Series of Breaches Occurred Over a Two-Year Period
Data breaches at Canadian government agencies exposed the personal information of approximately 144,000 citizens over a two-year period, according to a report from the Canadian Broadcasting Corp.
The breaches, which had been unreported, only came to light in January when Conservative MP Dean Allison demanded that the country’s federal government produce a report for the Canadian House of Commons, according to the CBC. The 800-page report contained details about agency breaches in 2018 and 2019.
In the report, the government admitted that agencies responsible for national defense, healthcare, tax revenue, postal service and immigration all sustained data breaches or accidentally exposed citizen data. The CBC, which is owned by Canada’s federal government, also sustained a breach.
Many of these agencies failed to inform the Office of the Privacy Commissioner, the government report notes. Several officials told the CBC that this means the number of Canadian citizens affected by these breaches could be much larger.
“We have raised concerns about strong indications of systemic under-reporting of certain types of breaches across government,” Vito Pilieci, a spokesperson for the Office of the Privacy Commissioner, told the Information Security Media Group.
The new government report notes that the Canada Revenue Agency, which administers the country’s tax laws, sustained the most data breaches – with over 3,000 incidents that affected 60,000 Canadians between Jan. 1, 2018 and Dec. 10, 2019, the CBC reported. Health Canada, which administers healthcare in Canada, had 122 breaches that affected nearly 24,000 citizens.
The government report notes that at least some of the information exposed in breaches may have been misused. For instance, a data breach that affected Employment and Social Development Canada, which is responsible for social welfare programs, led to data theft as well
Several spokespersons for the affected agencies cited human error as a major cause of these data breaches.
For example, a breach at the Canada Revenue Agency occurred after a department employee accessed a hard drive containing personal information of nearly 12,000 individuals, the CBC reports. And in one breach at Health Canada, an employee accidentally received an email containing personal information.
The news of numerous data breaches at government agencies comes despite Canada’s effort to make breach reporting mandatory under the Personal Information Protection and Electronic Documents Act.
Under that regulation, any organization that suffers certain types of data breaches is required to notify officials and alert victims “as soon as feasible.”
Pilieci notes that Canada’s Office of the Privacy Commissioner is working on amending the country’s privacy law.
“We believe there should be an explicit requirement for government institutions to report breaches of personal information to our office in a timely manner and to notify affected individuals in appropriate cases,” he says.
In November 2019, a year after the enactment of the privacy law, the nation’s privacy commissioner reported that more than 28 million Canadians had their data exposed in the 12-month period.