The RCMP says it doesn’t know the full extent of cyber breaches allegedly caused by John Paul Revesz’s “Orcus” malware, but the charges it laid against the Toronto computer programmer and former TD Bank IT systems administrator highlight the myriad vulnerabilities of our online data and privacy.
Last Friday, Revesz was charged with a hybrid offence under Section 342.1 of the Criminal Code “for unauthorized use of a computer”.
The charge relates to purported malware that Revesz allegedly sold on the web, which gave clients the ability to take control of a remote computer and for which he allegedly provided online tutorials on its use.
“The exact impact that the tool had on the internet and related corporations is unknown at the moment,” said the RCMP in an email to The Post Millennial, but police could not say whether other charges were forthcoming.
Other cases involving section 342.1 indicate its broad application. Most recently, it formed part of espionage charges against RCMP analyst Cameron Ortis; it has also been used to prosecute people who use computers or mobile devices to lure children, as well as in election tampering charges involving computer-generated robocalls.
“We are only aware of the offences for which he was investigated by the Cybercrime Investigative Team,” said the RCMP.
The RCMP national cybercrime division’s announcement of its case against Revesz came a week after the Office of the Privacy Commissioner of Canada released its first annual mandatory accounting of data breaches from entities subject to the Personal Information Protection and Electronic Documents Act.
Of Canadian banks, airlines and telecommunications firms obligated to report such breaches, there were 680 security hacks between Nov. 1, 2018 and Oct. 31, 2019 that exposed the personal information of more than 28 million people.
“Since reporting became mandatory, we’ve seen the number of data breach reports skyrocket. Some of those reports have involved well-known corporate names,” according to Privacy Commissioner Daniel Therrien.
“But we have also seen significant volumes coming from small- and medium-sized businesses.”
Well-known corporate names to suffer major breaches during this reporting period include Capital One, where a hacker got access to an estimated 100 million clients’ social insurance (security) numbers, names, addresses and credit records. Six million Canadians are believed at risk after this event.
Québec-based Canadian credit union Desjardins also fell victim to a cyber breach, believed to be an inside job, that exposed personal data on nearly three million customers.
Of all the breaches logged by Therrien, 147 were deemed “accidental disclosures”, while the rest were rated “loss” or “theft”, along with 347 cases of “unauthorized access”.
According to Sem Ponnambalam, president of Xahive, an Ottawa-based cyber security firm, the tools required to hack into networks or personal computers, as Revesz’s “Orcus” is alleged to facilitate, are very accessible, even for amateurs.
“You don’t even have to go to the dark web. There’s even stuff on YouTube where it shows you all the codes, all you need to do, the type of portal you need…it literally walks you through the process,” Ponnambalam told TPM.
“And you don’t even have to be a techie or a hacker to do it, that’s how crazy things have become.”
Ponnambalam says computer programmers and hackers who engage in this activity generally divide into two groups: one she describes as “ethical hackers” or “white hat”, the other with more nefarious intentions.
“A lot of the time ethical hackers are hired to do penetration testing; however, they are also hired to test the preparedness of individual employees,” she told TPM.
“The inverse is true too where ‘unethical hackers’ are generally criminals themselves or are criminals by association working for the highest bidder to use their skills for illegal activities.”