Cybergang behind N.S. breach says it erased stolen data, but experts urge caution

A hacker gang said to be in possession ofsensitive personal information belonging to as many as 100,000 Nova Scotians says it has deleted the data, but cybersecurity experts say the province should be suspicious of that claim.

The Clop ransomware group says it is behind a hack on the MOVEit file-sharing system that has affected users across the globe, including the Nova Scotia government and British Airways.

The group posted a note to its website saying it deleted all the data it stole from governments, citiesand police services. It said it has "no interest to expose such information" from those public bodies. Private companies, however, have until June 14 to contact the group to negotiate a ransom, the message said.

Cybersecurity experts warn that the Nova Scotia government should remain on guard, despite Clop's apparent act of goodwill toward public institutions.

"Clop's claim to have deleted data belonging to public sector bodies should be assumed to be false," said Brett Callow in an email. Callow is a Vancouver Island-based threat analyst with cybersecurity company Emsisoft.

"There is no reason for a criminal enterprise to simply delete information that may have value," Callow said, adding that the data could be sold or traded, or used for phishing a type of email scam that induces people to reveal personal data.

"And even if they did delete it, that does not undo the breach."

100,000 potential victims in Nova Scotia

The Nova Scotia government revealed Tuesday that up to 100,000 past and present public sector workers may have had sensitive personal information stolen in the MOVEit software hack. Officials said the hack was discovered last week and that the data stolen included social insurance numbers, addresses and banking information.

A spokesperson for Nova Scotia'sDepartment of Cybersecurity and Digital Solutions says the province will not be taking Clop at its word.

"This is a criminal organization," Khalehla Perrault said in an email. "We don't consider them trustworthy, and we won't be communicating with them."

Lawrence Abrams, owner and editor-in-chief of cybsersecurity news site bleepingcomputer.com, said extorting governments, military and health-care organizations is more likely to trigger large-scale law enforcement operations. Though there are plenty of examples of gangs targeting public bodies, some, like Clop, likely avoid them, Abrams said.

As for Clop's claim that it erased Nova Scotia's data, Abrams said some groups have made similar claims and then sold the information, or used it for future extortion.

"It is safer to assume that any stolen data is at risk for abuse by the cybercrime operation or other threat actors," Abrams said in an email.

More attacks likely, expert says

Ian L. Paterson, chief executive of the Vancouver-based cybersecurity company Plurilock, agreed that Clop is interested in the biggest payout possible, with minimal risk of getting caught. But like Abrams and Callow, he said it's best to be suspicious about claims the data was erased.

Paterson applauded the Nova Scotia government's communication with the public so far.He said the Clop attack is an opportunity for everyone to take a close look at the systems they use and the data they transmit, and examine if they can better secure it.

"There's just a lot of vulnerable software systems that are open to attack," he said. "And as long as the bad guys are able to monetize them, I think we're going to continue to see more of these attacks."

The Nova Scotia government has said that its investigation into the data breach is ongoing and that it would contact residents whose data was stolen once they are identified.

Perrault said Wednesday that anyone who thinks they might be affected should monitor their financial transactions and contact their bank to report suspicious activity. She also advised keeping an eye on the government's dedicated website about the breach.

MORE TOP STORIES