Canadian web hosting company Web Hosting Canada (WHC) reported an incident that severely disrupted operations on Saturday. The WHC CEO's description of the incident points to a disgruntled third party.
WHC, boasting over 60,000 clients, announced it ran into a major incident on Saturday. The availability of web hosting and reseller hosting accounts on WHC systems in the Montreal datacenter was affected.
“We currently have all hands on deck working on the problem but the situation is serious,” the company claims. CyberNews tried to contact the company; however, no answers have been provided so far.
WHC is restoring data on four servers. However, five WHC servers have had their backups partially or completely destroyed, with the company admitting that information hosted there has a ‘low likelihood of data recovery.’
“Our initial attempt to repair the data on our backup servers has failed and at this point the likelihood of successfully restoring account data from these servers is very low,” WHC wrote in an update on the incident.
Since the incident was reported on a weekend day and backup servers were damaged, this might point to the incident being a malicious attack.
Hackers tend to strike on weekends and holidays, since the majority of IT employees are either on leave or at home, hindering a fast response to an attack. Even if some personnel are on premises, it’s highly likely there are fewer people working during the off days.
Many major attacks happened in a similar fashion: Kaseya was recently hit just before the July 4 celebration, the SolarWinds hack was carried out just before Christmas last year, and in 2013 hackers breached Target data centers just before Thanksgiving.
The destruction of backup servers is a technique employed by ransomware cartels for extortion. Crime cartels destroy backups and hold the stolen information hostage, demanding that owners pay if they want to get it back.
According to Dave Hatter, a cybersecurity expert at IntrustIT, the way WHC covered the incident does resemble a malicious attack.
"While I suppose it could be something else, it looks like a ransomware attack to me," Hatter wrote CyberNews in an email.
At the time of writing this article, WHC did not specify whether the incident was caused by an attack, system malfunction or whether something has caused physical damage to the affected servers. Recent weather conditions, however, do not point to any extremes in Montreal on Saturday.
Since Web Hosting Canada did not provide any information on the cause of the incident, angered clients have been speculating on social media with theories ranging from electrical damage to a rogue former employee.
After the article was published, WHC's founder and CEO, Emil Falcon, released a blog post explaining the situation.
According to him, an individual with a third-party service provider used their privileged account access to connect to one of WHC's datacenter's management portals.
"Without authorization, [the individual] initiated server reimaging on some of our backup servers, then on some of our production servers," Falcon writes.
Production and backup servers were damaged due to the incident, with many web hosting and reseller hosting accounts being affected. Some Web Hosting Canada clients lost their data permanently.
The article was updated on 31 August.