Confidential information about at least 270 local businesses ends up on the hidden web following a hack that affected Investissement Québec (IQ) in early February.
• Also read: More than 1,000 Investissement Québec employees affected by data breach
However, the state body did not see fit to notify the companies concerned, so several of them learned that the incident affected them when Le Journal contacted them this week.
At least 120 internal IQ documents have been published on the hidden web by the Clop hacker gang in recent weeks. About 60 of them were not encrypted or password protected, which is against good cybersecurity practices.
“The exfiltrated information was already of public order or very summary and general and destined for a customer satisfaction survey. The files did not contain any personal customer information. As such, we have not notified clients,” said Investissement Québec spokeswoman Isabelle Fontaine.
- Listen to Francis Gosselin’s live editorial broadcast every day at 3:00 p.m. 53 over QUB radio :
sensitive information
However, the documents, which mainly date from last year, contain the following confidential information in particular:
- Emails and mobile numbers of employees of IQ client companies
- The approximate turnover of some of these companies
- A brief summary of the projects for which companies have requested IQ support.
We learn that an SME is planning to build a new plant in Saguenay-Lac-Saint-Jean, that a computer company wants to count ExxonMobil among its customers, that a multinational corporation is carrying out extensive tests on vehicles and leisure facilities, and that a Montreal construction company is planning a ” strategic partnership” in Brazil.
The Journal chose not to name the companies affected by the leak to avoid increasing the risk that they suffer negative consequences.
“The documents still contain financial information,” notes Terry Cutler of cybersecurity firm Cyology Labs, which advised one of the companies involved in the IQ document exfiltration.
“Transparency is essential,” adds Jacques Sauvé of Trilogiam. That doesn’t mean we’re yelling that in the media, but we have to at least warn [ses partenaires d’affaires].”
The goal, he adds, “is to make potential victims more alert to the risk of identity theft and other issues.”
New Bonds
Bill 25, which went into effect last fall, requires companies to “notify affected individuals of any incident that poses a serious risk of harm.”
“We are aware of our obligations under Bill 25 and believe we have complied with them,” Ms Fontaine said.
The heads of the affected companies, who Le Journal was able to speak to, said they were relieved the stolen information was not too compromising.
The Desjardins Group affected by the incident also had a similar reaction. “We have found no evidence that could pose a security issue for Desjardins,” said a spokeswoman, Chantal Corbeil.
Nathalie St-Pierre, spokeswoman for Minister for Cybersecurity and Digital Affairs Éric Caire, could not say yesterday whether IQ had informed the government about the incident, which also affected hundreds of employees and ex-employees of the state-owned company. However, we know that IQ informed the Commission d’accès à l’information.
The cyber attack suffered by IQ was directed against the file sharing system GoAnywhere from the American company Fortra. It affected at least 130 organizations around the world.
– With Philippe Langlois, detective agency and Valérie Lesage
Do you have any information about this story that you would like to share with us?
Do you have a scoop that might be of interest to our readers?
Write to us or call us directly at 1-800-63SCOOP.