A threat actor who breached the network of Canada-based Aurora Cannabis over Christmas is looking to cash in after posting a database of stolen information online. The attacker claims to have stolen 50GB of personal identifiable information (PHI) of Aurora Cannabis customers and employees, including photos of passports, checks, driver licenses and business documents.
In an email sent to Canadian press outlets, Aurora Cannabis said it took immediate action to mitigate the attack, and consulted with third-party security experts to assess the damages.
“The company took immediate steps to alleviate the incident, consulted security experts actively and cooperated with the authorities,” spokeswoman Michelle Lefler said.
The cannabis cultivator did not say what kind of information was accessed how many employees were affected. However, Lefler emphasized that the systems housing patient information and business operations were not impacted in the breach.
“Not affected are the patient systems of Aurora and the network of operations of the company,” Lefler added. “I can confirm that we have been following all security protocols, working with privacy and law enforcement councils and have contacted any affected current or former employees directly.”
Contrary to Aurora’s remarks, the cybercriminals claims he contacted the company demanding a ransom for not releasing the information. In an interview with BleepingComputer, the hacker stated that he still has access to the network, reporting, “I sent mail but i think all employs ignored me.”
According to comments by a former Aurora employee, the victim received a data breach notification email from the company, explaining that “unauthorized parties accessed data in (Microsoft cloud software) SharePoint and OneDrive” on December 25.
The ex-employee also said he managed to get in touch with around eight Aurora workers to check if they received the same notification. However, they all reported different types of compromised information, such as credit card or government identification or home addresses and banking details.
1 in 4 people is likely to fall victim to a data breach. Have you ever been exposed? Find out now with Bitdefender’s Digital Identity Protection.