Cyber Incident Victim: Yellow Pages Canada
Date:
Mar 2023
Location:
Canada
Summary
Yellow Pages Canada confirmed a cyber attack by the Black Basta ransomware group, which leaked stolen sensitive data including employee and customer personal information. The compromised data contained ID documents such as passports and driver's licenses, tax records with Social Insurance Numbers, financial spreadsheets, and corporate agreements. Following the breach, the Canadian directory publisher engaged external cybersecurity experts to investigate, secure systems, and restore services while notifying affected individuals and regulatory bodies. The ransomware group previously targeted other organizations, including UK-based Capita and Canadian retailer Sobeys, showcasing a pattern of high-profile attacks involving data theft and extortion demands.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Yellow Pages Canada, a prominent Canadian directory publisher operating YP.ca, YellowPages.ca, and Canada411, confirmed a cyber attack in March 2023 after the Black Basta ransomware group leaked sensitive data on its extortion portal. The incident was first identified when threat intelligence analyst Dominic Alvieri observed Black Basta posting samples of stolen Yellow Pages data publicly in April 2023. Based on dates within the leaked documents, which included materials as recent as February and December 2022, the compromise likely occurred on or after March 15, 2023. Black Basta claimed responsibility for the attack and published a range of sensitive data, including employee and customer personal information such as passport and driver's license scans with birthdates and addresses, tax documents revealing Social Insurance Numbers (SINs), sales agreements, an Accounts Receivable spreadsheet dated February 28, 2023, and a budget forecast from December 2022. This breach exposed highly sensitive identifiers, particularly SINs, which carry significant privacy and identity theft risks in Canada. The attack followed Black Basta's pattern of high-profile targets, including recent attacks on UK outsourcing firm Capita and Canadian retailer Sobeys, where point-of-sale systems were disrupted in 2022. Cybersecurity analysts have noted similarities in Black Basta's negotiation tactics to the Conti ransomware group, suggesting a potential rebranding link.
Upon discovering the attack, Yellow Pages immediately engaged external cybersecurity experts to investigate, contain the intrusion, and secure affected systems. Senior Vice President and CFO Franco Sciannamblo confirmed in a statement that unauthorized actors had accessed servers containing employee data and limited business customer information. The company restored substantially all services following containment efforts and initiated notifications to impacted individuals. Yellow Pages also reported the breach to relevant privacy regulatory authorities in compliance with legal obligations. Black Basta's leak site continued to host stolen data samples, indicating data theft occurred prior to deployment of ransomware encryption or other disruptive actions. The group had threatened to sell stolen Yellow Pages data if ransom demands were unmet, mirroring tactics used in prior attacks like the Capita breach earlier in April 2023. No further operational disruptions to Yellow Pages' directory services were reported beyond the initial compromise, though the exposure of sensitive personal and financial documents presented clear risks of secondary fraud and identity-related crimes for affected individuals.