Ransomware attacks at two children’s aid societies have spurred the Ontario government to tighten cybersecurity around a new, $123-million provincial database for children in care.
One of the agencies — the Children’s Aid Society of Oxford County — paid a $5,000 ransom to regain access to their sensitive data after the malware attack on their local servers on Jan. 18, according to sources with knowledge of the incident.
Officials with the other agency — Family and Children’s Services of Lanark, Leeds and Grenville — saw an English ransom message flash on their computer screens, demanding $60,000, when they tried to access their database in November.
“It encrypted most of our servers,” says the Lanark agency’s executive director, Raymond Lemay. “No data was taken out of our system. It was just an attempt by whatever you call these people to get a ransom.”
Lemay says his agency didn’t pay up. He says it used an offline backup of computer files to get the agency up and running again in about eight hours.
Cybersecurity experts from the province’s Ministry of Children and Youth Services, along with a private internet security firm, swooped into the agency to neutralize the malware in the infected servers.
“It took them about three weeks to find the needle in the haystack,” Lemay says.
The ransomware attack locked the agencies out of local online files that contained private information on the children and families they serve.
“They might have taken advantage of vulnerabilities that occurred because we were changing over to a new system,” Lemay says of CPIN. “That’s one of the hypotheses, but we don’t know for sure.”
Due to the attack, Lemay says the ministry “tightened up” the security protocol used when data is transferred from local societies to the provincial database. “That was one of the lessons learned,” he adds.
About half of Ontario’s 47 children’s aid societies have transferred their data to CPIN. The rest are expected to do so by 2020.
“There have been two recent cyberattacks on children’s aid societies but CPIN has not been compromised in any of these attacks,” the children’s ministry said in a statement to the Star.
“Following these incidents the ministry and Ontario Association of Children’s Aid Societies have reinforced cyber security best practices and protocols with all societies across the province to help prevent similar incidents from happening,” the ministry added.
The children’s ministry spends $1.5 billion annually on a child protection system that serves some 14,000 kids taken from abusive or neglectful parents.
Lemay says the ransomware attack cost his agency $100,000 to fix, an expense covered by his agency’s “cyber insurance.”
Bruce Burbank, executive director at the Oxford agency, confirmed ransomware made data on the agency’s computers inaccessible. He declined a request for an interview and didn’t respond to written questions about the ransom his agency paid.
“Fortunately we were able to restore our computer system the following day and I can confirm that no data was stolen,” Burbank said in an email. “We cannot provide further details of this incident as we do not want to make other agencies (and) organizations vulnerable to similar attacks.”
Aleem Punja, who heads the CPIN effort for the Ontario Association of Children’s Aid Societies, said Oxford was “quarantined” from using the CPIN system for “a couple of weeks” while ministry cyber-experts made sure the provincial database would not get infected.
Punja says he doesn’t know if the agencies were specifically targeted.
Reza Kopaee, director of the Toronto-based cybersecurity firm RiskView, describes ransomware as a fast-growing problem. In the last month alone, he says his company was called to help on six ransomware attacks against public or private agencies in Ontario.
“Often they end up paying the ransom,” Kopaee says, adding that the largest amount paid by an Ontario company he’s attended to was $40,000 (U.S.). Ransoms to unlock computer data are almost always demanded in Bitcoin or other untraceable cryptocurrency, he adds.
“Obviously, there are ethical questions that need to be answered before paying ransom,” he says in a phone interview. “Is it the right thing to do to pay money to someone who is pirating the whole internet? And where does it stop?”
Hackers behind the scams rarely know what agencies or companies they’re attacking, Kopaee adds. They use automated tools that search the internet for weak entry points, grab whatever money they can and move on.
As companies get better at cybersecurity, and opportunities for random attacks diminish, Kopaee expects the attacks to become more targeted and ransom amounts demanded to increase.