Nearly a year after being the victim of a computer hack, the UniMarketing firm revealed on Monday the total toll of the incident: 46 organizations and approximately 295,000 people were affected.
The firm said it detected a security breach affecting its computer systems on August 8, 2023. “Thanks to the assistance of independent cybersecurity experts and an IT service provider, we were able to quickly bring the situation under control,” it explained in a press release. The firm quickly contacted the Sûreté du Québec, said Steve Lévesque, UniMarketing’s vice-president of operations.
“However, we were informed on December 22, 2023 that files may have been compromised, but [nous n’y avions pas accès]. When they were able to be recovered, we undertook a thorough review of the affected files, the first phase of which was completed in April 2024. It was determined that personal information was contained in some of the affected files,” UniMarketing said.
Through telephone solicitation activities, the firm held personal information of clients, graduates, donors, subscribers and users of the 46 affected organizations. These include private companies, non-profit organizations and educational and health institutions.
The Integrated Health and Social Services Centre of Montérégie-Centre is one of them. “The people potentially affected are users who received care or services at the Charles-Le Moyne Hospital between January 2021 and May 2023 and who were asked to make a donation to the Charles-LeMoyne Hospital Foundation,” the establishment explained in a press release issued Monday.
The duty is also one of the affected organizations, since UniMarketing is an external supplier with which the newspaper does business for its subscription campaigns by telephone solicitation. The data breach therefore affects subscribers who responded to telephone solicitation calls. Donors are not affected by this incident.
The newspaper was informed of the situation last Friday and immediately suspended its business relations with the firm in order to shed light on this event. In total, 2,472 subscribers to the Duty are affected by the leak of personal information. Their name, surname, contact details and credit card number ended up on the hidden web (dark web). UniMarketing confirmed to Duty that there were no other victims of this leak among the newspaper’s subscribers.
The newspaper will contact each of the people concerned individually this week and next. It recommends that these people contact their banking institution and change their credit card.
“We are troubled by this information leak and offer our sincere apologies to affected subscribers. The duty takes the protection of personal information seriously and demands the same from its suppliers. While knowing full well that no company is safe from a computer security intrusion these days, we will take steps to enhance our internal controls and our vigilance,” said the director of DutyBrian Myles.
Monitoring service offered for affected subscribers
UniMarketing has confirmed to Duty that it would offer credit monitoring, fraud counseling and identity theft restoration services to newspaper subscribers affected by the incident. They will have access to them for a period of two years.
In its press release addressed to all 46 organisations affected by the hack, the firm stated that it had had no indication, for the moment, that “fraud or identity theft had been committed following this event”.
However, she encouraged those affected by the data leak to be vigilant about suspicious emails or phone calls. “Any suspicious activity should be promptly reported to the relevant authorities,” she said.
Since the incident last August, the company claims to have resumed its activities on new computer servers “entirely independent” of those affected by the hack.