As part of its work looking into issues around the federal government’s ArriveCAN app, the House of Commons Standing Committee on Public Accounts (PACP) recently heard from Aurora Cannabis Chief Information Officer Darryl Vleeming.
Vleeming spoke with the committee in his current role as vice president and chief information officer at the Canada Border Services Agency (CBSA).
The committee questioned Vleeming on the issue of GC Strategies, a company which received millions of dollars from the federal government to develop the mobile app provided by the Canada Border Services Agency in 2020, while Vleeming was still with Aurora.
Vleeming was speaking to the committee along with Jonathan Moor, vice-president, comptrollership branch of the CBSA, and from the Office of the Auditor General: Andrew Hayes, deputy auditor general; Sami Hannoush, principal; and Lucie Després, director.
During the hearing, Bloc Québécois MP Nathalie Sinclair-Desgagné questioned Vleeming about a hack that occurred on Christmas in 2020, when he was chief information officer at Aurora Cannabis.
In that breach of security, hackers stole all of Aurora’s computer data, noted Sinclair-Desgagné, including copies of driver’s licences “and other highly confidential documents.”
When the hackers tried to sell that data in an online marketplace, she noted, they used a copy of Vleeming’s passport as evidence that their claims were real.
Vleeming confirmed the hackers had indeed shared his passport but said Aurora’s security system had limited them to accessing only “a very small amount of data.”
“The data breach actually got a very small amount of data from Aurora, and we were subjected to blackmail,” Vleeming told the committee. “Basically, they tried to force us to pay to not release it, but the amount of information they stole was extremely limited, so we made a decision as an organization not to pay.”
Sinclair-Desgagné questioned whether this showed a lapse in his duties as chief information officer at the time. Vleeming said such hacks are “never ideal” but common.
“You’re never as prepared as you could be, but the reality is that cyber-attacks continue to increase worldwide,” he said as part of his final comments on the matter. “You just have to google the number of companies that get hacked on a daily basis. It is expected. What you have to do is limit the damage, and in this case the damage was extremely minimal.”
The hackers who stole data from Aurora Cannabis posted 11 sample images on January 7, 2021, as “proof of concept.” In addition to Vleeming’s passport, the images appeared to include an Alberta driver’s licence belonging to Amy Lamoureux, a supply chain manager at the company.
Aurora maintains that no patient data from its medical cannabis program had been compromised.