Sensitive data such as social insurance numbers and financial information belonging to people associated with Vancouver Film School could be leaked just ahead of Christmas unless a ransom is paid, according to cybercriminals threatening the post-secondary institution.
A ransomware operation known as Play claims to have scraped 710 gigabytes of data from VFS as part of a Nov. 28 cyberattack.
Play says it’s ready to publish everything from passports to "forms with full info" on Dec. 18.
“There is absolutely nothing at all unusual about this. The educational sector has been heavily targeted by ransomware since 2019,” said Brett Callow, a threat analyst with cybersecurity firm Emsisoft Ltd.
He provided BIV with details of the threats pulled from Play’s website on the dark web.
“These groups have had access to their targets’ networks for some time. They will likely know what the financials look like, they will know what level of cyber insurance coverage the organization has,” Callow said.
“They will know whether that particular policy covers ransom demands and so they are often able to make personalized, custom demands. It's not a standard amount at all. It's usually based on the organization's ability to pay.”
But he emphasized that Play’s threats aren’t necessarily accurate.
“It can take weeks for [organizations] to work out if data was taken,” Callow said. “The gangs sometimes try to use that period of uncertainty to their advantage by claiming to have obtained more data than they actually did or more sensitive data than they actually did.”
VFS confirmed it’s aware of the threats Play posted on its website.
“VFS will continue to monitor this activity as part of its response to this incident,” Evan Biswanger, the school’s head of marketing, said in an email.
“We are reviewing this information to identify individuals whose information may be involved. We will be reaching out to those individuals as needed with additional information.”
BIV earlier reported some VFS classes were cancelled following the cyberattack and those arriving at various campuses found all computers had been shut down. Staff and students were also being urged not to connect their own personal devices to the VFS network.
VFS offers courses to about 1,000 students across eight campuses.
“Our focus has remained on securely maintaining the VFS learning experience for all our students. VFS has provided updates about this incident and continued to run many of its programs during the disruption caused by the incident,” Biswanger said.
“We have now restored many of our key systems and operations.”
Callow said organizations facing cyberattacks like VFS’s will often consult with their legal, cybersecurity and communications teams to determine a course of action before deciding whether or not to pay a ransom.
“My personal feeling in these cases is that it makes absolutely no sense at all for organizations to pay,” he said.
“It doesn't ensure that the criminals will delete the stolen data. There's no way of knowing that they do. It doesn't mean that organizations will avoid a class action or even lessen the chance of class action against them.”