[ad_1]
On Monday, the Saskatchewan Liquor and Gaming Authority (SLGA) emailed some of its business partners, alerting them their credit card data may have been stolen during a Christmas Day hack of the organization’s computer systems.
Mark Heise, who runs Regina’s Rebellion Brewing Company, is one of those who received that email. He said the three-and-a-half month delay in notification points to the organization’s “lack of urgency” and “lack of concern” about the breach.
He said it’s not just the hack of the credit card data that alarms him.
“It’s any information. There’s trade secret information… There’s sales data,” he said. “All of that stuff is valuable to your competitors or whomever.
“We were not advised of that by our own government. That’s pretty concerning to me.”
Last week, CBC reported that the hackers had provided a series of what appeared to be confidential SLGA documents. Among those records was credit card information belonging to some SLGA suppliers.
In an SLGA email provided to CBC, the Crown corporation wrote that following CBC’s report, “SLGA immediately launched a further investigation. It determined credit card information belonging to some retail store permittees and craft suppliers was stored on SLGA’s network.”
“As a result, your credit card information may have been accessed or taken.”
Heise, who is also president of the Saskatchewan Craft Brewers Association, said that while he’s received great service from many SLGA employees, the delay in notification is unacceptable.
“I don’t think that that would fit the criteria of an acceptable timeline by anyone’s definition,” he said.
Some were warned, others weren’t
About three weeks after the hack, SLGA warned its employees that their personal data may have been stolen. The organization offered them credit monitoring services.
But at that time, it didn’t warn any of its business partners, suppliers, vendors or licensees.
Then on March 22, three months after the hack, SLGA posted an “indirect notification” on its website that a wide range of data belonging to gaming, liquor and marijuana permittees may have been stolen by the hackers. SLGA said that may include medical, criminal, financial and personal data.
But in the Monday email to its business partners, SLGA said it wasn’t until an investigation, prompted by CBC’s report, that the organization discovered credit card data was at risk.
“At the time of the indirect notification on March 22, SLGA did not know the extent of what may have been accessed by the hackers and further believed that credit card information was not stored on its systems,” said the email from Greg Gettle, VP of SLGA’s liquor, wholesale and distribution division. “I would like to apologize for any concern this incident has caused.”
IT security ‘at the bottom of the list’
Heise used to work in information technology (IT) with the government of Saskatchewan for about a decade. Part of his work was to develop IT security policies and procedures. He said the claim that SLGA didn’t know it was storing credit card data in its computer systems is puzzling.
“I do have a hard time believing that,” said Heise.
He said if that’s true, it doesn’t speak well of SLGA’s information management systems.
“If that is truly the case… it exposes that there are major challenges with their understanding of their systems and their duty to store and protect data,” said Heise.
Heise said during his time in government, he remembers the frustration of working with antiquated systems that had been underfunded for decades.
“IT always comes in at the bottom of the list when it comes to funding,” he said. “It means events like this are going to happen. Are going to be very costly. They’re very dangerous. And they’re going to be happening more and more.”
When asked how he and his colleagues are evaluating the Saskatchewan government’s handling of this breach, his response was stark.
“It maybe sounds horrible, but people just kind of expect it,” he said. “We probably should be outraged but we’re almost, ‘This is kind of par for the course.'”
CBC asked SLGA for comment, but it hasn’t replied.
[ad_2]
Source link