November 1, 2022
Re: Saskatchewan Liquor and Gaming Authority (“SLGA”) Cyber Security Incident
The following is a summary of information regarding the cyber security incident in December 2021 and specific actions SLGA has taken in response.
Update on cyber incident
As publicly reported on December 28, 2021, SLGA was the victim of a cyber security incident. Upon learning of the incident, SLGA took immediate steps to secure its systems and mitigate the impact to data and operations. SLGA engaged cyber security experts and has consulted the Saskatchewan Information and Privacy Commissioner’s Office about direct and indirect notifications to SLGA employees and clients regarding access to personal information. SLGA is also fully cooperating with the RCMP with respect to this incident.
What information was involved?
In accordance with The Alcohol and Gaming Regulation Act, 1997 and The Freedom of Information and Protection of Privacy Act, SLGA collects personal information as part of its liquor, gaming and cannabis regulation activities. The types of personal information collected include but are not limited to names, contact information, criminal histories, and financial information (depending on the type of licence). Based on the results of our investigation to date, SLGA believes that some of the personal information associated with regulated activities was affected. Unauthorized access to or misuse of these types of personal information can lead to financial harm, identity theft or personal embarrassment.
To mitigate risk, SLGA arranged for two years of credit monitoring services for affected individuals through TransUnion, one of Canada’s leading consumer reporting agencies. Individuals had until October 31, 2022 to sign up for this service.
What can you do?
You may wish to contact your financial institution to set up alerts on your personal account to inform you of irregular activities. Often, these alerts can be set up by logging in to your online banking; however, you may wish to contact your financial institution directly. It may also be a good idea to change passwords on some of your accounts. Passwords should be unique to each account and contain a mix of capital and lower-case letters, numbers and symbols.
Can I make a report to the Privacy Commissioner?
SLGA has been in ongoing contact with the Privacy Commissioner’s office since the end of December. You have the right to make a complaint to the Privacy Commissioner at:
Saskatchewan Information and Privacy Commissioner
503 – 1801 Hamilton Street
Regina SK S4P 4B4
Telephone: 306-787-8350
Toll Free Telephone (within Saskatchewan): 1-877-748-2298
What is SLGA doing to keep my information safe?
Enhanced IT Security Measures
As publicly reported on December 28, 2021, SLGA took immediate steps upon learning of the cyber security incident to secure its systems and mitigate the impact to data and operations.
SLGA has retained independent cyber security experts to assist SLGA in dealing with the matter in accordance with industry best practices. The cyber security experts have been reviewing SLGA’s systems over the past number of months. SLGA is implementing recommendations and continues to review and update its cyber security systems and policies going forward. Many of the recommendations from the cyber security experts have been implemented at this point.
Document Management Review
SLGA has also retained third-party experts regarding document management and retention policies and procedures. SLGA’s policies relating to the collection, use, disclosure and safeguarding of personal information must be both robust and adhered to. SLGA’s policies and practices will be reviewed against industry best practices and the legislative requirements set out in The Freedom of Information and Protection of Privacy Act, and recommendations will be implemented as soon as possible.
Increased frequency of cyber incidents due to cyber criminals is becoming the norm in our society. This does not mean they are acceptable. Both the cyber security audit and the document management review are intended to help mitigate against future risks to information under SLGA’s control.