More than 28 million Canadians’ privacy has been affected by 680 reported breaches in the past year – six times the previous year’s volume – Canada’s privacy chief says.
That number is known due to mandatory breach reporting under the Personal Information Protection and Electronic Documents Act, the Office of the Privacy Commissioner of Canada said in a blog post.
The law applies to Canadian private-sector organizations that collect, use or disclose personal information in the course of a commercial activity.
Under mandatory breach notification starting in November 2018, such organizations must report breaches to the commissioner and those affected if they pose a real risk of significant harm to individuals.
“Since reporting became mandatory, we’ve seen the number of data breach reports skyrocket,” the blog said. “Some of those reports have involved well-known corporate names, but we have also seen significant volumes coming from small- and medium-sized businesses.”
The blog noted some breaches captured headlines. Those include finance company Desjardins where a breach affected 4.2 million people and the Capital One Financial data breach where six million Canadians’ personal information was compromised.
The commissioner said 58 per cent of breaches involved unauthorized access.
“We have seen a significant rise in reports of breaches affecting a small number of individuals – often just one and sometimes through a targeted, personalized attack,” the blog said. “This is the correct approach to reporting: there can be risk of significant harm even when only one person is affected by an incident.
“Employee snooping and social engineering hacks are key factors behind breaches resulting from unauthorized access. In fact, roughly one in four of the incidents reported to us involved social engineering attacks such as phishing and impersonation.”
And, the blog said, fraudsters and other bad actors are using increasingly sophisticated tactics to convince organizations’ employees that they are someone else. Such tactics employ psychological techniques, attempt multiple avenues to obtain personal information, and draw on publicly available information as well as information disclosed in other privacy breaches.
Moreover, the blog said, more than 20 per cent of reported data breaches involved accidental disclosure.
“This would include situations where documents containing personal information are provided to the wrong individual (for example, because an incorrect email or postal address was used, or an email was sent without blind copying recipients) or are left behind accidentally,” the blog said.
Disclosure due to the loss of a computer, storage drive or actual paper files accounted for 12 per cent of the breach reports.
Breaches due to theft of documents, computers or computer components accounted for 8 per cent of the reports.
The blog made a series of recommendations for safeguarding systems and data, including knowing what information is collected and where and how it is stored, doing breach risk assessments, educating employees on risks and responsibilities, ensuring third-party service providers have proper safeguards, and being aware of the breach issues facing your industry or sector.
“Employee snooping and social engineering hacks are the key factors behind breaches resulting from unauthorized access,” Toronto privacy lawyer Amanda Branch said in a commentary.
“’Accidental disclosure’ occurred in instances where documents containing personal information were provided to the wrong individual or were left behind accidentally,” Branch said.