London Drugs confirms employee data held for ransom
Posted May 21, 2024 5:24 pm.
Last Updated May 22, 2024 6:10 am.
London Drugs confirmed some of its employees’ information has been compromised and held for ransom after a cybersecurity incident that shuttered western Canada stores weeks ago.
In a statement to CityNews Tuesday, the company says it was the victim of an attack orchestrated by a “sophisticated group of global cybercriminals.”
According to B.C. cybersecurity threat analyst Brett Callow of Emsisoft, the criminals are asking for $25 million within 48 hours or else the group will release stolen data.
“With endless revenue, greedy pharma is only willing to pay 8 million, help someone help the poor pharma raise another 17 million dollars,” read an anonymous post Callow found on a dark web site.
London Drugs has not confirmed the ransom amount, nor the nature or extent of employee personal information affected.
“Through our ongoing investigation, we are now aware that London Drugs has been identified by cybercriminals on the dark web as a victim of exfiltration of files from its corporate head office, some of which may contain employee information,” the company stated.
The retailer says it has no indication that patient or customer databases were compromised in the attack.
It added, “nor do our primary employee-specific databases appear compromised.”
London Drugs says it is “unwilling and unable” to pay the ransom that the group is demanding.
“We acknowledge these criminals may leak stolen London Drugs corporate files, some of which may contain employee information on the dark web. This is deeply distressing, and London Drugs is taking all available steps to mitigate any impacts from these criminal acts, including notifying all current employees whose personal information could be potentially impacted,” it said.
It says its review is underway, and the company has provided 24 months of complimentary credit monitoring and identity theft protection services to all current employees, “regardless of whether any of their data is ultimately found to be compromised or not.”
Cybersecurity experts say more needs to be done to fight cybercrime
Professor Richard Frank, the Director of the International Cybercrime Research Centre at Simon Fraser University says usually ransom is asked when your data has not been returned, or there is a threat of releasing the data to the public.
From his understanding because London Drugs is back up and running means that they most likely have their data back but face a threat of it being released.
“If supposedly London Drugs was not to pay, then the hackers could release the data,” Frank said.
The expert says the risk here depends on what specifically the hackers have obtained.
“If it’s employee data, then the employees or their private data is going to be on the internet. They might be targeted for phishing attempts in the future, or maybe there’s some sensitive medical data in there,” he said. “I doubt it but it’s usually credit card details.”
Frank says as far as he knows it’s employee data that is being compromised in this case — not customer data.
He says usually organizations like these get hacked if someone falls into the trap of a phishing email.
“Typically, 90 per cent of these compromises start with a phishing email that has an invoice, an attachment or a link,” he said. “Whoever clicks on it then downloads malware from a malicious website.”
Frank says once the malware is downloaded onto someone’s computer, hackers can access data from their computers.
“My sense is that it was just London Drugs’ turn, they weren’t explicitly targeted, it was just their turn to be compromised,” he said. “Probably someone within London Drugs clicked on it and they got compromised.”
Dominic Vogel, another cybersecurity expert says Lockbit, the cybercriminals behind the London Drugs attack is a Russian-based ransomware group.
Vogel says ransomware groups look for weaknesses in the cybersecurity system and there are many ways they can attack.
“There are many different paths into an organization,” Vogel said. “Whether it be a missing security patch, an insecure configuration — there are multiple ways that they can come in, someone clicking a link that they shouldn’t have?”
Vogel says there’s a greater need for government regulation to remove ransomware.
“There needs to be more pressure exerted at the federal and the provincial level,” he said. “For us to be able to make sure that cybersecurity has the proper regulations that it needs.”
Vogel says investing in protecting digital data is an expensive task, and the government should try to support small and midsize organizations to do that.
“Especially in the retail space where margins are a thing, something like cybersecurity isn’t necessarily going to have top priority,” he said. “It’s so important that we as citizens push to the various levels of government to do more to support.”
Vogel says we live in a different era where crimes are happening digitally, so more needs to be done to protect digital storefronts.