MONTREAL -- Quebec’s justice department got an unplanned test of its cybersecurity this month, not just because it was hacked, but because of who got hacked.
In mid-August, some of the department’s employee email accounts were hijacked to send malicious emails to citizens.
One of those citizens just happened to be a cybersecurity expert. She was in a position not only to alert the department to what was happening, but to evaluate its response—and she says that response was so lacking it was “pretty egregious.”
Yuan Stevens works with a Ryerson University lab and at an independent think tank on cybersecurity issues, among other projects. Separately, she also became a commissioner of oaths earlier this year—someone appointed by the Justice Department who can certify certain documents.
Stevens emailed the department this summer to change her contact information. A few weeks later, she received what seemed to be two replies to that email.
They appeared to come from official email accounts and to continue that earlier correspondence, but in fact the addresses were “spoofed,” she said. She quickly became wary after seeing the attachments, a PDF and a Word file.
“I quickly opened one of the Word files,” she said, and got a pop-up warning with a word she knew well—it said the document contained “macros.”
Macros are a type of program that “are often used by malicious hackers to deploy viruses or ransomware,” she said.
She sent an email to the department alerting them.
“Your emails or your database have been hacked and I got this phishing email,” she wrote, explaining the details further, in an email shared with CTV.
“Can you tell me how you’re managing this situation when it comes to the confidentiality of my information? It’s shocking that you haven’t contacted me about this violation of my data.”
But when the department responded, it essentially blamed the problem on her.
“For security reasons, given that you’ve confirmed that you’ve had problems with phishing, we must do an authentication by phone [to change your contact info],” the email said, directing her to call customer service.
“I think it’s pretty egregious that Justice Québec is telling me that I simply experienced ‘phishing problems,’” Stevens told CTV.
“I would like for them to pre-emptively take responsibility for data breaches like this…and have notified me and the public rather than require me to notify them.”
The department confirmed to CTV that it was hacked on Aug. 11 and 12 and the attacker tried to take control of 14 employee emails.
“The ministry immediately took the necessary actions,” it said, interrupting some IT services before restarting the system on Aug. 14.
“It is important to clarify that no [Justice] email address or Department of Justice system was used to send malicious emails,” it wrote, meaning that the hackers obtained enough information to know who to send the phishing emails to, but didn’t take full control of the accounts.
On Monday, the department posted another release warning people to be on guard. “The Quebec Ministry of Justice wishes to warn the population against fraudulent emails” that seemed to come from departmental emails, it wrote.
“The Department asks citizens who receive such an electronic message not to open any attachments, not to transmit any personal information and to delete the email.”
It also asked people to verify the sender’s email address independently. Call the sender if needed to verbally verify that they sent the email, and if you didn’t expect an attachment, don’t open it, they said.
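The two warning signs described in this story, a reply whose sending address does not line up with the department it claims to come from and a Word attachment that carries a macro project, can both be checked mechanically before anyone opens a file. The script below is an added illustration written for this article, not code from CTV, the Ministry of Justice or Stevens. It builds a constructed sample email (the addresses and file names are placeholders, and the "macro" inside the sample document is a placeholder byte string, not real VBA) and then triages it: it compares the From domain with the domain a citizen expects, flags a Reply-To that points somewhere else, flags any attachment the recipient was not expecting, and detects a macro project by looking for the vbaProject.bin part that macro-enabled Office Open XML files carry inside their zip container.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Office file extensions whose naming already signals "macro-enabled".
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def build_docx(with_macro: bool) -> bytes:
    """Constructed stand-in for an Office Open XML file (a zip container).
    Real macro-enabled documents store VBA code in word/vbaProject.bin;
    the bytes written here are a placeholder, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are a zip container holding a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def build_message(from_addr, reply_to, attachment_name, attachment_bytes) -> bytes:
    """Constructed sample email; every address here is a placeholder."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "citizen@example.net"
    msg["Subject"] = "RE: Updated contact information"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please see the attached document.")
    msg.add_attachment(
        attachment_bytes,
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename=attachment_name,
    )
    return msg.as_bytes()


def domain_of(addr_spec: str) -> str:
    return addr_spec.rsplit("@", 1)[-1].lower()


def triage(raw: bytes, expected_domain: str, attachment_expected: bool = False) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)

    from_hdr = msg["From"]
    from_spec = from_hdr.addresses[0].addr_spec if from_hdr and from_hdr.addresses else ""
    if domain_of(from_spec) != expected_domain.lower():
        findings.append(f"From domain {domain_of(from_spec)!r} is not {expected_domain!r}")

    # A Reply-To pointing at a different domain sends any answer elsewhere.
    reply_hdr = msg["Reply-To"]
    if reply_hdr and reply_hdr.addresses:
        reply_spec = reply_hdr.addresses[0].addr_spec
        if domain_of(reply_spec) != domain_of(from_spec):
            findings.append(f"Reply-To {reply_spec!r} does not match From {from_spec!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if not attachment_expected:
            findings.append(f"unexpected attachment {name!r}")
        if name.lower().endswith(MACRO_EXTENSIONS) or has_vba_project(payload):
            findings.append(f"attachment {name!r} contains a VBA macro project")
    return findings


if __name__ == "__main__":
    # Constructed sample: From looks official, Reply-To does not, macro attached.
    sample = build_message("agent@justice.example", "agent@mail-justice.example",
                           "reponse.docm", build_docx(True))
    for finding in triage(sample, "justice.example"):
        print("-", finding)
```

The domain comparison is only as good as the expected domain the reader supplies, which is why the department's advice to confirm by phone still matters: a header that passes this check can still be forged, while a macro project inside an unexpected attachment is a reason to stop regardless of who the sender appears to be.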
Quebec's Ministry of Justice was also targeted last fall by a series of scam phone calls claiming to originate with the department.
The department didn’t address Stevens’ critique about its failure to proactively notify people who might have been targeted.
It did say that “a single citizen” got in touch about the suspicious emails—though it didn’t mention that this one citizen was a data security expert.