Aurora Cannabis (ACB.TO)(ACB) said it’s consulting with security experts and authorities as a hacker solicits online bids for data allegedly belonging to the Canadian pot company. The data appears to include copies of passports, driver’s licences, credit card information and other business documents.
A Jan. 7 post on an online marketplace for hacked databases advertises “All Data From Aurora Cannabis” for sale, and offers 11 sample images as “proof of concept.” Among the images is a passport that appears to belong to Darryl Vleeming, Aurora’s chief information officer, and an Alberta driver’s licence appearing to belong to Amy Lamoureux, a supply chain manager at the company.
Edmonton-based Aurora said it suffered a “cybersecurity incident” on Christmas Day. The company said at the time that no patient data was compromised, and that Aurora’s network of operations was unaffected. Aurora sells medical cannabis directly to nearly 100,000 Canadian patients. The company has approximately 1,800 employees, spanning operations in Canada and Europe.
On Monday, spokesperson Michelle Lefler declined to answer questions from Yahoo Finance Canada about what data had been breached, or if the company had been contacted by parties claiming to be in possession of its data.
“On Dec. 25, 2020 Aurora was subject to a cybersecurity incident. The company immediately took steps to mitigate the incident, is actively consulting with security experts and cooperating with authorities. Aurora’s patient systems were not compromised, and the company’s network of operations is unaffected,” she wrote in an emailed statement. “Our priority is to ensure our business remains operational and able to service our patients and customers.”
The post allegedly listing the online sale, which was first flagged by an information security blog, does not list a specific price for the trove of information. However, the website Bleeping Computer, claims the hacker behind the attack has an asking price of one Bitcoin (BTC-CAD). The volatile cryptocurrency was worth $41,812.43 per Canadian dollar at 1:23 p.m. ET on Monday.
In an interview with Bleeping Computer, the hacker reportedly claimed to have 50GB of stolen data, and claimed to still have access to Aurora’s network.
Marijuana Business Daily reported on Jan. 4 that victims of the Christmas Day data breach span an unknown number of current and former Aurora employees. The cannabis industry news source said an email sent to Aurora employees by the company cites a “cybersecurity incident during which unauthorized parties accessed data in (Microsoft cloud software) SharePoint and OneDrive.”
The Office of the Information and Privacy Commissioner of Alberta confirmed on Monday that Aurora has reported the incident, as is required under the province’s Personal Information Protection Act.
The Office of the Privacy Commissioner of Canada said it was notified of the breach on Dec. 31.
“We have been communicating with the organization to gather more information, and determine our next steps,” senior communications advisor Vito Pilieci wrote in an email.
Aurora is not the first Canadian cannabis producer to be targeted by hackers. Last November, Quebec-based Neptune Wellness Solutions (NEPT.TO) disclosed it spent nearly $2 million due to a “cybersecurity incident” that occurred in July. The cost included “an amount paid to the threat actor in exchange for destruction of the data,” as well as legal and investigative fees, and other costs.
According to IBM’s “Cost of Data Breach Report 2020,” the average cost of data breaches in Canada has climbed 6.7 per cent since 2019, hitting $6.35 million last year.
Jeff Lagerquist is a senior reporter at Yahoo Finance Canada. Follow him on Twitter @jefflagerquist.