Toronto, Ontario — July 5, 2019 — On Tuesday morning, the Boyd Group announced it had been the victim of a ransomware attack. Although the auto repair investment fund has not uncovered any evidence that customer or employee information has been compromised, security experts are continuing to investigate the extent of the damage.
While work uncovering the extent of the damage may be relegated to the Boyd Group’s cybersecurity department, the incident has caused ripples of concern across Canada’s automotive sector. As the importance of computerization in vehicles increases, several Collision Repair readers have voiced concerns that the collision community is largely naive to the risks posed to auto repairers by cybercriminals.
To clarify these risks, Collision Repair recently spoke with Justin Bull, a Toronto-based cybersecurity expert who came to national prominence in 2013 when he alerted the Canadian Revenue Agency that their private information was vulnerable to a relatively simple-to-perform hack known as Heartbleed. He now serves as a senior cybersecurity manager with Wealthsimple in Toronto.
CR: What is ransomware?
JB: Ransomware is software designed to hold you at ransom. It can threaten to shut down your ability to do business unless money is paid.
The thing is, there is no guarantee that the threat will go away if the ransom is paid. Even if it is, there is nothing to stop criminals who choose to sell the data to organized crime groups who can use these identities for their own illicit purposes.
The challenge is that, at this point, there’s no way to know if criminals have already started extracting your customers’ data. If they have, they can turn around and use this for identity fraud.
Almost all ransomware attacks now try to take advantage of network propagation. If a single computer gets hit in your office, it will jump to other computers in the office as well. If you’re connected to an affected network, criminals may have access to your data too.
CR: How can an organization limit the risks of ransomware or other cyber attacks?
JB: There is no silver bullet to protect an organization against cyber crimes. The most important thing to do is to maintain good ‘computer hygiene’ habits–just as you would at home. Don’t download unknown email attachments or follow strange links. Some companies invest in sending staff to courses to reiterate the basics of safe computer use.
It is also important to avoid putting off those software update notices. It is easy to put them off, but updates are the only way for Apple and Microsoft to protect against new threats–and cybercriminals are always trying new approaches.
CR: Are there any data theft risks that are specific to the automotive sector? Is the idea of a terrorist attack made via a hacked vehicle possible, or just science fiction?
JB: As cars became more computerized, there wasn’t too much thought put into the idea of cybersecurity. Why? Because when cars are manufactured, autonomous features are created first, security last. Those risks weren’t really considered until relatively recently.
The direct hacking of automobiles is a bursting field of research and a very serious field of research. We’re finding situations where people can kill the steering wheel or remotely control the brakes–which could cause an accident or death.