Hackers target Craftsman Collision with ransomware attack
VANCOUVER -- Hackers managed to infiltrate a major B.C. auto repair company last month, and experts warn the cyberattack is part of a much bigger problem.
The data breach, which was first uncovered by Bob Mackin and TheBreaker.news, targeted North Vancouver-based Craftsman Collision on Nov. 29.
President Rick Hatswell said the hackers used ransomware to seize the Craftsman Collision domain name, and were briefly able to send phishing emails to customers that looked like they came from the company.
But Hatswell said Craftsman updated its servers with new security measures earlier this year, and that staff detected the breach and responded swiftly.
"We were able to grab onto the attack right away, within a very short time we had the servers shut down completely," he said. "Unfortunately, that means our company has been shut down for the last couple of weeks."
The president said there's no evidence any customer data was compromised, and the company doesn't keep any personal information apart from names, phone numbers and addresses. All financial information is handled through ICBC.
"There is no information of that type or passwords or anything like that," he said.
Craftsman hired a third party to conduct a full forensic investigation into what happened, and Hatswell said the company is planning to alert customers about the breach once the findings are ready, likely in another two or three weeks.
But cybersecurity expert Roger Gale argues companies need to do more. Gale, an instructor from BCIT's Industrial Network Cybersecurity program, said businesses should be compelled to disclose hacking incidents by law.
"Data breaches of all types should be reported," Gale told CTV News. "Of course many organizations, companies will not want to report a data breach. It hits their public perception, it hits their bottom line."
Last year, the federal government introduced mandatory reporting rules for data breaches through the Personal Information Protection and Electronic Documents Act. Under PIPEDA, private sector companies that fail to report serious data breaches can face fines of $100,000.
But the rules don't apply to companies that only operate in B.C., Alberta and Quebec. And while the NDP promised to implement a provincial policy on data breach notifications during the 2017 election, it still hasn't delivered.
CTV News reached out to Attorney General David Eby's office for comment on Friday afternoon. A spokesperson said the office would be providing a written statement.
B.C.'s Information and Privacy Commissioner Michael McEvoy told TheBreaker.news his office encourages private companies to voluntarily report security breaches through its website, though it's not mandatory.
Without a reporting law in place, Craftsman Collision told CTV News the company has been doing its best to respond to the breach. Hatswell said he called the RCMP personally to report the hack, but was told it wasn't a police matter because no apparent fraud had occurred.
"They gave me the number for some fraud department or something in Ontario," Hatswell said. "They had a long voice mail, something about fraud and what's reportable and what's not. It didn't seem like they needed to know or wanted to know."
The company also informed ICBC, which told CTV News its customer data was not compromised.
With the Craftsman servers shut down as a precaution, Hatswell estimated the company has lost hundreds of thousands of dollars in potential revenue as it waits for the results of its third-party investigation.