More than 28 million Canadians impacted by security incidents, report states

UPDATE (Nov 7; 11:00 UTC) Data breach reporting in Canada has skyrocketed.

In a blog post released late last week by the nation’s information ombudsman, the Office of the Privacy Commissioner of Canada (OPC), data breaches at organizations throughout the country are said to have increased six-fold since 2018.

“Some of those reports have involved well-known corporate names, but we have also seen significant volumes coming from small- and medium-sized businesses,” the OPC said.

According to the post, the OPC received a total of 680 data breach reports in the 12 months from November 1, 2018 – six times the volume received during the same period a year earlier.

This sharp increase is likely due, in part, to the new mandatory data breach reporting requirements set under Canada’s federal privacy law.

The Personal Information Protection and Electronic Documents Act (PIPEDA) was updated last year, placing more onus on businesses to notify the OPC of any security breaches that result in consumers’ data being compromised.

PIPEDA, much like the EU’s General Data Protection Regulation (GDPR), now requires all organizations to report to the Privacy Commission of Canada if a security incident carries “a real risk of significant harm” to consumers.

Affected individuals should also be notified, and failing to do so can result of fines up to C$100,000 (US$76,000). Penalties are issued by the Attorney General of Canada and are so far rare. 

Previously, data breach reporting to the OPC was done on a voluntarily basis.


Check out the latest data breach news from The Daily Swig


Some have questioned whether the new rules go far enough, saying that there remains little incentive on business to apply proactive defense measures.

“Commissioner Therrien has been calling for law reform that provides for enforcement mechanisms that result in quick and effective remedies for individuals, and broad and ongoing compliance by organizations and institutions,” an OPC spokesperson told The Daily Swig.

“Given the interests at stake for individual Canadians, the Commissioner's view is that the starting point for modernizing Canada's privacy framework is to give it a rights-based foundation.”

It would appear that improvements in cyber hygiene are being made, regardless.

Security incidents at major corporations, such as Desjardins and Capital One, the latter of which affected six million Canadians, are expected to have additionally influenced increased reporting, with the number of Canadians impacted by a data breach now “well over” 28 million, according to the OPC.

“Don’t just focus on technical vulnerabilities,” the OPC said.

“Are third parties collecting personal information on your behalf without appropriate safeguards? Are your employees aware of risks and their privacy responsibilities?

“Over the last year the OPC has seen each of these scenarios lead to a breach.”

Drilling into the data

Unauthorized access accounted for the majority (58%) of data breaches reported, and one in five data breaches were the result of an accidental disclosure – the result of a document being left behind, or an email to the wrong individual, the OPC said. Theft accounted for 8% of the reports.

“Employee snooping and social engineering hacks are key factors behind breaches resulting from unauthorized access,” the OPC added.

“In fact, roughly one in four of the incidents reported to us involved social engineering attacks such as phishing and impersonation.”

The OPC is currently completing a record review exercise, as organizations under PIPEDA must now keep track of every security incident that occurs in their business for a minimum of two years.

“We visited several companies across Canada to verify whether they have kept records in accordance with the new requirements,” the OPC spokesperson said.

“The full analyses of the data collected in underway.”

It is likely that the exercise will help determine how cybersecurity compliance can be improved, and help produce tools for business to create more advanced cyber postures.

“Through both the exercise and the breach reports we have received to date, it has become clear that breaches remain an ongoing threat for all organizations,” the OPC said.

“Businesses need to be aware of the myriad of potential risks and tackle them through a combination of technology, training, policies and processes.”


This article has been updated with comment from the Office of the Privacy Commissioner of Canada.


YOU MIGHT ALSO LIKE Canada brings in new privacy rules – political parties excluded