The breach of 70,000 Canadian credit and debit cards shouldn’t be a surprise, Daniel Tobok, CEO of Cytelligence Inc. “There’s probably 400,000 at minimum different cards on the dark web that are from Canadian sources,” he said. Some Canadian organizations like to think they’re safer from cyber attack because of the relatively few publicly-reported data breaches here. It’s true there are fewer breaches reported in this country. And international figures show reported malware attacks here are lower than in the U.S. But that doesn’t mean they don’t happen. It’s just that they don’t get reported.For example, at this week’s SecTor security conference in Toronto a Telus Security Solutions consultant said early this year a batch of over 70,000 Canadian credit card numbers popped up for sale on the darknet. So far no organization has announced a theft.
Milind Bhargava made the revelation as part of a presentation he and another Telus security investigator did on how much personal information on Canadians was available on the darknet. His division regularly monitors credit card sales sites for corporate customers, he said. It’s not hard to identify Canadian credit and debit cards – the first six digits of every card identifies the bank and type of card.In the early months of this year “suddenly we saw 70,000-plus cards from the same province,” he said. “Multiple banks, but all from the same province. We have never seen so many from the same province.” He wouldn’t identify the province.The card data, with expiry dates ranging from this year to 2020, were being sold for between forty cents and $3 each.There was “nothing to tell us from where it happened,” Bhargava said in an interview. The assumption is the data was collected over a year. Because the cards came from all parts of Canada and many financial institutions the theft might have been from a hotel or an organization hosting an event that draws widely, like a large fair or sport contest.The breach of 70,000 Canadian cards shouldn’t be a surprise, Daniel Tobok, CEO of Cytelligence Inc., a Toronto-based digital security consulting firm and former managing director of Telus’ forensics and security consulting division, said in an interview.”There’s probably 400,000 at minimum different cards on the dark web that are from Canadian sources,” he said.Asked if Canadian organizations underestimate the amount of data theft, he replied, “Absolutely… we get lots of crime over here” — and it’s not just credit cards.
Thieves are after T4 income tax information, social security numbers, personal data from human resource department databases.In fact this month his firm investigated the theft of close 18,000 records – including T4s and credit cards — from a Canadian organization he wouldn’t name.The organization had been the victim of a year-long sophisticated phishing scam against executives, including spoofing the email of a person on vacation, to install malware and penetrate defences.The last time the organization had an outside firm do a security audit was two and a half years ago, he said, which is close to being negligent.”You’ve got to do a better job of protecting your infrastructure,” he says to private and public organizations. “You have to be diligent.”In their presentation, Bhargava and Telus consultant Peter Desfigies described the amount of personal Canadian data on sale on the dark Web – some of which couldn’t be verified as legitimate. But, the said there are Canadian Interac accounts available for $5 to $10 each that include username, password, PIN code, secret questions and answers; “I have seen almost every major bank in Canada on this list,” Bhargava said.One site claims to have a Canadian government database with people’s names, SIN, address, birthday and valid email address, although he said the authenticity couldn’t be verified.But criminals are able to put pieces of data together. Twice this year Bhargava has been phoned by a person who claims to be from the Canadian government threatening him with deportation for an alleged immigration document violation unless he wires money to an account. The caller has his correct name, date of birth, email address and other personal information, he said.