DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Canadian Government Announces Data Breach, Urges Public Service Employees to Take Action

Posted on November 19, 2023 by Dissent

Stacey Scott reports:

The federal government has issued a warning to current and former public service employees, as well as members of the RCMP and Canadian Armed Forces, regarding a recent data breach that took place on October 19th. Officials have identified two companies, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, as the sources of the breach. These companies provide relocation support for employees within the federal government.

It is believed that personal and financial information provided by employees to these companies since 1999 may have been compromised. The Treasury Board of Canada Secretariat has stated that due to the large amount of data involved, specific individuals impacted cannot be identified at this time. However, the government is taking steps to mitigate the situation.

Read more at Gillett News.

Although there is no mention of Brookfield on their leak site, on October 6, LockBit3.0 added SIRVA to their leak site, and subsequently leaked data, stating, “Sirva.com says that all their information worth only $1m. We have over 1.5TB of documents leaked + 3 full backups of CRM for branches (eu, na and au).”

The breach occurred weeks before the October 19 date mentioned in the news report, and DataBreaches suspects some Canadian media have confused the date of a government notice or update with the date of the breach itself. The BGRS website has been offline since September 29 and BGRS notified the government of the breach on September 29.


Read the November 17 statement from the Treasury Board of Canada Secretariat.


On November 19, LockbBit leaked SIRVA’s data. In addition to the tranche of data, they posted 17 screenshots and a chat log of negotiations.

The chat log indicates that someone representing SIRVA showed up in the chat on October 6 and asked how much the ransom would be. When told $15 million, the SIRVA’s negotiator asked:

We would like to ask you to provide a detailed file listing showing the files you took from our systems. We need the file listing to show a total data size so that we can compare that against the 1.5TB you referenced on your blog. We will also need you to show us what the three database backups were.

When given a filetree, the negotiator asked: “Are you able to provide file listings that maintains the file path and shows the file size and total file count and data size of each list?”

At each stage, the negotiator for SIRVA managed to get some concessions or information from LockBit, but by October 12, their offer was no more than $1 million, and no further progress was made.  On October 18, LockBit’s message in the chat read:

Hello, this is boss Loсkbit, my partner asked if he can make an additional discount and agree to your miserable pennies, I refused him. The thing is that since October 1, according to the new rules it is strictly forbidden to make a discount of more than 50% of the originally announced redemption amount, so the partner has no right to make a discount on a single dollar even if he wants it very much and believed in your funny fairy tales about your poverty and the last possible price for you $7.500.000. I as the Boss will be very happy to see your information on my blog, your information will be kept there forever. The only way to prevent the leak is to accept my last possible price, otherwise you will not only suffer losses from the leak but will be repeatedly attacked again in the future and will not know in what original way your very profitable and successful company was hacked until now. All the best, you can continue negotiations with my partner.

There were a few more interactions after that, but no agreement was ever reached, and the last entry shown is dated October 19. Whether there was any more negotiation in the month between then and the data leak starting is unknown to DataBreaches.

LockBit dumped what purports to be more than 1 TB of files from SIRVA on November 19. Image: DataBreaches.net

DataBreaches did not download nor examine the data dump, but did a quick attempt to download to see if the download was working. It was, but at LockBit’s slow-as-molasses download speed, it would take almost one month to download each of the .tgz archives.

But what about Brookfield Global Relocation Services (BGRS)?

Is there more data that LockBit has acquired? Is BGRS still in negotiations in LockBit or did LockBit dump everything as SIRVA? If LockBit does have data from BGRS that has not yet been dumped, will we see another data dump soon, or will LockBit try to monetize the data by selling it if BGRS refuses or has already refused to pay ransom?

There is still a lot we do not know about this incident, including why data going back 24 years was able to be accessed and exfiltrated.

This post will be updated when more information becomes available.

 


Related:

  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea's largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
  • New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers
Category: Commentaries and AnalysesGovernment SectorHackNon-U.S.Of Note

Post navigation

← A Hacker Faked His Own Death–Then Claimed To Have Sold Marriott Customer Data To Russians, FBI Says
Poloniex confirms hackers identity, offers $10M white hat reward to return stolen funds →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Government will ‘robustly defend’ compensation claims from Afghans put at risk by data breach
  • Authorities released free decryptor for Phobos and 8base ransomware
  • Singapore Facing ‘Serious’ Cyberattack by Espionage Group With Alleged China Ties
  • Missouri Adopts New Data Breach Notice Law
  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea’s largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
  • New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • 𝐔𝐠𝐚𝐧𝐝𝐚 𝐨𝐫𝐝𝐞𝐫𝐬 𝐆𝐨𝐨𝐠𝐥𝐞 𝐭𝐨 𝐫𝐞𝐠𝐢𝐬𝐭𝐞𝐫 𝐚𝐬 𝐚 𝐝𝐚𝐭𝐚‑𝐜𝐨𝐧𝐭𝐫𝐨𝐥𝐥𝐞𝐫 𝐰𝐢𝐭𝐡𝐢𝐧 𝟑𝟎 𝐝𝐚𝐲𝐬 𝐚𝐟𝐭𝐞𝐫 𝐥𝐚𝐧𝐝𝐦𝐚𝐫𝐤 𝐩𝐫𝐢𝐯𝐚𝐜𝐲 𝐫𝐮𝐥𝐢𝐧𝐠.
  • Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations
  • ICE is gaining access to trove of Medicaid records, adding new peril for immigrants
  • Microsoft can’t protect French data from US government access
  • Texas Enacts Electronic Health Record Data Localization Law
  • Upstate NY county clerk again refuses to enforce Texas abortion judgment
  • Attorney General James Leads Coalition Urging Congress to Protect Americans from Masked ICE Agents

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.