It appears that SIRVA BGRS Worldwide has been the victim of a major data breach, resulting from a ransom attack. That data has now been published on the Internet.
This first came to light in an internal message from the Government of Canada, now shared with The Mover, saying that it had become aware of an incident on 29 September. The message said that BGRS had confirmed that unauthorised access was obtained to Government of Canada (GC) personnel information. This was also the subject of an article published on 20 October, by CBC News, written by Murray Brewster, its senior reporter, defence and security.
On 24 October FIDI issued a news flash advising members that SIRVA/BGRS may have been the victim of a potentially major data breach. It said that should this information be confirmed, a large amount of sensitive personal and business data could have been made public, possibly affecting FIDI Affiliates who operate directly with, or on behalf of SIRVA/BGRS. On 25 October IAM issued a similar warning saying that it is trying to contact the company to determine the extent of the data breach and whether it impacts their other service sectors.
But the situation has now moved on. The editor of The Mover has seen the now published files on the hacker’s website. They contain a vast amount of information, including copies of passports and live credit card details. It also appears that the data extends far beyond the Government of Canada. The Mover has also seen the chat between SIRVA and the hacker, LockBit, where LockBit was demanding a ransom of $15m to not publish the files.
Presumably the ransom was not paid which is why the files have been released. LockBit claims there to be 1.5TB of documents and full CRM backups. The Mover has not seen the CRM files. It also appears that, as yet, SIRVA has not informed its partners of the breach, provided any information as to its extent, or offered any advice as to what to do next. The Mover has e-mailed SIRVA asking for comment but, at the time of writing, none has been received.
No doubt further information will emerge over time. However, meanwhile, this is a very cheap lesson to all companies that handle and hold data on behalf of clients. Data security is a serious business. It has been the topic of many articles in this publication and others. Maybe this incident will serve to focus attention on a topic that, if you get it wrong, can be disastrous.
The Mover will provide further information if and when SIRVA replies.