Aurora Cannabis said it suffered a “cybersecurity incident” on Christmas Day. (GETTY)
Aurora Cannabis (ACB.TO) (ACB) consults with security experts and authorities while a hacker solicits online bids for data allegedly owned by the Canadian pot company. The data appears to include copies of passports, driver’s licenses, credit card information, and other business documents.
A post from January 7th on an online marketplace for hacked databases advertises “All data from Aurora Cannabis” for sale and offers 11 sample images as “Proof of Concept”. Below the pictures are a passport that appears to belong to Darryl Vleeming, Aurora’s chief information officer, and an Alberta driver’s license that appears to belong to Amy Lamoureux, a supply chain manager at the company.
Edmonton-based Aurora said it had a “cybersecurity incident” on Christmas Day. The company said at the time that no patient data was compromised and that Aurora’s operating network was not affected. Aurora sells medical cannabis directly to nearly 100,000 Canadian patients. The company employs around 1,800 people in Canada and Europe.
On Monday, spokeswoman Michelle Lefler declined to answer questions from Yahoo Finance Canada about what data was breached or whether the company was contacted by parties who claimed they were in possession of their data.
“On December 25, 2020, Aurora was exposed to a cybersecurity incident. The company immediately took action to mitigate the incident, is actively consulting with security experts and is working with authorities. Aurora’s patient systems have not been compromised and the company’s operating network will remain unaffected, ”she wrote in a statement sent via email. “Our priority is to make sure our business stays up and running and can serve our patients and customers.”
The post that allegedly lists online sales, which was first flagged by an information security blog, doesn’t list a specific price for the treasure trove of information. However, Bleeping Computer website claims the hacker behind the attack was priced at one bitcoin (BTC-CAD). The volatile cryptocurrency was valued at $ 41,812.43 per Canadian dollar at 1:23 p.m. CET on Monday.
The story goes on
In an interview with Bleeping Computer, the hacker said he had 50 GB of stolen data and still had access to Aurora’s network.
The Marihuana Business Daily reported Jan. 4 that the victims of the Christmas Day data breach include an unknown number of current and former Aurora employees. The cannabis industry news source said an email the company sent to Aurora employees cited a “cybersecurity incident where unauthorized persons accessed data in (Microsoft cloud software) SharePoint and OneDrive”.
The Alberta Information and Privacy Commissioner’s office confirmed Monday that Aurora had reported the incident, as required by the provincial Personal Data Protection Act.
The Canadian data protection commissioner’s office said it was informed of the breach on December 31st.
“We have communicated with the organization to gather more information and determine our next steps,” wrote senior communications advisor Vito Pilieci in an email.
Aurora isn’t the first Canadian cannabis producer to be attacked by hackers. Last November, Quebec-based Neptune Wellness Solutions (NEPT.TO) announced that it had spent nearly $ 2 million in July due to a “cybersecurity incident”. The costs included “an amount paid to the threat actor in return for the destruction of the data” plus legal and investigation fees and other costs.
According to IBM’s “Cost of Data Breach Report 2020”, the average cost of data breach in Canada has increased 6.7 percent since 2019, reaching $ 6.35 million last year.
Jeff Lagerquist is a Senior Reporter at Yahoo Finance Canada. Follow him on Twitter @jefflagerquist.
Download the Yahoo Finance app, available for Apple and Android.