Ten days after it learned it was targeted by a ransomware attack, the College of Nurses of Ontario (CNO) is still trying to figure out if the personal information of its 300 employees and 195,500 members has been compromised, officials tell CBC News.

“We are aware of a claim on the dark web regarding data theft from CNO,” the nursing regulatory body told CBC News in a statement.

“While we are not able to confirm at this time, through a comprehensive forensic investigation, CNO is seeking to determine whether personal information was compromised as result of the incident that may require notification to individuals. Although CNO was affected by ransomware, the organization is implementing a range of approaches to resume operations safely and securely, including restoring from backups.”

Hackers have posted some of the information they claim to have obtained online, including folders marked “Human Resources” and “Human Rights Matters.” Among the information posted are photos of small claims and Superior Court settlements, which include the full names, addresses and phone numbers of people.

The post on the dark web also includes a countdown clock, which as of Sept. 17 gave the CNO 12 days to meet the hackers’ demands. CNO has not responded to questions about what those demands are or whether they have been or will be met.

Ransomware attacks involve malicious software used to cripple a target’s computer system to solicit a cash payment. Organizations are forced to pay large sums of money or risk sensitive information being released.

“There is currently no evidence that any employee’s personal information was affected as a result of this incident. As an interim measure and as a precaution, CNO is offering current employees a free subscription to a credit monitoring and identity-theft protection service,” the college said in a statement.

The college employs 300 people and regulates almost 200,000 nurses who are required to register to work in the province.

‘Shameful’ lack of transparency

The three groups that represent Ontario’s nurses — CUPE, the Ontario Nurses Association and the Registered Nurses Association of Ontario —  expressed dismay about the college’s handling of the data hack, because they and their members weren’t told about the possible information breach until contacted by CBC News, more than a week after the original hack.  

“It’s unforgivable to wait to let people know. I think that’s shameful,” said Michael Hurley, the regional vice-president for CUPE, which represents registered practical nurses in Ontario and said some of his members have restraining orders against their partners because of past violence, and need to know if their personal information has gotten out.

A threat analyst for a cybersecurity firm told CBC News there’s no reason for an organization to not tell people about a security breach.  “Organizations should notify individuals whose data may have been compromised as soon as they possibly can. At least those individuals can then be on the lookout for suspicious account activity and so on,” said Brett Callow, of cybersecurity firm Emsisoft.

The nurses unions say they’ll tell their members themselves about the breach.  The college says its “in the process of providing information” to members.  “CNO collects a range of general contact and profile information in the course of our business as the governing body for nurses in Ontario,” the college said in a statement.

“Payments to CNO by members are processed securely through a third-party vendor. As such, CNO has not identified a risk to members of financial, credit or identity fraud associated with that type of information. We thank our employees, members and applicants for their patience, and regret any inconvenience the incident may have caused.”