Stacey Scott reports:
The federal government has issued a warning to current and former public service employees, as well as members of the RCMP and Canadian Armed Forces, regarding a recent data breach that took place on October 19th. Officials have identified two companies, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, as the sources of the breach. These companies provide relocation support for employees within the federal government.
It is believed that personal and financial information provided by employees to these companies since 1999 may have been compromised. The Treasury Board of Canada Secretariat has stated that due to the large amount of data involved, specific individuals impacted cannot be identified at this time. However, the government is taking steps to mitigate the situation.
Read more at Gillett News.
Although there is no mention of Brookfield on their leak site, on October 6, LockBit3.0 added SIRVA to their leak site, and subsequently leaked data, stating, “Sirva.com says that all their information worth only $1m. We have over 1.5TB of documents leaked + 3 full backups of CRM for branches (eu, na and au).”
The breach occurred weeks before the October 19 date mentioned in the news report, and DataBreaches suspects some Canadian media have confused the date of a government notice or update with the date of the breach itself. The BGRS website has been offline since September 29 and BGRS notified the government of the breach on September 29.
Read the November 17 statement from the Treasury Board of Canada Secretariat.
On November 19, LockBit leaked SIRVA’s data. In addition to the tranche of data, they posted 17 screenshots and a chat log of negotiations.
The chat log indicates that someone representing SIRVA showed up in the chat on October 6 and asked how much the ransom would be. When told $15 million, SIRVA’s negotiator asked:
We would like to ask you to provide a detailed file listing showing the files you took from our systems. We need the file listing to show a total data size so that we can compare that against the 1.5TB you referenced on your blog. We will also need you to show us what the three database backups were.
When given a filetree, the negotiator asked: “Are you able to provide file listings that maintains the file path and shows the file size and total file count and data size of each list?”
At each stage, the negotiator for SIRVA managed to get some concessions or information from LockBit, but by October 12, their offer was no more than $1 million, and no further progress was made. On October 18, LockBit’s message in the chat read:
Hello, this is boss Loсkbit, my partner asked if he can make an additional discount and agree to your miserable pennies, I refused him. The thing is that since October 1, according to the new rules it is strictly forbidden to make a discount of more than 50% of the originally announced redemption amount, so the partner has no right to make a discount on a single dollar even if he wants it very much and believed in your funny fairy tales about your poverty and the last possible price for you $7.500.000. I as the Boss will be very happy to see your information on my blog, your information will be kept there forever. The only way to prevent the leak is to accept my last possible price, otherwise you will not only suffer losses from the leak but will be repeatedly attacked again in the future and will not know in what original way your very profitable and successful company was hacked until now. All the best, you can continue negotiations with my partner.
There were a few more interactions after that, but no agreement was ever reached, and the last entry shown is dated October 19. Whether there was any more negotiation in the month between then and the data leak starting is unknown to DataBreaches.
DataBreaches did not download or examine the data dump, but did briefly attempt a download to see if the download was working. It was, but at LockBit’s slow-as-molasses download speed, it would take almost one month to download each of the .tgz archives.
But what about Brookfield Global Relocation Services (BGRS)?
Is there more data that LockBit has acquired? Is BGRS still in negotiations with LockBit or did LockBit dump everything as SIRVA? If LockBit does have data from BGRS that has not yet been dumped, will we see another data dump soon, or will LockBit try to monetize the data by selling it if BGRS refuses or has already refused to pay ransom?
There is still a lot we do not know about this incident, including why data going back 24 years was able to be accessed and exfiltrated.
This post will be updated when more information becomes available.