Incident at Heartland Farm Mutual could have exposed sensitive data
A security breach at a Canadian insurance firm may have exposed the personal data of clients, the company warns.
Heartland Farm Mutual, which provides insurance for agricultural businesses across Canada, says a “small number” of personal records may have been accessed by an unknown party during the incident.
The company says an unauthorized actor accessed an employee’s email inbox, which contained personal details of customers. It hasn’t confirmed when the breach took place.
A statement seen by The Daily Swig reads: “Our investigation revealed that the incident may have exposed a small number of individuals’ personal information.
“We want to stress that we are not aware of any misuse of this information, and we have notified any individual who may have been directly impacted and offered them to cover the cost of credit monitoring for 12 months.”
The company says it quickly blocked the unauthorized access and employed an external cybersecurity team to investigate.
“Protecting personal information is a top priority for us,” the statement reads.
“Immediately upon learning of the incident, we took a number of steps to block the unauthorized access and secure the information.
“We quickly engaged an external team of cyber security experts to contain and investigate the incident, and we engaged all relevant authorities.
“We apologize for any inconvenience this may have caused. Heartland Farm Mutual is committed to further improving its security in order to prevent this from happening again.”
YOU MIGHT LIKE Canada plans revamp of its data privacy law
In 2018, it became mandatory for businesses in Canada to report instances of a data breach under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Previous to the PIPEDA coming into force, reporting incidents to the Privacy Commissioner of Canada was voluntary.
For organizations subject to the PIPEDA, it is now compulsory to report any breaches that could cause significant harm to individuals. Victims also must be notified, and all data breaches within the organization must be recorded.