Hacked Aurora Cannabis data for sale after Christmas Day attack

In This Article:

Aurora Cannabis said it suffered a "cybersecurity incident" on Christmas Day. (GETTY)
Aurora Cannabis said it suffered a "cybersecurity incident" on Christmas Day. (GETTY)

Aurora Cannabis (ACB.TO)(ACB) said it’s consulting with security experts and authorities as a hacker solicits online bids for data allegedly belonging to the Canadian pot company. The data appears to include copies of passports, driver’s licences, credit card information and other business documents.

A Jan. 7 post on an online marketplace for hacked databases advertises “All Data From Aurora Cannabis” for sale, and offers 11 sample images as “proof of concept.” Among the images is a passport that appears to belong to Darryl Vleeming, Aurora’s chief information officer, and an Alberta driver’s licence appearing to belong to Amy Lamoureux, a supply chain manager at the company.

Edmonton-based Aurora said it suffered a “cybersecurity incident” on Christmas Day. The company said at the time that no patient data was compromised, and that Aurora’s network of operations was unaffected. Aurora sells medical cannabis directly to nearly 100,000 Canadian patients. The company has approximately 1,800 employees, spanning operations in Canada and Europe.

On Monday, spokesperson Michelle Lefler declined to answer questions from Yahoo Finance Canada about what data had been breached, or if the company had been contacted by parties claiming to be in possession of its data.

“On Dec. 25, 2020 Aurora was subject to a cybersecurity incident. The company immediately took steps to mitigate the incident, is actively consulting with security experts and cooperating with authorities. Aurora’s patient systems were not compromised, and the company’s network of operations is unaffected,” she wrote in an emailed statement. “Our priority is to ensure our business remains operational and able to service our patients and customers.”

The post allegedly listing the online sale, which was first flagged by an information security blog, does not list a specific price for the trove of information. However, the website Bleeping Computer, claims the hacker behind the attack has an asking price of one Bitcoin (BTC-CAD). The volatile cryptocurrency was worth $41,812.43 per Canadian dollar at 1:23 p.m. ET on Monday.

In an interview with Bleeping Computer, the hacker reportedly claimed to have 50GB of stolen data, and claimed to still have access to Aurora’s network.

Marijuana Business Daily reported on Jan. 4 that victims of the Christmas Day data breach span an unknown number of current and former Aurora employees. The cannabis industry news source said an email sent to Aurora employees by the company cites a “cybersecurity incident during which unauthorized parties accessed data in (Microsoft cloud software) SharePoint and OneDrive.”