Hacking group Black Basta claimed responsibility for a cyberattack on the Yellow Pages. Copies of passports, RAMQ cards, account statements and driver’s licenses: La Presse found samples of stolen confidential information on the hidden web, taken in particular from Quebecers.
This alleged cyberattack follows a classic ransomware modus operandi, i.e. the gang unveiled samples of the stolen data online on its hidden web blog to put pressure on the targeted company.
In this case, it’s the Yellow Pages, the directory that brings together the information of thousands of Canadian businesses and consumers.
The extent of the information leak is not known.
At the time of publication, the Yellow Pages had not responded to the request emailed by La Presse. On Saturday, a call to the Yellow Pages customer service number ended with the message: “communication could not be established.” The general company number automatically hung up.
At the beginning of April, the Canada 411 website was inaccessible for a few days, La Presse observed. Le Journal de Montréal, in an article published on April 7, attributed the outages to a ransomware cyberattack, citing a source familiar with the matter.
“During these hacks, there is a lot of personal information that is exfiltrated. These are trading techniques, because not all the information is published, just a small sample,” explains Karim Ganame, head of cybersecurity at Streamscan. “The goal is to increase the pressure on the victim. And if nothing is done, all the information will be exfiltrated.”
On the hidden web, Black Basta posted samples of highly sensitive information about several people, including Quebecers. Included are copies of Canadian passports, Quebec and British Columbia driver’s licenses, Régie de l’assurance-maladie du Québec (RAMQ) cards, and a tax return containing the individual’s social insurance.
According to our information, some of this data could be linked to employees or former employees of the company. The Yellow Pages employ approximately 700 people nationwide.
The names of a few companies, anonymized statements of account and the sales contract of an Ontario company are also disclosed.
Copies of a series of restaurant bills located at the same address as the Yellow Pages in Montreal, rue Richardson, have also been made public.
We were able to get in touch with a person whose data was leaked. She preferred not to speak publicly until she secured her information. She confirmed to us that she had not been notified by the Yellow Pages of the situation.
On Friday evening, cyberattack monitoring group BetterCyber posted an alert on Twitter about the attack claimed by Black Basta.
Although directly challenged on Twitter, the Yellow Pages did not respond publicly on the social network on Saturday.
“Getting hacked is taboo in general, but it’s not something exceptional,” notes Mr. Ganame. However, a company well prepared for this type of attack would, he said, have a plan to notify those affected by the information leak.
“By default, the Yellow Pages should assume that all internal data has been affected,” adds the expert. People at risk should be alerted, as should the Commission d’accès à l’information.
Companies have yet to grasp the scale of the threats posed by cyberattacks, Ganame said. “They need to act, they need to see the threat is there, and they have a vested interest in deploying the right tools.”
Black Basta is an active ransomware gang. On April 20, London-based business services giant Capita confirmed that it had been the victim of a cyberattack by the gang, according to Bleeping Computer. About 4% of Capita’s server infrastructure was reportedly affected.
It was also Black Basta who, in November 2022, attacked the Empire group, which notably operates IGA supermarkets.
Law 25 on cybersecurity, adopted last September, should ultimately better protect citizens in cases of hacking like this. But all is not won, according to cybersecurity expert Steve Waterhouse. The alleged cyberattack on the Yellow Pages “is a typical case to study the full scope of information leaks and agency accountability,” he said. “If I make a comparison with Europe, there they have an obligation to report such an event within 72 hours. Here it is as soon as possible. It is a great distinction.”
“This is another fine example of security by obscurity – an antiquated way of doing things that no longer has a place in 2023 and beyond,” Mr. Waterhouse also wrote on Twitter. “Transparency is key, because once the data has [leaked], it cannot be recovered.”