Since April, DataBreaches.net has been reporting on the hack of a small Canadian gold-mining firm, Detour Gold. As noted in April, hackers who call themselves Angels_of_Truth claim to have hacked Detour Gold in revenge for Canada’s economic sanctions on Russia. Their statements have been written in both English and Russian.
Following the first paste and dump, the hackers contacted DataBreaches.net in May, and again this past week, to point this site to additional data dumps that indicate that the hackers had (and appear to still have) access to Detour Gold’s system.
Consistent with this site’s policy of not directly linking to data dumps that include personal information, DataBreaches.net did not publish the URLs for the data dumps and pastes. That information has begun to circulate anyway, however, which means that Detour Gold employees are now at even greater risk of identity theft and the company’s corporate information and accounts are more widely available to those who might misuse the information. As but one example, one of the files the hackers sent to this site included all credit card details on a corporate credit card used by the firm’s CEO. The authorization form included images of the front and back of the credit card, his signature, and a photocopy of his driver’s license with his date of birth and all other details. The credit card number is not an expired number unless Detour Gold has since cancelled it.
Lee J. of CyberWarNews.info has analyzed the 18 GB dump of Detour Gold corporate and employee information and has uploaded his analysis here.
Note the wealth of employee information, most of which was not encrypted. Lee reports that information was available on a total of 1,312 on-site and off-site employees, with credentials sorted into folders with insurance, health and driver’s license details. Of these 1,312 employees, 1,161 were current employees, 127 were terminated employees, 70 were individuals who had been offered employment but had not accepted the offer, and 22 were on pending position offers. Information on the employees includes:
- Background checks
- Declaration of criminal record documents
- Criminal information centre documents
- Social Insurance numbers, Health card Numbers, Driver’s License Numbers, Full names, Dates of birth, signatures, emails, phones, home addresses, background history from very detailed resumes, banking information and related payroll information.
- Employment conditions, offers, terms and information such as salaries and duties.
- Interview notes, this includes full copies of the application
- Reference check forms used as a checklist of what to ask and the answers given.
- Fitness to work assessments
- Students’ details from “summer employment offers” which include full names, dates of birth, home addresses, study information as well as above already mentioned information
There were 1,049 unique Social Insurance Numbers for the entire data dump.
In other words, more than enough information to accomplish identity theft.
In addition to the risk of identity theft, detailed documents concerning the termination of employment reveal transgressions by named employees that they might not wish to see in the public domain.
And of course, this is all apart from the company’s proprietary information that has also now been dumped for the public.
When asked about the lack of encryption, Lee informed DataBreaches.net:
My analysis found that at least 98% of the material was unencrypted. Some payroll information is protected, but I suspect that it would be relatively easy to crack the protection.
Detour Gold has stored a lot of clear text credentials in very obvious files, which makes it very understandable how a breach of this magnitude has happened.
But who are the Angels_Of_Truth? Are they really Russian hackers? It’s hard to believe that Russian hackers would target such a small firm instead of a government agency or larger corporation if they want to make a political point. Attempts to reach the hackers using an email address that had worked in the past failed to reach them yesterday. Hopefully, if they see this post, they will get in touch with this site.