attack – a type of malicious software deployed by bad actors who seek to gain control of an organization’s network, deny legitimate users access to their systems and devices by encrypting them, and demand a large sum of money in exchange for decryption. Attackers often also steal data before encrypting it and threaten to delete, disclose or sell it off, adding further pressure on victims.
This kind of cybercrime is on the rise. The COVID-19 pandemic, and the resulting shift to remote work in mostly white-collar industries, has accelerated the use of internet-connected technologies which, among their varied effects, are making companies of all sizes more vulnerable. Attackers may be getting more brazen and more willing to disrupt essential societal infrastructure, too: Earlier this month, the British postal service was unable to send mail abroad, after the Russian-affiliated criminal group LockBit stole information and threatened to publish it online, and in December, Toronto’s Hospital for Sick Children suffered a cyberattack by a LockBit-associated hacker that prompted a system failure that lasted for weeks. And with more and more companies looking to turn our data into dollars – and as these companies increasingly consolidate their work and datasets through buyouts and mergers – these firms may be making themselves bigger targets, and sometimes without a commensurate increase in cybersecurity measures.
But in Canada, most businesses are not required to report such incidents, even though experts say that the lack of data and reporting has allowed these cyberattacks to flourish. That means that Empire, currently the 64th-largest Canadian company by market capitalization, doesn’t need to tell Canadians what happened – and we don’t realize how at risk we are.
Ransomware attacks are social as much as they are technical; the victims are human, and perpetrators are, too, even if they’re hidden behind screens. The consequences of cybercrime in general go beyond financial costs to organizations, too; those costs eventually trickle down to the everyday consumer, and crucial services provided by organizations can become debilitated, as Empire’s pharmacies were. It is also highly distressing for individuals to learn that their data have been stolen, as information in the wrong hands can lead to identity theft and fraud.
So rather than viewing attacks purely as a technological concern, the sociological forces that give rise to the phenomenon – including the perpetrators’ motivations, the victims’ response to being ransomed, and the ways both organize and interact with new tech – need to be understood. To do so, we need to actually talk about our data.
An evolving and thriving ecosystem underpins ransomware attacks. Many of them are carried out by groups located around the world; by operating in many jurisdictions, they can more easily evade capture. Although Accenture’s Cyber Threat Intelligence Report identified LockBit and Conti as two of the most active ransomware gangs, these groups often “retire” or rebrand, making it a challenge to keep track of them. New threat actors have been emerging, and existing ones are becoming more ambitious, especially since the ransom money can enable more attacks and other types of crime.
These groups have also changed how they organize themselves over the years. One group, for instance, may specialize in one aspect of a ransomware attack – such as gaining initial access to a network, stealing data, demanding payment or laundering payments, often in the form of cryptocurrency – and work with another group that specializes in another skill set to carry out the attack. Outsourcing certain elements of the crime usually produces greater economic yield, and makes attackers even harder to catch.
There has also been an evolution in the strategy and ransomware strains that allow threat actors to gain control of organizational systems and devices. Indeed, security researchers from Sentinel Labs have linked the Empire ransomware attack to a relatively new and increasingly popular strain created by Black Basta – a gang with ties to financially motivated Russian hackers known as FIN7. The Black Basta strain was also responsible for a ransomware attack on the meat processor Maple Leaf Foods in early November, around the same time the attack on Empire took place, possibly suggesting a broader strategic shift by attackers toward the food sector.
Increasingly, data theft is becoming a major weapon among cybercriminal groups, which sometimes even forgo the deployment of ransomware by directly stealing the data and selling them. This may have been the case in the recent cyberattack experienced by the Liquor Control Board of Ontario, in which credit card and other personal information of some customers who made online purchases may have been stolen. As of yet, the LCBO has not said it was a ransomware attack – only that “malicious code” was installed.
Once attackers gain access to an organization’s network, they often take their time to identify the information that is the most crucial to an organization’s operations and the most embarrassing if leaked. In a study conducted by CrowdStrike Intelligence, “ransomware-related data leaks” increased 82 per cent in 2021 compared with 2020. IBM also found that ransomware and data theft were two of the top three types of cybercrime in 2020, with the latter increasing 160 per cent from the year before. Research shows that ransomware gangs are taking particular aim at small-to-medium-sized enterprises, which are least equipped to handle such attacks.
The pandemic only accelerated all these pre-existing trends in cybercrime. Remote work, driven by COVID-19, further encouraged companies to move their operations to the cloud, creating a new potential liability. The pandemic also disrupted work behaviours, and as the authors of a briefing note produced for the International Monetary Fund warned, employees’ increased use of personal devices and low levels of security awareness posed serious cybersecurity risks. Attackers appear to have taken note: In a survey conducted by Deloitte, 25 per cent of respondents reported an increase in fraudulent e-mails, phishing attacks and spam to their corporate accounts since the start of the lockdowns – tactics used by cybercriminal groups to gain network access.
The increase in scale and impact of such attacks is also reflected by the number of victims paying out their ransoms, which can encourage further attacks. A Statistics Canada survey found that 82 per cent of affected companies did not pay out the ransom, but experts believe those numbers are skewed by an overwhelming preference by companies to not report attacks. Inspector Lena Dabit, the head of the RCMP’s cybercrime investigative team, has said that cybercrime is “grossly underreported” because organizations feel a stigma about being targeted. In one case, said Insp. Dabit, the RCMP had managed to recover cryptocurrency held by a Canadian ransomware attacker, but some companies actually refused to accept their stolen funds, preferring not to acknowledge the attack. “We could have given them their money back,” she told ITWorld, “but they didn’t want the publicity.” This shame gives cyberattackers leverage.
Researchers have also noticed more big-game hunting since the start of the pandemic: the selective targeting of high-value companies, ones that attackers believe will not be able to sustain long periods of network disruption, and the direct pursuit of key managers who hold greater network privileges within them. In addition, attackers are focusing their attention on companies that provide multiple services and that have supply chains they can also infiltrate, which help scale their attacks by targeting the victim’s clients.
And there’s more big game to be had. The growing consolidation of smaller companies into big-box stores – particularly in Canada, where there is little competition in a number of major sectors – may make them more desirable targets. These chain stores operate in an environment where they often keep data continuously flowing. Modern grocery chains such as Empire, for instance, remain largely interconnected and interdependent through the networking of inventory-control, accounting and payment systems. In addition, the practice of collecting high-value personal and sensitive information – about finances, health, IT security or intellectual property – has become increasingly common among businesses.
Indeed, what makes the Empire case particularly interesting is its data-handling reach, which was extended when it acquired an ownership stake in the loyalty program Scene+ last summer. Such programs are on the rise among many companies, from credit cards and telecoms to big coffee shops and even local bars. Scene+ has access to significant amounts of personal and sensitive information; it collects, stores, analyzes and shares aggregated shopping data, creating detailed profiles of groups of individuals often for marketing purposes, and which may be also sold to third parties. Empire has said that the ransomware attack did not breach personal information (though the privacy commissioner’s involvement in the investigation may tell another story); even still, Empire’s Scene+ entanglements raise cybersecurity concerns.
These increasingly common programs are rich veins for data that can be used by companies to improve organizational decision-making or, in some cases, be sold to advertisers. But even the basic personal information that can be attached to loyalty programs – names, addresses, phone numbers, banking details – makes companies that use them even more tantalizing targets for criminal groups online. As Canadians continue to connect to the world (and the economy) through digital technologies, the exchange of information produced through those interactions by different data handlers continues to proliferate, often to an extent unknown to the consumer; as these systems stack on top of each other, the security risks and vulnerabilities multiply. Protecting ourselves from potential cyberattack means becoming aware of what kind of data we’re leaving behind by engaging with companies and technology, and becoming aware of what exactly makes our data valuable.
Yet, despite their overindulgence in data collection, many organizations have often been criticized for their poor data-handling practices, including cybersecurity. It’s not clear that the many organizations that have transitioned into big data companies are equipped for the cybersecurity responsibilities they need to have as a result.
The Canadian government has, in some ways, responded to these cybersecurity concerns. The Trudeau government’s proposed cybersecurity law, Bill C-26, would require organizations designated as critical infrastructure to report cybersecurity incidents to the government and would impose data-protection obligations on them, with steep fines for those that fail to comply. The bill also includes other provisions granting the government additional powers to essentially oversee cybersecurity practices and to direct organizations to add, remove or modify systems and processes.
This is an important first step. But the bill has received criticism for lacking accountable governance and for its potential to infringe on rights. The Cybersecure Policy Exchange has also demanded greater clarity on the transparency and oversight of these fairly sweeping powers, such as through the National Security and Intelligence Review Agency. And Bill C-26, even as it exists today, would not apply in the case of the ransomware attack on Empire, as the company does not fall within one of the federally defined categories of critical infrastructure – even though it is hard to argue that one of the country’s few major supermarket chains doesn’t count as essential.
There are, of course, ways for organizations to minimize the risks posed by ransomware. Organizations can look to government resources that lay out technical measures aimed at prevention, including those published by the Canadian Centre for Cyber Security. Such measures include penetration testing to find vulnerabilities in systems; applying the principle of least privilege, which sets out that users should have only the specific, essential data access their job requires, so that a single compromised account cannot reach everything; and ensuring that all employees use multifactor authentication, particularly for e-mail and remote access, the entry points that phishing most often targets. But technical measures alone are not sufficient to prevent attacks. Since cyberattacks often exploit human weaknesses, public awareness and education also play a central role, and to that end, organizations need to be open and transparent about cybersecurity – including about what security measures are in place (or not) to keep our data safe and operations uninterrupted.
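To make two of those measures concrete, the following is an added illustration, not code from Empire, the Centre for Cyber Security or any system described in this article. It shows a deny-by-default authorization check in which each role is granted only the resources it needs, sensitive records additionally require a session that has passed multifactor authentication, and a review routine compares the grants on file against an access log to flag privileges nobody actually exercises. The role names, resource names, user names and log entries are all constructed for the example.

```python
"""Least-privilege access checks with an MFA gate, plus a privilege review.

Added example: roles, resources, users and the access log are constructed
and do not describe any real organization's systems.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Grant = Tuple[str, str]  # (resource, action)

# Role -> explicit (resource, action) grants. Anything not listed is denied.
ROLE_GRANTS: Dict[str, Set[Grant]] = {
    "cashier": {("pos_transactions", "read"), ("pos_transactions", "write")},
    "pharmacist": {("prescriptions", "read"), ("prescriptions", "write"),
                   ("patient_records", "read")},
    "inventory_clerk": {("inventory", "read"), ("inventory", "write")},
    # The inventory grant here is a stale leftover; the review below flags it.
    "payroll_admin": {("payroll", "read"), ("payroll", "write"),
                      ("inventory", "read")},
}

# Resources holding personal, health or financial data: MFA is mandatory.
SENSITIVE_RESOURCES = {"prescriptions", "patient_records", "payroll"}


@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool


def is_allowed(session: Session, resource: str, action: str) -> Tuple[bool, str]:
    """Return (decision, reason). Deny unless some role of the session holds
    an explicit grant; sensitive resources also require a verified MFA step."""
    granted = any((resource, action) in ROLE_GRANTS.get(role, set())
                  for role in session.roles)
    if not granted:
        return False, f"no role of {session.user} grants {action} on {resource}"
    if resource in SENSITIVE_RESOURCES and not session.mfa_verified:
        return False, f"{resource} requires MFA; session for {session.user} has none"
    return True, "allowed"


def unexercised_grants(access_log: List[Tuple[str, str, str]]) -> Dict[str, Set[Grant]]:
    """Privilege review: for each role, return the grants that no holder of
    that role used during the review window. access_log rows are
    (role, resource, action) for successful accesses. Unused grants are
    the first candidates for removal under least privilege."""
    used: Dict[str, Set[Grant]] = {}
    for role, resource, action in access_log:
        used.setdefault(role, set()).add((resource, action))
    report: Dict[str, Set[Grant]] = {}
    for role, grants in ROLE_GRANTS.items():
        unused = grants - used.get(role, set())
        if unused:
            report[role] = unused
    return report


# Constructed sample log: (role, resource, action) over one review window.
SAMPLE_LOG: List[Tuple[str, str, str]] = [
    ("cashier", "pos_transactions", "write"),
    ("cashier", "pos_transactions", "read"),
    ("pharmacist", "prescriptions", "read"),
    ("pharmacist", "prescriptions", "write"),
    ("pharmacist", "patient_records", "read"),
    ("inventory_clerk", "inventory", "write"),
    ("inventory_clerk", "inventory", "read"),
    ("payroll_admin", "payroll", "read"),
    ("payroll_admin", "payroll", "write"),
]


if __name__ == "__main__":
    clerk = Session("j.doe", frozenset({"inventory_clerk"}), mfa_verified=False)
    pharmacist = Session("a.lee", frozenset({"pharmacist"}), mfa_verified=False)
    print(is_allowed(clerk, "inventory", "write"))        # allowed
    print(is_allowed(clerk, "payroll", "read"))           # denied: no grant
    print(is_allowed(pharmacist, "prescriptions", "read"))  # denied: MFA missing
    print(unexercised_grants(SAMPLE_LOG))  # payroll_admin's inventory read is unused
```

The point of the review routine is that least privilege is not a one-time setting: grants accumulate as people change jobs, and an attacker who phishes one account inherits every stale grant attached to it. Running the comparison against real access logs on a regular cycle is how the principle is kept true in practice.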
Governments of all levels – including provinces and municipalities, which can lead in their areas of responsibility such as energy, water, transportation, health and education – also have a role to play. In Australia, ransomware is acknowledged as “the most serious of cybercrime threats,” and both major political parties have released strategies and law reforms to tackle it. Last year, it became the first country in the Group of 20 to have a dedicated minister of cybersecurity, Clare O’Neil, making clear that the issue is a priority.
Several active policy discussions and proposals have taken place there, including conversations around the need for greater international co-operation and law-enforcement operations; the establishment of a multiagency task force within policing dedicated to combatting ransomware threats; legislative changes aimed at going after cybercriminal proceeds and seizing cybercriminal assets; the establishment of strategies and frameworks for cyberoperations; and efforts to bolster public awareness of cybersecurity threats such as ransomware. In 2021, the Australian government expanded its definition of critical infrastructure from four to 11 sectors, requiring more organizations to report cyberincidents, which helps identify the main threat actors. Introducing stricter laws requiring organizations to protect user data, as the European Union has enacted, should also be a priority.
Each of these moves may have its benefits and limitations, but at the very least, they move the discussion forward – something that needs to be done in Canada.
The recent wave of ransomware attacks will likely continue to be a growing fact of modern society. Understanding the organizational and behavioural changes of the cybercrime ecosystem, the nature of the ransomware attack itself, and how individual Canadians think about cybersecurity in general, can act as a springboard to a wide range of policy, legislative and regulatory solutions required to stem the rise in attacks. The time to jump is now.