Manitoba insurance and financial brokerage failed to disclose ransomware attack

A Manitoba-based insurance and financial brokerage catering to clients across the Prairies has fallen victim to a ransomware attack that it hasn't publicly disclosed.

Andrew Agencies, based in Virden, Man., appears on a list of targets published online this week by an international cybercriminal gang that claims to have locked down the company's machines and stolen its data.

"Andrew Agencies can confirm that it has recently dealt with a security breach incident involving ransomware," the company's lawyer Dave Schioler said in an email response to questions from CBC News.

"We have taken this matter very seriously and have expended considerable resources in the investigation and remediation of this incident," he said.

Since 2018, Canadian privacy law also requires companies to report to the Office of the Privacy Commissioner (OPC) any breach of personal information that could "pose a real risk of significant harm to individuals."

On Tuesday, an OPC spokesperson said it had not been notified of a ransomware attack at Andrew Agencies.

The company, whose website lists 18 branches, mainly in small towns across Manitoba, Saskatchewan and Alberta, said Wednesday it had found "no evidence" that "sensitive" personal details had been jeopardized.

According to its website, Andrew Agencies offers a variety of services, from home and auto insurance to financial planning. It was established in Virden in 1913.

It also started a broadband voice and data business called RFNow Inc. in 2000 that has since grown into an internet service supplier across southern Manitoba.

The company didn't say who has been notified of the cyberattack, but did specify that the company hired third-party experts to root out the problem.

The cybercrime group known as Maze claimed to have used malware to lock 245 machines belonging to the company, as early as Oct. 21. The group did not respond to CBC's messages seeking verification.

Andrew's name appears in a list of organizations that Maze wrote "don't wish to co-operate with us, and [are] trying to hide our successful attack on their resources." The gang is reported to have ties to North Korea, but its location is unknown.

Maze's website lists IP addresses purported to belong to the locked machines at Andrew Agencies. The addresses correspond with computers,servers or other deviceslocated in Virden, as well as elsewhere in Manitoba, Saskatchewan and Alberta.

The hackers claim to have stolen 1.5 gigabytes of data from Andrew Agencies. That's enough to potentially include hundreds or thousands of word processing or spreadsheet files, although it's unclear what information was stolen in this case.

On its public website, Maze threatens to release "databases and private papers" belonging to the Manitoba firm and other victims.

Schioler said the incident has had "minimal impact on our operations."

A Toronto-based cybersecurity expert familiar with Maze said "there is no doubt zero doubt that these guys actually steal data." However, Ed Dubrovsky, Cytelligence's chief operating officer, said he'sskeptical of the group's claims when it comes to some specifics.

Having analyzed the gang's attacks before, he said the amount of data that Maze claims to have "exfiltrated" is typically 10 to 15 times more than what they really stole.

"It is still significant, though," Dubrovsky said.

'Horrified' no disclosure was made

What also worries some industry people, however, is Andrew's reluctance to publicly disclose what happened.

"If customer data did or even may have been exfiltrated, I'm horrified that no disclosure was made," said Brett Callow, a B.C.-based spokesperson for international cybersecurity firm Emsisoft.

Ann Cavoukian, a former Ontario privacy commissioner, said the best practice for companies targeted by cyberattacks is to be forthcoming with customers.

"It does them more harm by sitting on it, trying to cover it up, trying to stay silent, in an effort to protect themselves," said Cavoukian, who now serves as executive director of the Global Privacy and Security by Design Centre in Toronto.

She pointed out that companies have no way of knowing who has access to files once they have been taken or what may be done with the data.

Until recently, cybercrime groups were known to simply encrypt files infected with ransomware in an effort to get the victim to pay for decryption. Maze's public posting of purported victims and its threat to release further data signals an escalation in the threat, experts warn.

No ransom paid

Schioler, Andrew Agencies' general counsel, said the company was still assessing "the gravity and extent" of the incident. He said an investigation was "near complete but still ongoing."

He added the company has been in touch with "the individuals claiming to be responsible" and said Wednesday the company had not paid a ransom.

Attackers often leave a note demanding payment in digital currency to unlock the victim's computer. Dubrovsky said Maze is known to conduct research on a target to determine the ransom amount. He said the figure can range from $500,000 to $10 million.