Recently, hundreds of millions of Quebec-owned data were exposed near the Quebec Housing Administrative Tribunal.
According to one computer expert, who is also a co-founder gives an annual event that brings together computer programmers, his data contains enough information to allow hackers to initiate a phishing campaign or to be able to extort money from his people.
This article will also interest you: Mobile tracing: the Quebec government reassures the security of the application on reliability
"A tenant who is challenging a rent increase with the Quebec Administrative Housing Tribunal is not the only one who can view his file on the organization's website. In fact, anyone armed with an Excel spreadsheet and a little patience can retrieve from the court site thousands of files of current and past tenants, left without any protection. explains Alain McKenna.
"A person who is a little unintent can do a lot of damage with what is found on this site," notes Patrick Mathieu, a computer expert and the other co-founder of Hackfest. "If you want to go after someone, what you find here is a lot more important than any Facebook account breach. he adds.
Indeed, it may be that with this data in circulation it would be possible to build a whole database. This is that can be easily marketable on the Darkweb. "You can build a whole database from that data. A hacker could then resell them on the specialized sites of the dark web. Explains Steve Waterhouse, a Canadian computer security specialist who is also a former computer security officer at the Department of Defence.
"It's appalling that the government is neglecting simple data security issues by failing to protect these documents. They contain confidential information from tenants and people who can easily become victims of phishing or identity theft. ».
"When the tenant and the landlord have a dispute, they ask the Administrative Housing Tribunal — the former Quebec Housing Authority — to decide for them. The court then builds a file with the names, postal addresses and e-mail of the parties involved. The file may contain several other personal documents, notices of hearing and minutes of these hearings. The complainant receives a six-digit number that he can then use to find his digitized file on the court website. A search using this number returns a summary of the court's actions, and ends with a PDF document to download. Simply repeatedly enter the web address leading to this document, altering the file number, to retrieve PDF files related to other files. In front of Le Devoir, a source was able, using a simple script programmed in an Excel binder, to locate in less than two minutes more than a thousand of these PDF files that are not protected by any security measures. explains Patrick Mathieu.
A folder rich enough to initiate a computer attack campaign. The possibilities under these conditions are plural. Indeed, one can consider here companion of identity theft of the court, with the aim of extracting money in exchange for the study of a file for example.
For a hacker, this data represents a lot of value. The ability to collect them in large numbers makes it much more interesting for them. And the fact that they come from a public administration source makes them even more reliable.
"You can build a whole database from that data. A hacker could then resell them on the specialized sites of the dark web. As this is verified information, they would go looking for a very good price … Waterhouse says.
Yet on the other hand, we learn from all the housing courts in Quebec that we had no choice but to make their computer data public. Indeed, according to some provisions of the law, all the information and personal information that may have been collected in the course of a judicial function are public natures and the files must also be accessible to all "as is the case in the courts of the judicial order such as the Court of Quebec", the court recalled.
It should also be noted that extensive searches of other people's personal information through documents and court are prohibited. "This is certainly an important issue in a context where the government is in the midst of a digital shift," says Pierre Trudel, professor of cyberspace law. "It is easier to commit an illegal act. There is probably a precaution that the court — or the government — could take to prevent that. he adds.
Now access an unlimited number of passwords: