In the last 12 months, the personal information of approximately 28 million Canadians was affected by corporate hacks or mismanagement, according to the Office of the Privacy Commissioner of Canada (OPC).
The assessment was issued last week after the first full year’s worth of data supplied by private sector firms that had to report breaches of security controls was analyzed. Until new regulations to the Personal Information Protection and Privacy Act (PIPEDA) came into effect Nov. 1, 2018, companies only had to voluntarily report breaches to the OPC.
That number of impacted victims includes the huge breaches at Quebec-based Desjardins Group’s credit unions, and the roughly 6 million Canadian’s victimized by the breach at U.S.-based credit card issuer Capital One.
In actuality, the OPC assessment is about 2 million short. On Friday, the day after the assessment was released, Desjardins said data on all 4.2 million of its credit union customers was affected in the June data breach it suffered. Initially, it said only 2.7 million individuals were affected.
In those first 12 months – which ended on October 31 – the OPC received 680 breach reports; six times the volume it got from voluntary disclosure. “It’s a staggering increase and higher than we had anticipated,” the privacy commissioner’s office said in a blog Thursday.
In an interview, deputy privacy commissioner Brent Homan said he found the numbers “quite alarming” considering Canada’s population is 37 million.
“We see these as big numbers, they are bigger than we anticipated, but at the same time it could be the tip of the iceberg … It could be an indication of a larger problem than has been reported.
“We are really looking at businesses to turn their attention to protecting customers’ information so they can maintain and support trust and faith in their industries.”
Asked if the numbers suggest organizations aren’t doing enough, Homan said the OPC knows the private sector is trying.
“One of the biggest things we want to send a message out is that it’s really important for the top brass in any organization to walk the talk and make breach preparedness a priority. Build awareness in the organization, train employees to follow security and privacy procedures and to have robust [login] authentication procedures in place. About 60 per cent of breaches were related to non-authorized access.”
The reported incidents break down like this: 397 (58 per cent) of the 680 incidents were due to “unauthorized access” (data breaches and employee snooping), 147 were due to “accidental disclosure” (including information sent to the wrong email address, or to multiple people by BCC instead of only one person), 82 incidents were due to “loss” (presumably including losses of laptops, hard drives and USB devices), and 54 were due to theft.
The blog also issues advice to companies on avoiding data breaches to be alert, including industry trends. For example, it notes in the telecom industry, attackers committing fraud by impersonating real customers and persuading customer service agents they are the real account holder in part using publicly available information, information from other breaches, and social engineering techniques. The goal is to change account information, such as a phone number, and have it be assigned to a new SIM card, ultimately allowing them to access other accounts. Fraudsters are targeting one carrier, the blog says, and, as the company addresses the issue, the attackers move on to another company.
RELATED: PIPEDA’s updates a step in the right direction, still lack clarity, says channel community
The new legislation obliges companies that come under PIPEDA to report to the OPC and victims breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals (shortened by privacy pros to RRoSH). They must also keep a record of every breach of security controls whether it hits the RRoSH threshold or not.
One question the private sector has wrestled with is what is a ‘real risk of significant harm?’ For example, if only an email address is stolen, would that cause a person significant harm? A related question is, should a company give a wide interpretation just to be on the safe side?
Apparently, the answer to the last question is, yes. The blog notes the commission has seen a significant rise in reports of breaches affecting a small number of individuals – often just one and sometimes through a targeted, personalized attack. “This is the correct approach to reporting,” says the OPC: “There can be risk of significant harm even when only one person is affected by an incident.”
The blog also offers this advice to organizations on how to lower the risk of being hit:
- Know what personal information you have, where it is, and what you are doing with it. When and where do you collect personal information? Where does that information go? Who can access it, and what do they do with it? You must understand your data before you can protect it.
- Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests within your organization to ensure that threats to privacy are identified. Don’t just focus on technical vulnerabilities, though. Are third parties collecting personal information on your behalf without appropriate safeguards? Are your employees aware of risks and their privacy responsibilities? Over the last year, the OPC has seen each of these scenarios lead to a breach. Identify your organizations’ weak points before a breach identifies them for you.
- Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association and other sources of industry news.