Technology & Science

Andrew Agencies knew about cyberattack for 2 months before public disclosure

An insurance and financial brokerage that fell victim to a ransomware attack has acknowledged for the first time it was aware of the incident for two months before publicly disclosing what happened.

Manitoba-based insurance and financial brokerage denies hacker group's claims; says personal data is safe

Andrew Agencies said in a news release Thursday that it 'became aware of a targeted attack on the company’s IT infrastructure' on Oct. 21. (PabloLagarto/Shutterstock)

An insurance and financial brokerage that fell victim to a ransomware attack has acknowledged for the first time it was aware of the incident for two months before publicly disclosing what happened.

But Andrew Agencies, which has 18 branches across the Prairies, on Thursday rejected some of the hackers' claims and said it found "no evidence" that customer or employee information had been accessed.

In a news release dated Dec. 19, the company said it "became aware of a targeted attack on the company's IT infrastructure" on Oct. 21.

Maze, the cybercriminal group that took responsibility for the breach, had said that was the date it locked down Andrew Agencies' computers. The hackers made the claim on their public website this week.

Ransomware attacks generally involve taking control of an individual or organization's data and demanding ransom to release it.

It was only after CBC News reported on the incident on Wednesday that the Virden, Man.-based company posted an online statement acknowledging the attack.

Andrew Agencies' Virden, Man., location is seen in this Aug. 2018 image. (Google Maps)

"Immediately after learning of the incident, we engaged third-party privacy and cybersecurity experts to assist with the investigation and response," Andrew Agencies said in the public notice.

"Our immediate priority was to ensure the integrity and security of our network, to restore access to encrypted files, and to launch a comprehensive investigation."

Even this week, the company attempted to keep the episode quiet. Its executive vice-president and general counsel, Dave Schioler, asked CBC News in an email on Monday to "consider refraining from publishing any information regarding this incident until we have had a chance to complete our investigation and properly assess the gravity and extent of it."

Maze claimed to have stolen 1.5 gigabytes of data from Andrew Agencies, but the company said in its Thursday statement "our investigation has concluded that this is false."

"We have no evidence that would suggest any personal information was impacted," the message read.

Maze posted on its website earlier in the week a text file containing a list of dozens of first and last names. It's unclear who the names belonged to, or whether the list was meant to identify Andrew Agencies' customers or staff.

Andrew Agencies has 17 branches across Manitoba and Saskatchewan and one location in Airdrie, Alta. (CBC)

The cybercriminal group has been known to exaggerate claims before.

The existence of Maze's website was first reported by ransomware experts this week. On Friday afternoon, the site appeared to be unavailable.

The group had demanded a $1.1 million ransom from Andrew Agencies, according to a report on the cybersecurity news site BleepingComputer.

The site said it had been in touch with Maze, which claimed to have stolen data "about insurance customers." The group did not respond to earlier messages from CBC News.

Andrew Agencies said the hackers had in fact only accessed "high-level technical information related to our computer system." Maze had posted 245 IP addresses which it claimed were associated with the machines it had locked.

Andrew Agencies also previously said it did not pay a ransom.

The company said Thursday "the incident had minimal impact on business continuity" and that the company had "prioritized" communicating with customers directly.

It also said it was working to strengthen its IT infrastructure.

About the Author

Thomas Daigle

Senior Technology Reporter

While in CBC's London, U.K. bureau, Thomas reported on everything from the Royal Family and European politics to terrorism. He filed stories from Quebec for several years and reported for Radio-Canada in his native New Brunswick. Thomas is now based in Toronto and focuses on technology-related news. He can be reached by email at thomas.daigle@cbc.ca.