Cyber Incident Victim: Nunatsiavut Government
Date:
Jul 2023
Location:
Canada
Summary
The Nunatsiavut Government experienced a significant privacy breach after its contracted data management company, Advanced Data Systems, was hacked. The incident compromised the personal and health information of approximately 7,500 individuals, including sensitive data like social insurance numbers and detailed medical and educational records. Negotiations with the hackers occurred, but the government cannot confirm if the stolen data was actually deleted.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On July 24, 2023, the Nunatsiavut Government learned from its contracted service provider, Advanced Data Systems Ltd. (ADS), that a security incident had occurred. ADS, which is responsible for developing and maintaining databases of Nunatsiavut Government information, reported that an unauthorized actor had successfully hacked into its networks. Upon discovery, both ADS and the Nunatsiavut Government immediately launched a joint investigation to determine the scope and impact of the intrusion. The investigation concluded that the hacker had potentially accessed the sensitive personal and health information of upwards of 7,500 individuals. This population largely constitutes the entire Nunatsiavut membership base, making the breach a significant event affecting a substantial portion of the autonomous Inuit government's constituents.
The range and sensitivity of the information stored on the compromised ADS networks were extensive. The hacker gained access to names, addresses, phone numbers, and dates of birth for the vast majority of the Nunatsiavut membership. Beyond this basic personally identifiable information, the breach exposed highly sensitive health and financial data. This included provincial medical care plan (MCP) numbers and in-depth details pertaining to medical travel for individuals who receive assistance with health costs not covered by the provincial plan. Furthermore, detailed records on beneficiaries who received post-secondary education assistance were exfiltrated. These educational records contained particularly sensitive information, including individuals' income levels, the names and dates of birth of their family members, student identification numbers, comprehensive living and education expenses, and any mental health or medical issues that were documented as affecting their schooling. A specific subset of 39 social insurance numbers was also among the data accessed during the incident.
A notable aspect of this cyber incident was the subsequent interaction between the service provider and the threat actor. According to information provided by ADS to the Nunatsiavut Government, the company engaged in negotiations with the hacker following the breach. These negotiations, which took place at some point after the discovery of the incident, reportedly resulted in an agreement for the deletion of all the data that had been accessed. The Nunatsiavut Government was advised of this development by ADS in August 2023. However, the government has explicitly stated that it cannot be sure the hacker actually fulfilled the promise to delete the data. This uncertainty stems from the inherent lack of verifiability in such agreements with malicious actors, leading the government to proceed with a public notification out of an abundance of caution.
The public notice was issued to inform all affected individuals of the potential risk to their privacy. The Nunatsiavut Government committed to contacting people directly if their social insurance numbers were among those specifically compromised. For the broader membership, the public notice served as the primary method of communication regarding the exposure of their other types of personal data. In its communications, the government stated that there was no indication the material involved in the breach had been actively used by the hackers at the time of the announcement. This, however, does not eliminate the potential for future misuse of the information, which is a primary concern driving the disclosure. Both the Nunatsiavut Government and Advanced Data Systems have stated they are taking steps to prevent a similar incident from occurring in the future. They are jointly working to enhance security measures and ensure that such sensitive information is better protected moving forward, though the specific technical or organizational controls being implemented were not detailed in the public release.
The incident underscores the significant risks associated with third-party vendor relationships, particularly when those vendors are entrusted with vast amounts of highly sensitive personal and health information. The compromise did not occur on the Nunatsiavut Government's own infrastructure but rather on the networks of its contracted service provider, ADS. This transfer of risk to a third party highlights a critical vulnerability in modern data management practices, where the security posture of a business partner becomes inextricably linked to the privacy of the primary organization's constituents. The depth of the information exposed, especially details concerning medical conditions and mental health issues linked to educational pursuits, presents unique risks of discrimination, identity theft, and personal embarrassment for the affected individuals.
The response timeline indicates that the breach was discovered on July 24, with the investigation confirming the scope of potential access shortly thereafter. The negotiation process between ADS and the hacker then occurred, culminating in the advice given to the Nunatsiavut Government in August. The public disclosure followed after this period of investigation and negotiation. The nature of the attack, whether it was a ransomware incident where data was encrypted and a ransom demanded for decryption, or a pure data theft extortion where a ransom was demanded in exchange for not releasing the data, is not explicitly detailed. The reference to negotiations, however, strongly suggests a financial motive behind the attack. It remains unclear from the provided information if a ransom payment was ultimately made by ADS as part of its negotiations with the threat actor.
For the Nunatsiavut Government, the breach represents a serious challenge to its duty of care towards its members. The exposed data is not merely transactional; it encompasses deeply personal information related to healthcare and educational support, which are core functions of the government's service to its people. The potential misuse of this information could have real-world consequences for individuals, ranging from financial fraud to targeted scams that leverage knowledge of medical conditions or educational history. The government's decision to issue a broad public notice, despite the negotiations for deletion, reflects a principled approach to transparency and a recognition of the ongoing risk posed by the mere existence of copies of such data in unknown hands.
In the aftermath of the incident, the focus for both the Nunatsiavut Government and Advanced Data Systems is on remediation and strengthening defenses. The public commitment to doing everything possible to stop a recurrence indicates an acknowledgment of the severity of the breach. The work to ensure information is better protected in the future will likely involve a thorough review of the security protocols, access controls, and data handling practices employed by ADS, as well as a re-evaluation of the contractual and oversight mechanisms the Nunatsiavut Government has in place for its vendors. The incident serves as a stark reminder of the persistent and evolving threats faced by organizations that manage sensitive data, and the critical importance of robust cybersecurity measures throughout an entire supply chain.