REGINA — The province is reporting further details regarding a cyber attack on SLGA in December of 2021.
In a news release, it was reported that as part of the initial investigation, SLGA's cybersecurity experts determined the criminals who attacked SLGA's IT systems accessed some data associated with SLGA employees, including information typically collected by employers such as names, banking information and social insurance numbers.
After consulting with the Office of the Privacy Commissioner, SLGA advised current and former employees that their personal information may have been accessed by the criminals behind the cyber incident and suggested steps employees could take to help ensure the security of their personal information. SLGA also offered credit monitoring for a two-year period.
As the investigation went on, cyber experts working with SLGA discovered some personal information relating to SLGA's regulatory clients may also have been accessed. These regulatory clients include individuals who provided SLGA with personal information to obtain commercial liquor permits, cannabis permits or registrations, gaming registrations or horse racing licenses. In consultation with the Office of the Privacy Commissioner, SLGA indirectly notified these clients.
SLGA is now directly notifying regulatory clients who provided SLGA with sensitive personal information within the past five years. This information may include place and date of birth, driver's licence, height, weight, eye colour, employment history, criminal record history and financial disclosures gathered as part of the licensing/permit process for commercial liquor permits, cannabis permits and gaming/horse racing registrants. This step is being taken after cyber experts found evidence that some of this information was disclosed on the dark web. Letters have been sent to this client group with further information and an offer of credit monitoring for two years.
Alongside this, SLGA is also undertaking an indirect notification process aimed at: regulatory clients who provided SLGA with sensitive personal information more than five years ago and regulatory clients such as special occasion permittees and charitable gaming licensees, who provided SLGA with less sensitive personal information. They want to make them aware that cyber experts found evidence of the unauthorized disclosure of some of this information on the dark web.
SLGA has also engaged third party experts to conduct an audit of SLGA's cyber security systems, policies, and procedures as well policies related to document protection and retention. These are expected to be completed in the coming months.
The investigation is ongoing, and SLGA will continue to work with cyber experts and advisors and be in regular contact with law enforcement and the Office of the Privacy Commissioner.