Cyber Incident Victim: Family and Children's Services of Lanark, Leeds and Grenville
Date:
Jan 2018
Location:
Canada
Summary
A ransomware attack targeted a children's services agency, demanding $60,000 to unlock encrypted servers during its transition to a new provincial database system. The organization refused payment, restored operations within eight hours using offline backups, and incurred $100,000 in recovery costs covered by cyber insurance. Provincial cybersecurity experts and private contractors neutralized the malware over three weeks, though no data exfiltration occurred. The incident prompted enhanced security protocols for interagency data transfers to the centralized system, which remained uncompromised. A separate regional agency paid $5,000 ransom in a similar attack, leading to province-wide cybersecurity reinforcement across child protection services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In November 2017, Family and Children’s Services of Lanark, Leeds and Grenville experienced a ransomware attack when staff attempting to access their database encountered an English-language ransom message demanding $60,000. The malware encrypted most of the agency's local servers, rendering sensitive client data inaccessible. Executive Director Raymond Lemay confirmed no data exfiltration occurred, characterizing the incident as a ransom attempt rather than a data breach. The agency refused payment and initiated recovery procedures using offline backups, restoring critical systems within approximately eight hours. During the attack, the organization had been actively uploading data to CPIN (Child Protection Information Network), Ontario’s new $123-million centralized database for children in care. Lemay suggested the transition to CPIN might have created system vulnerabilities exploited by attackers, though this remained unconfirmed. Provincial cybersecurity experts from the Ministry of Children and Youth Services collaborated with a private internet security firm to neutralize the malware, a process requiring three weeks to identify and eliminate the malicious code from infected systems.
The incident disrupted access to local files containing private information on children and families under the agency’s care, though provincial CPIN data remained uncompromised. Recovery costs totaled $100,000, covered by the agency’s cyber insurance policy. In response, the ministry enhanced security protocols governing data transfers from local agencies to CPIN to prevent similar breaches. The attack occurred as approximately half of Ontario’s 47 children’s aid societies were migrating to CPIN, with full provincial implementation scheduled for 2020. Ministry officials and the Ontario Association of Children’s Aid Societies subsequently reinforced cybersecurity best practices across all member agencies. Forensic analysis did not establish whether the agency was specifically targeted or victimized by opportunistic malware. The incident highlighted operational risks during technological transitions while demonstrating the effectiveness of offline backups in mitigating ransomware impacts without capitulating to extortion demands.