On Monday, the Saskatchewan Liquor and Gaming Authority (SLGA) sent an email to some of its business partners, alerting them that their credit card data may have been stolen in a hack of the organization’s computer systems on Christmas Day.
Mark Heise, who runs the Rebellion Brewing Company in Regina, is one of those who received this email. He said the three-and-a-half-month delay in notification indicates the organization’s “lack of urgency” and “lack of concern” about the breach.
He said it’s not just the hacking of credit card data that alarms him.
“It’s any information. There’s trade secrets… There’s sales data,” he said. “All of this is valuable to your competitors or whoever.
“We weren’t made aware of this by our own government. It’s quite concerning to me.”
Last week, CBC reported that the hackers had provided a series of what appeared to be confidential SLGA documents. Among these records was credit card information belonging to certain SLGA suppliers.
In an email from SLGA provided to CBC, the state corporation wrote that following the CBC report, “SLGA immediately launched a further investigation. It determined that the credit card information belonging to certain retail store dealers and craft suppliers was stored on the SLGA network.”
“As a result, your credit card information may have been accessed or taken.”
Heise, who is also president of the Saskatchewan Craft Brewers Association, said that while he has received excellent service from many SLGA employees, the delay in notification is unacceptable.
“I don’t think that would meet the criteria of an acceptable schedule by anyone’s definition,” he said.
Some have been warned, some have not.
About three weeks after the hack, SLGA warned its employees that their personal data may have been stolen. The organization offered them credit monitoring services.
But at that time, it did not notify any of its business partners, suppliers, vendors or licensees.
Then, on March 22, three months after the hack, the SLGA published an “indirect notification” on its website stating that a wide range of data belonging to gambling, alcohol and marijuana license holders could have been stolen by the hackers. SLGA said this could include medical, criminal, financial and personal data.
But in Monday’s email to business partners, SLGA said it was only during an investigation, prompted by the CBC report, that the organization discovered that credit card data was at risk.
“At the time of the March 22 indirect notification, SLGA did not know the extent of what the hackers could have accessed and further believed that credit card information was not stored on its systems,” said the email from Greg Gettle, vice-president of SLGA’s liquor, wholesale and distribution division. “I would like to apologize for any concern this incident has caused.”
Computer security ‘bottom of the list’
Heise has worked in the information technology (IT) field with the Government of Saskatchewan for approximately a decade. Part of his job was to develop IT security policies and procedures. He said the claim that the SLGA was unaware that it was storing credit card data in its computer systems is baffling.
“I find it hard to believe,” Heise said.
He said that if that’s true, it doesn’t speak well of SLGA’s information management systems.
“If that’s really the case…it reveals that there are major challenges with their understanding of their systems and their duty to store and protect data,” Heise said.
Heise said that during his time in government, he remembered the frustration of working with outdated systems that had been underfunded for decades.
“Computing always comes bottom of the list when it comes to funding,” he said. “That means things like this are going to happen. They’re going to be very expensive. They’re very dangerous. And they’re going to happen more and more.”
When asked how he and his colleagues rated the Saskatchewan government’s handling of this breach, his response was blunt.
“It may sound awful, but people expect it,” he said. “We should probably be outraged, but we’re almost, ‘That’s kinda par for the course.'”
CBC asked SLGA for comment, but it did not respond.