SLGA business partners should have figured out on their own that their data may have been stolen: minister
CBC
The minister responsible for the Saskatchewan Liquor and Gaming Authority (SLGA) says the Crown corporation didn't directly notify its business partners that their data may have been stolen in a hack because those companies should have figured it out on their own.
According to a Dec 28 news release, SLGA's computer systems were the target of a "cyber security incident" on Christmas Day. It said that at that time, "SLGA does not have any evidence that the security of any customer, employee or other personal data has been misused." The organization repeated that line in communications with business partners.
Three weeks after the hack, the organization alerted employees that their data may have been stolen and offered them credit monitoring services.
At that time, it gave no such notification to SLGA's suppliers, vendors or licensees.
Minister Jim Reiter said the public notification about the hack should have been sufficient for those businesses to know they may have been affected.
"I think it would be good business practices at all times to keep an eye on what's going on. I would be surprised if anyone in the liquor industry in Saskatchewan, with all the information that went out, wouldn't have been aware that there was a hack at SLGA," said Reiter on Monday.
On Monday, CBC reported that the SLGA hackers had provided CBC with a package of what appeared to be internal SLGA documents. The hackers said this was a small sample of what they took.
Included in the package were a small number of credit card authorization forms for SLGA suppliers, which included their credit card numbers, expiry dates and security codes.
Suppliers contacted by CBC said they were shocked to learn that some of their confidential data had been taken in the hack. They said SLGA didn't notify them.
However, SLGA has pointed out that in recent days, it has indirectly notified at least some of its business partners on its website.
Three months after the hack, on March 22, SLGA posted a public notice on its website, warning gaming registrants and liquor and cannabis permit applicants that some of their personal confidential data may have been breached. SLGA warned that some health, financial, criminal and personal information may have fallen into the wrong hands.
In an email, SLGA told CBC it is required by law to notify people whose data may have been unlawfully accessed and may be misused. The organization said rather than notify the potential victims directly, it decided to use the "indirect notification" approach, posting an update on its website.
SLGA says in a written statement on it's website that Saskatchewan's privacy commissioner has given the thumbs up to this indirect approach in cases "where the privacy breach is potentially very large or you may not be able to identify the affected individuals."
The privacy commissioner told CBC his office is investigating the matter and will release the results of that investigation publicly.