Stealing Customer and Client Data
Cyber threat actors have both the intent and capability to acquire sensitive information as demonstrated by numerous high-profile data breaches targeting the data of millions of customers around the world. Large databases containing personal information such as names, addresses, phone numbers, financial details, and employment information are valuable to cyber threat actors. The aggregation of data collected from multiple breaches can provide cyber threat actors the ability to build comprehensive profiles to conduct cyber threat activity against specific groups or individuals.
We assess that in 2019 large databases will almost certainly remain attractive targets for cyber threat actors seeking to sell information or support state-sponsored espionage.
Cyber threat actors also attempt to extort businesses by threatening to reveal confidential client information. Some businesses decide that paying a ransom is cheaper than the costs associated with ignoring a cyber ransom. Yet, cyber threat actors can decide to delete, modify, or release information, even if a payment is made. Robust cyber security and business continuity practices are required to protect valued data.
In January 2017, the Royal Canadian Mounted Police (RCMP) took down a website hosting 3 billion personal records collected from major global data breaches. Although the RCMP located the servers hosting personal content in Canada, users from around the world could access the information for a small fee. In December 2017, the RCMP charged an individual alleged to have trafficked identity information. (Endnote 11)
This case is a revealing example of how cybercriminals profit by using personal information stolen from data breaches. While cybercriminals exploit the transnational nature of the Internet, operations such as Project Adoration, which involved cooperation between the RCMP, the Dutch National Police, and the United States Federal Bureau of Investigation, demonstrate that law enforcement is advancing systems and methods to tackle cybercrime. This case highlights the importance of international partnerships to investigate and prosecute cybercriminals.
Extortion by Customer Data
In May 2018, cybercriminals contacted two Canadian banks, claiming to have accessed the personal information of tens of thousands of clients. The cybercriminals threatened to release the information unless the banks paid them $1 million ransom. Both banks refused to pay, offered clients free credit monitoring, and pledged to cover any money lost from affected bank accounts due to fraud. (Endnote 12)
This case shows that a business’s commitment to maintaining client confidentiality can be exploited in an attempt to extract payment. A similar operation against a business with fewer resources could inflict devastating damage by extorting funds that disable operations or releasing information and damaging its reputation.
Canadian businesses, especially those active in strategic sectors of the economy, are subject to cyber espionage aimed at stealing intellectual property and other commercially sensitive information. Cyber threat actors target commercial information so they can copy existing products, undercut competition, or gain an advantage in business negotiations. Generally, commercial espionage requires advanced capabilities and a persistent approach.
We have observed some adversarial nation-states advance their defence and technology sectors by conducting cyber commercial espionage around the world, including in Canada. This cyber threat activity can harm Canada’s competitive business advantage and undermine our strategic position in global markets.
We assess that the threat of cyber espionage is higher for Canadian businesses when they operate abroad. Many countries have the legal and technological framework that enables their domestic police or security forces to covertly access data when it transits or resides in their country. Canadian businesses operating abroad should remain mindful of local laws, regulations, and business practices, and the threats these may present to their proprietary information, personal data, or intellectual property.
Figure 7: Supply Chain Process (Endnote 13)
Figure 7 - Description
Cyber threat actors can exploit the supply chain at various stages: the design stage, through poor-quality design practices; the production stage, by tampering with the product; the delivery and deployment stage, through weak cyber security practices; the operational stage, by exploiting vulnerabilities; and the maintenance stage, via a service provider.