'I have seen very sophisticated emails,' says national cybersecurity lawyer offering tips after London Drugs cybersecurity breach
Late last month, a major cybersecurity breach at pharmacy chain London Drugs shut down all 79 stores for several days. The Canadian company is now reportedly facing a $25-million ransom for employee data.
The electronic files were stolen from London Drugs’ corporate office on April 28 and are being held by a “sophisticated group of global cybercriminals”, the company confirmed to the Times Colonist.
In an internal memo obtained by Global News, London Drugs informed employees that they are “not yet able to provide any specifics on the nature of employee personal information potentially impacted… This is because there are a large number of unstructured corporate files that are not in consistent format and each must be individually reviewed.”
Large caches of stored employee data pose extra risk
London Drugs said the “process of individually reviewing each compromised file” is underway, Global News noted; a potentially onerous task, especially when large organizations store employee files for years longer than they need to, says Kirsten Thompson, partner and national lead of Dentons’ Privacy and Cybersecurity group.
“It costs money and effort to get rid of information and not retain it indefinitely – it's easy to retain information indefinitely,” says Thompson.
“The problem with that is that if a threat actor gets into your system and gets the employee information, instead of getting one, two or three years’ worth of information, if you are one of those hoarding types of institutions that never deletes anything, they can get 15, 20, 25 years of information.”
If this occurs and notification statutes are triggered, employers risk being unable to conduct adequate notification of the breach, she says.
“They may well be ordered to post something on their website or make a press release or something like that,” Thompson says. “Most organizations really don't want to go down that road if they can avoid it.”
Train, retrain employees on protection from cybersecurity attacks, phishing
“Train and retrain” employees about phishing scams, fake emails and other security risks, Thompson says, including mock phishing exercises with additional direct or remedial training for employees who prove susceptible to such attacks.
“This is nothing new. Hackers, threat actors, bad guys, go for whatever they can monetize the fastest. So that is either directly for money, or something they can turn into money,” she says.
“In the context in which we're speaking, that's going to be sensitive personal information. Sensitive personal information usually is found in HR… So that's the first step organizations can take, is understand where their sensitive personal information is and protect it accordingly.”
However, all the training programs in the world cannot prevent the simple issue of human error or misjudgement, Thompson says, which is why it is so important to be vigilant about training.
“I'm fond of saying that you can have all sorts of cybersecurity and IT, and data protection software installed, and all sorts of monitoring equipment and whatnot, but no matter what, you still have ‘Bob’. Bob is your weak link,” she says.
“Phishing is still a common access point into an organization’s system, simply because Bob is the weak link. … The threat actors will get in through ports that are left open to other sorts of access points, so it's a failure of cybersecurity, but the more common one is a failure of employees or personnel within the organization, the social engineering phishing attacks.”
HR-related emails top strategy for phishing hackers
HR-related phishing emails remain the most-clicked attack emails in a phishing test run by KnowBe4, topping the list of hacker email subjects for the third quarter in a row at 42%.
The top phishing email subjects were “Important: Dress Code Changes” and “Your Training Past Due”.
Phishing tactics are always evolving and becoming more sophisticated, Thompson says.
“For every action, there's an equal and opposite reaction, so the more sophisticated the good guys get, the more sophisticated the bad guys get,” she says.
“Those Nigerian prince emails are lovely antiques. I have seen very, very sophisticated emails, and don't forget the threat actors are generally associated with organized crime, so this is a volume operation.”
Hacker organizations will send out hundreds of thousands of emails, Thompson says: “All it takes is for one of those to get through and then they're into the systems. So, it's very tough to protect against.”
Two-step verification to combat phishing scams, employee data breaches
Thompson recommends shifting to a system that involves a two-step verification of links and senders, where employees are required to phone colleagues or sources to check the legitimacy of emails and attachments.
“The idea is that it's harder to get past two people than it is past one,” she says.
However, this extra security does slow things down, Thompson says.
“I've also seen instances where you train your people so much that they're so scared of clicking on anything that the business grinds to a halt. So this is a real dilemma.”
Thompson also recommends subscribing to third-party threat intelligence services, which will install firewalls and other protections.
“These organizations monitor the bad traffic and the dark web and they filter out anything coming from these sorts of locations. So that will catch most of it, and then [with] the rest, you’re reliant on your people.”
Privacy considerations with cyber attacks on employee data
Employee personal information isn’t necessarily protected by federal law but by provincial statutes, says Thompson, who recommends employers ensure they are abreast of whichever laws govern their privacy obligations, in every jurisdiction where there are employees working.
“At a bare minimum, you need to have that information handy, and understand how you're going to manage these things, either in advance with an advance plan, or at least have counsel advising you what those obligations are when you're in the moment,” she says.
“Generally speaking, you don't want to be dealing with this in the moment. If you could do any of this work in advance, then you probably should be doing that.”
Since large stores of employee data pose significant logistical, financial and even reputational risk to organizations, Thompson does not recommend keeping employee files any longer than what is minimally required by law.
Plus, if employee files contain other personal information such as dependants or emergency contacts, this multiplies the number of people who need to be contacted in the event of a breach, she says.
“Organizations do need to be aware that employee data reserves are particularly vulnerable, because they're an attractive target for threat actors,” she says.
“We're seeing, more and more, the threat actors go for the HR and employee files, because they know that's where the sensitive information is, and they're more likely to be able to extort money because of that.”
After an attack: internal messaging around employee data breaches
On May 23, London Drugs said the hackers had released a portion of the stolen data because the company refused to pay the ransom, CBC reported.
London Drugs said in a statement that the situation is “deeply distressing” and that it is notifying employees who may have personal information at risk and offering them free credit monitoring and identity protection services.
What sets employee data breaches apart from customer breaches, Thompson says, is that “the employees are all still there.” Unlike customers, who are notified by mail or email with minimal “blowback”, employees talk to one another, she explains, which can allow incorrect information to spread.
“They may not know their information is impacted, but they will know when the organization stops functioning or the stores have to shut down, and then they talk amongst themselves,” she says.
“So it's very easy for a message, or the wrong message, to get out very quickly.”
How any given organization handles internal communication and messaging depends on its company culture, she says.
“One of the things organizations think of as part of their ‘breach response playbook’ is how they will manage the internal communications to employees, to get everybody on the same page and make sure everybody has the same information.”