Threat Essentials Blog

6-month comms delay costs Canada Post a third-party data breach

Why do organisations wait to communicate something as critical as a data breach? Shouldn't organisations be the first to know if there is trouble in the supply chain? But what if they simply don't have the third-party cyber risk information?

On reading about the Canada Post third-party breach, Threat Essentials took it to its intelligence platform for more information. In under a minute, the team was able to verify that a recently reported Canada Post's third-party breach had actually taken place back in December - almost six months before the announcement.

The need for third-party cyber risk management

Whether Canada Post was simply unaware of the breach because it lacked the necessary third party threat intelligence - or its communication response strategy was lacking is unknown. The fact is that organisations today urgently need intel-lead third-party cyber risk management strategies and tools to see the systemic risks in their supply chain.

The exposure on the dark web of data belonging to Canada Post, stolen through the compromise of a third party, shows that the need for third-party cyber risk management or supply chain TPRM - is fast becoming critical. An initial breach of the third party, Commport Communications, reportedly occurred in late 2020; Canada Post took six months to reveal that its data had been stolen and leaked.

There is no indication that the data was publicly available at any point before the Lorenz leak blog emerged in early May 2021. However, the large gap between the initial compromise and the announcement by Canada Post almost half a year later, presents a large window where the extent of the compromise - and therefore the risk - was unknown.

Data siphoned from a partner 

Between July 2016 and March 2019, the criminal group published internal files with the names and addresses of 950,000 customers from 44 companies extracted from shipping labels. These had been siphoned from a partner's computer system and exfiltrated, most likely before they were hit with ransomware.

About Lorenz ransomware group

The Lorenz ransomware group is a relatively new name for an operation that has run under several different names since mid-2017. Starting with ThunderCrypt, it evolved to become known as sz40 - in reference to the file extension applied to its encrypted files. Most recently, the group goes by the name Lorenz.

Tactics, Techniques and Procedures (TTPs)

The group follows the familiar pattern of gaining access to a network and performing lateral movement across the victim's network until it gains control of the Domain Controllers, the main set of servers within a Windows network that manages logins, user identities and file shares. This gives the attackers the opportunity to discover sensitive internal files and stage them for uploading to a cloud storage account owned by the malicious group. Once complete, they will also deploy ransomware to add extra pressure on the victim organisation and open up for negotiations.

Threat Essentials' Third-Party Cyber Risk Management solution leverages a powerful threat intelligence platform detecting third-party compromises as they appear. This allows decision-makers to perform due diligence with potential vendors and enact data protection policies before it is too late.

 

Timeline of Canada Post's third-party data breach

Event Date Source
Data uploaded to Lorenz ransom site December 20, 2020 Lorenz  ransom site

Leak blog first discussed on XSS

May 4, 2021 XSS Forum

Data shared in thread on RaidForums

May 15, 2021 RaidForums

Canada Post announcement

May 26, 2021

Canada Post

Bleepingcomputer.com

 

To find out how you can protect your organisation from cyber vulnerabilities in the supply chain, get in touch with Threat Essentials.