How Bad Was the Cyberattack on the Sault Police?
… pretty bad.
On or around August 26th, the Sault Ste. Marie Police Service (SSMPS) was the victim of what’s been described as a ‘ransomware’ attack. Although there’s been some coverage in local news sources and two months have elapsed, it’s still hard to discern the severity of the attack. Based on some new information that I’ve received and the unusual brevity of the last Police Services Board meeting, I think it would be fair to say that its full extent has been downplayed.
To put it bluntly, the attack was devastating, although you’d probably not appreciate that if you were reading what’s already been written about it.
In the Police Services Board meeting on October 28th, it took just five minutes or so to present substantive business before moving onto the in camera portion (the portion that happens in private). The usual statistics gleaned from the internal SSMPS reporting – things related to calls for service, use of force reports, arrests, etc. – were all missing because of the cyberattack. Chief Stevenson was the most candid anyone from the SSMPS has been so far, offering an apology and explaining the absence.
Yet there were no further details released about what’s actually going on and nobody seems like they’re in a hurry to find out.
Before we get to the cyberattack itself, a bit of context is useful.
Most will be familiar with hacking methods that release customer data (i.e. what’s entered when making an online purchase). Hackers have released millions upon millions of data profiles in online dumps and then a larger group of hackers will pore over the profiles attempting to use an individual’s personal data to gain unauthorized access to different accounts. For example, if you use the same password for multiple websites, the data stolen from one breach (an online retailer) might be used to log into a completely separate site (online banking).
The consequences can be disastrous, which is why it’s so good to see companies and websites stepping up their authentication methods (there’s still a long way to go though). If you suspect that personal information that you’ve provided online was part of a previous data breach, there’s a website for that: https://haveibeenpwned.com/
‘Ransomware’ is much different. It’s a form of cyberattack in which those without direct access to a computer system surreptitiously gain access to valuable data for a criminal purpose. They then encrypt (lock) it remotely and/or steal (download) it. Either way, their access to valuable data allows them to extort the owners of the system, who sometimes pay hefty sums to regain access and/or prevent the public release of their data.
The people who conduct these attacks are, to put it mildly, not playing by the rules of a civilized society. Just a few days ago, the province of Newfoundland experienced a potential ransomware attack that knocked out the “brain” of their health data system, leading to a wave of cancelled appointments, health and government officials scrambling to restore scheduling, and people wondering when they’ll be able to access care. All of this during a pandemic, no less!
Sophisticated cyberattacks that gain direct access by working around cybersecurity systems are typically rare. It’s much more common for hackers to send spoof emails directly to an organization (‘phishing’) that either result in individuals providing data (like passwords that can be used to gain access to internal data systems) or directly downloading and opening malware (sometimes referred to as ‘Trojan horses’). From there, ransonware propagates itself throughout a data system, wreaking havoc upon an organization and potentially exposing sensitive information.
A local source with ample cybersecurity experience tells me that there have been several significant cyberattacks in Sault Ste. Marie in the last year or so (that they know about). Although the source couldn’t disclose the victims of these attacks (and we shouldn’t ask), they were able to say that they affected high profile organizations. Some will remember that Sault College was earlier a victim of a cyberattack, but the source confirmed that there were others that didn’t make the headlines, including one in which a local company paid a ransom because they simply couldn’t operate without access to their data.
Recently, the Canadian Internet Registration Authority – a non-profit that oversees Internet domains registered in Canada – presented some statistics in its annual Cybersecurity Survey, which included responses from “510 cybersecurity decision-makers.” Whether or not this survey sample is representative of Canada as a whole, the statistics are sobering:
“In the past 12 months, almost one in five (17 per cent) organizations have been the victim of a successful ransomware attack. Of that group, a majority (69 per cent) say their organization paid the ransom demands, while 59 per cent report that data was exfiltrated. Organizations may be paying extortion fees because they fear damage to their public image.”
Hackers seem to have moved onto riskier targets with the promise of hefty ransoms in recent years, targeting large-scale infrastructure projects (like pipelines) and a range of public services (like hospitals). Police services, the people who you’d think would be tracking down these digital thugs, are also becoming prominent targets. As the Associated Press reports:
“Criminal hackers are increasingly using brazen methods to increase pressure on law enforcement agencies to pay ransoms, including leaking or threatening to leak highly sensitive and potentially life-threatening information.”
Earlier this year, news broke that a series of police departments in the United States were victims of cyberattacks. According to Scott Briscoe of Security Management:
“Data from the [Washington D.C.] Metro Police attack leaked on the dark web on 26 April, with the threat the more data would be leaked if the hackers’ payment demands are not met. The attackers claimed to have stolen 250 gigabytes of data, including details about police informants, gangs, and gang activity.”
Given the sensitive nature of the data police services collect, it probably shouldn’t be surprising that they’ll be targeted by cyberattacks if there’s a reasonable chance the perpetrators will never be identified.
The potential consequences of such attacks aren’t just confined to the release of sensitive data, but also the erasure of data. A small town in Florida saw prosecutors allegedly drop criminal charges as a result of a police department suffering a ransomware attack. If such attacks continue, wide-scale losses of data could lead to less effective criminal prosecutions elsewhere.
So what exactly happened at the SSMPS?
Here’s how the situation was recently described in (separate) communications to the Information and Privacy Commissioner (IPC) of Ontario:
“For the past six weeks, basic technology within the Service has consisted of a telephone and fax for administrative matters. No computer or laptop or external device can be used for basic clerical without time-consuming testing and scanning for viruses, malware, or anything of a further harmful nature. Just two days ago [October 6], department heads and supervisors began to receive access to emails on their cell phones (after being without even email access since August 26, 2021). Nothing on our servers and/or old networks is accessible and we anticipate that much was expunged during this attack.”
This is much worse than what’s been previously reported.
On October 1st, someone from the SSMPS told me that “[they] have put out public media releases confirming that no internal data or personal information has been compromised as a result of the cyber attack.”
That’s true: a month earlier, the SSMPS told the Sault Star that they didn’t believe any ‘sensitive information’ had been accessed. However, at that point, they also said that they’re unfortunately “still experiencing IT issues,” which appears to be quite the understatement.
More importantly, if “much was expunged during the attack,” where did it go and what was expunged, exactly?
We still don’t know, but there’s more.
The SSMPS also noted in its (separate) communication to the IPC that “[o]ther Police agencies are now involved in this criminal investigation and our Service is in the process of hiring an outside company to rebuild our servers, networks, and desktop computers.” That sounds like the entire internal system has been compromised, not merely some ‘IT issues.’
Further, they’re currently “working closely with the Ministry of the Attorney General to continue to successfully prosecute criminal cases.”
Does this mean that some of the “expunged” data directly bears upon criminal cases that could be jeopardized during prosecution as a result of this?
Barring sensitive data being leaked online in an effort to exact a ransom from the SSMPS, this is probably the worst-case scenario.
When I asked the SSMPS directly about the severity of the attack after learning about these new details, I received this response:
“Unfortunately I cannot comment on anything regarding the cyberattack other than to advise you that it is standard protocol for a police service to notify the IPC that a system was breached by an unauthorized outside party. As the cyberattack is currently an ongoing investigation, the service is not in a position to provide any further information at this time.”
Fair enough, but they also waited four days to notify the IPC, which probably isn’t standard protocol. When I asked the SSMPS if they had notified any individuals about their personal information potentially being compromised, they just didn’t respond, which sadly isn’t atypical.
Likewise, the IPC hasn’t yet responded to specific questions related to the severity of the cyberattack. They informed me that they “are working with the [SSMPS] to learn more about the situation. As this is an active file with our office, [the IPC] cannot provide further details until we have more information about the specific circumstances of this incident.”
That doesn’t sound like they know much about what happened, either.
Typically, the IPC will conduct an investigation if the potential data breach was severe enough, especially when there’s sufficient evidence that unsatisfactory cybersecurity protocols contributed to a breach of personal information. According to the IPC:
“While investigating potential privacy breaches, we examine the causes of the breach, as well as the organization’s response to the incident. We look to establish whether the breach has been contained, the appropriate people notified, and whether corrective action has, or should be, taken to ensure the incident does not happen again.”
There are so many questions that have been unasked and unanswered so far.
First and foremost, how did the cyberattack actually happen? Did a SSMPS member leave the digital door open, so to speak, or was it a more sophisticated breach of their cybersecurity system? In speaking with the local cybersecurity source, there are likely two broad scenarios, neither of which bode well for the SSMPS.
Based on the information that’s presently available, it’s reasonable to assume that this was a targeted cyberattack, with intentions that exceed just sowing some chaos. The SSMPS have said that there isn’t a ransom demand, but two months have elapsed without much progress. Other police services are investigating and the SSMPS is working with a company to rebuild what looks like a majority of its internal data network.
When the SSMPS says that much of its data was “expunged,” does that mean that it was erased or otherwise lost, or that it could potentially end up posted among the inner recesses of the dark web?
If we assume that it was a targeted cyberattack but there wasn’t a ransom demand, perhaps that’s because the SSMPS were able to limit the extent of the damage once they realized what was happening. It’s possible that their response made extracting sensitive data and subsequent extortion impossible. In this scenario, it’s a targeted attack that was just unsuccessful, in the sense that the criminals just couldn’t monetize their chaos.
According to the local cybersecurity source, it’s very rare that a cyberattack targets a high-profile organization like a police service without ambitions for extortion.
If this is the case, however, the SSMPS should be more transparent by telling the public which forms of its data were damaged, destroyed, or are otherwise potentially compromised. Given the sensitive nature of their data collection and storage, anyone whose data may be compromised deserves to know. Or, in the absence of any further details, which is where we are now, they can explain why we shouldn’t be worried. Considering that the SSMPS initially described the attack specifically as a ransomware attack (at least at first), the curious lack of ransom ought to be explained.
Alternatively, the attack could have been the result of garden-variety malware, the kind that members of an organization unfortunately mistake for credible emails or attachments all the time. It might infect just one computer or device and then make its way throughout an entire system, rendering significant portions inaccessible without any tangible benefit for the responsible hacker(s) (aside from basking in the chaos).
The probability of this scenario is arguably lower, since it’s reasonable to expect that members of a police force – those entrusted with sensitive data collection and storage – will have a modicum of cybersecurity literacy. Further, it seems somewhat unlikely – given the heightened cyberattacks on police services recently – that this would be coincidental timing for a digital slip up at the SSMPS.
In this this scenario, the cyberattack wasn’t targeted, but it was nonetheless devastating. If this is the case, the SSMPS should still be transparent about the precise nature of the cyberattack. If it wasn’t a targeted attack, it probably means that poor cybersecurity systems and practices played a larger role in the cyberattack, but it also means that the public has less to worry about (i.e. sensitive data swirling around the dark web).
Finally, who’s in charge of cybersecurity at the SSMPS, anyways?
We should expect them to have the most comprehensive digital security possible within their financial and technical means. Likewise, the City of Sault Ste. Marie should be using this tragedy as an opportunity to update all of its associated cybersecurity systems. If something like this can happen to the police, how would other public organizations fare? Some of them collect and store data that would be very attractive to roving cybercriminals.
In the IPC response, they included a litany of resources that institutions can consult for more information about protecting themselves from potential cyberattacks, ending with this key point:
“Ontarians need to be able to trust that public institutions will keep their personal information safe and secure.”
I couldn't agree more, but without the public being privy to the severity of the attack, and specifically what’s at stake, we have no idea if the SSMPS is deserving of that trust.
Best practices include, at the very least, an external firewall to prevent potential intruders and organizational education to ensure members are not susceptible to deception when they come into contact with potential ransomware attacks (usually via email). If the IPC pursues a formal investigation, the public might learn more about what allowed such a tragedy to transpire.
To be fair, though, the cyberattack is now a criminal investigation, which might preclude the release of specific details about that investigation. Nonetheless, the SSMPS is a public organization.
There’s a big difference between withholding information in the interest of not compromising an ongoing investigation and withholding information simply because you can.
Since so few details have been released, the public is left completely in the dark regarding the severity of the attack and whether or not peoples’ personal information is potentially at stake. At the very least, the public ought to know the degree to which the SSMPS’s public functions will be hindered, including the loss of data collected in line with applicable legislation and the prosecution of criminal cases.
Hopefully, more details will be released sooner than later. But if we don’t ask, they won’t tell us.
In the meantime, update those passwords, everyone.
PS: Since launching this newsletter a few weeks ago, the response has been enormous and heartwarming. Some of you have responded with generous financial contributions, while others have reached out directly with story ideas and words of kindness and support. I’m immensely grateful for all of this and it’s a great reminder that people in Sault Ste. Marie (and elsewhere) are keen to see more local research and writing focused on the public interest. The newsletter will continue with another standalone story soon – a federal election postmortem – and then launch a longer series about the legacy of industrial pollution in Sault Ste. Marie. Stay tuned and thanks very much for your support.