EXCLUSIVE: Russian hackers claim they still own Detour Gold, dump more data

Update and Correction: The hacker(s) is/are likely not Russian, but Canadian.


If you’ve been employed by Detour Gold at any time since 2007, your personal information may already have been acquired and dumped by Russian hackers – including your name, date of birth, salary information, employment details, and Social Insurance Number. And if your employment history included any medical, disability, or disciplinary records, they may be exposed on the Internet now, too.

On April 21, and again on May 3, this site reported that Detour Gold Corporation (TSX: DGC) appeared to have been massively hacked with corporate and employee information dumped. In response to the hackers’ claims that they still had access to Detour Gold’s databases, Detour Gold’s IT Manager, Reza Alirezaei, had informed DataBreaches.net, “We are monitoring our network perimeters with the monitoring tools we have and we don’t see any suspicious activities.”

Perhaps they can see it now.

The hackers, who call themselves the Angels_Of_Truth, have dumped even more data. Inspection of what they sent DataBreaches.net indicates that the data dump includes employee information that was generated after the April 21st date of their first dump – and includes files dated as recently as May 20, 2015, supporting their claim that they have had ongoing access to Detour Gold’s system.

The hackers write:

Detour Gold seems to remain oblivious to the fact their computer network and all the personal customer / employee data as well as sensitive corporate data has been compromised. The network remains up online and all the data still unencrypted and available for all to see.

We have taken over 100 Gigs of data from the Detour Gold computer network covering from 2007 – present day, yet again we have decided to leak more data, 18 Gigs of raw copies of some of the compromised documents are available via torrent download located here:

[url redacted by DataBreaches.net as per this site’s policy concerning claimed data dumps that include personal information]

The Angels_Of_Truth continue to maintain access to the Detour Gold network, even after we have already leaked data on two separate occasions, this is our 3rd and largest data leak yet, with more to follow.

As long as economic sanctions persist on Russia so will cyber attacks on the Canadian economic sector. (we included some SIN numbers at the bottom of the paste)

So far, there doesn’t seem to be any impact on economic sanctions, but this appears to be one of the worst, if not the worst, hacks of a Canadian corporation.

According to the hackers, data available in the torrent includes:

  • employee/customer personal information, phone numbers, emails, mailing addresses
  • employee/customer termination reports
  • employee salary information bonus information and severance packages
  • employee/customer SINS, scans of driver licenses birth certificates health cards
  • contractors confidential deals
  • Donations, political party donations
  • credit card numbers, statements and transactions
  • medical records, drug tests etc
  • employee stock options
  • IT rapid7 vulnerability reports
  • legal documents
  • invoices of expenses
  • employee performance reviews
  • employee T4’s and other tax documents
    and much more

Inspection of what they submitted to DataBreaches.net appears to confirm their description. The Rapid7 audit report was generated April 26, 2015, and a copy of a political donation check reveals Detour Gold’s bank routing number and account number. A paste describing the data dump contains 37 Social Insurance Numbers of employees/customers.

None of the data are encrypted.

As noted above, Detour Gold stated on May 3 that they did not see any evidence the hackers still had access, but yesterday’s data dump includes more recent material such as the following employee termination letter, which is being redacted by DataBreaches.net to delete the employee’s details:

Registered and Electronic Mail

May 20, 2015
Confidential

[First Name and Last Name Redacted] [Postal Address Redacted] Thunder Bay, ON
P7C 5Z2
[redacted]@hotmail.com

Dear [Redacted]:

This letter serves to confirm your discussion with Larry Lazeski – Mine Operations Superintendent on May 20, 2015, advising you that your employment with Detour Gold is terminated effective immediately.

In this regard, we are providing the following arrangement:

[…]

[Redacted], we wish you well in your future endeavours.

Sincerely,

Craig Rintoul
Open Pit Manager

A letter to the same employee dated May 19, 2015 from Rintoul began:

Dear [redacted]

We attempted to contact you multiple times on May 15, 16, 17, 18 and 19 to discuss your employment status, however unfortunately we were unable to reach you. This letter will confirm our decision to terminate your employment effective May 19, 2015. The decision to do so comes after a thorough consideration of your employment history and recent serious safety incident.

In this regard, we are providing the following arrangement:

Detour Gold had notified the Privacy Commissioner of Canada and affected employees after the earlier reports. They had also involved the Canadian Incident Response Center, and were reportedly working with several security advisors to resolve the issue.

DataBreaches.net emailed Detour Gold yesterday to ask for a statement about the latest data dump and what appears to be ongoing access to their network. They were not aware of the paste or the data dump until this site notified them, and said they would have Human Resources confirm or deny the authenticity of the employee termination letter.

As of the time of this publication, they reneged on their statement that they would confirm or deny the authenticity of the exposed termination letter and sent only the following statement: “We are reviewing the matter and taking appropriate actions.”

DataBreaches.net has reached out to the employee whose termination letter was exposed to ask for his reaction and will update this post as more information becomes available, but it seems clear Detour Gold has an ongoing and very serious problem.

About the author: Dissent