User:Jecsea/sandbox



Data breach in Canada refers to instances of stolen digital information without the consent or knowledge of the owner in Canada. Stolen digital information "may involve sensitive, proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or matters of national security."

Data breaches are on the rise in Canada, with the average cost to Canadian companies being $6.11 million per breach in the 2017 fiscal year. This figure represents a 5.5% increase over the 2016 study, and is nearly 50% higher than the 2017 global average of US$3.8 million. 48% of breaches are attributed to malicious or criminal attacks, 30% to human error, and 22% to system glitches.

Regulation
Canada is governed by federal private-sector law under the Personal Information Protection and Electronic Documents Act ("PIPEDA") which is in place to safeguard the personal information of Canadians.

Provincial Law
In addition to federal regulation, several Canadian provinces have private-sector provincial laws that work in conjunction with the federal law.

Source: Canadian Privacy Law

Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act ("PIPEDA") is the federal legislation governing the private sector in Canada with respect to data privacy. The PIPEDA bill received royal assent and was enacted on April 13, 2000. The Act serves to protect consumer data and provides a regulatory framework for the protection, collection, use, and disclosure of such data.

In 2015 the Canadian Government introduced new provisions to PIPEDA, through Bill S-4, the "Digital Privacy Act", aimed at protecting individuals from data breaches. These changes are set out in Division 1.1 of PIPEDA and concern mandatory data breach reporting and record-keeping requirements. In April 2018 the Canada Gazette released the finalized Act, and on November 1, 2018, the changes introduced by Bill S-4 officially came into effect.

PIPEDA defines data breach as "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards."

In accordance with PIPEDA, organizations whose data has been compromised must strictly adhere to the reporting and record-keeping standards outlined in the Act, so that potentially affected individuals are informed of the nature of the breach. The Act also requires affected organizations to respond to breaches in a timely, efficient, and compliant manner.

Organizations are expected to follow a set of guidelines for reporting breaches, which include:

'''Report to Commissioner'''

 * 1) a description of the circumstances of the breach and, if known, the cause;
 * 2) the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;
 * 3) a description of the personal information that is the subject of the breach to the extent that the information is known;
 * 4) the number of individuals affected by the breach or, if unknown, the approximate number;
 * 5) a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
 * 6) a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act; and
 * 7) the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

'''Notification to Affected Individual'''

"A notification provided by an organization, in accordance with subsection 10.1(3) of the Act, to an affected individual with respect to a breach of security safeguards must contain":

 * 1) a description of the circumstances of the breach;
 * 2) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
 * 3) a description of the personal information that is the subject of the breach to the extent that the information is known;
 * 4) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;
 * 5) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and
 * 6) contact information that the affected individual can use to obtain further information about the breach.

As outlined in section 4 (Direct notification), affected individuals must be given direct notification of the breach "in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances." Under subsection 5(1) (Indirect notification), indirect notification may be given when:
 * 1) Direct notification would be likely to cause further harm to the affected individual;
 * 2) Direct notification would be likely to cause undue hardship for the organization; or
 * 3) The organization does not have contact information for the affected individual.

'''Record-keeping requirements'''

Under Breach of Security Safeguards Regulations subsection 6(1), "an organization must maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred."

Digital Privacy Act "Bill S-4"
The Digital Privacy Act, also known as Bill S-4, is an Act which was assented to on June 18, 2015, and serves to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to provide better data protection and reporting standards for Canadians.

The amendments made to PIPEDA through the Digital Privacy Act expand on what constitutes "valid consent for the collection, use, or disclosure of personal information." The Act also widens the scope of several definitions and exemptions, and introduces mandatory data breach notification regulations.

Ponemon Institute
The Ponemon Institute is a research organization which "conducts independent research on consumer trust, privacy, data protection, and emerging data security technologies."

The 2018 Ponemon Institute Cost of a Data Breach study found that Canada had the second-highest per capita cost at $202, and the highest direct cost at $81 per record. The Ponemon Institute defines direct costs as "the expense outlay to accomplish a given activity such as engaging forensic experts, hiring a law firm, or offering victims identity protection services."

Risk Based Security
Risk Based Security ("RBS") is an IT solutions and security consulting firm based in the United States. In August 2018, RBS released a mid-year data breach report which provides a global analysis of cyber trends and security risks as of mid-2018.

According to Risk Based Security's "Exposed Records by Country", Canada had a total of 48 breaches, "resulting in 12,551,574 records exposed, with an average of 261,491 records exposed per breach."

Scalar Decisions
Commissioned by Canadian IT solutions firm Scalar Decisions, the International Data Corporation ("IDC") produced a Cyber Security Readiness of Canadian Organizations report, which found Canadian organizations to be unprepared in the event of a data breach, noting that "the consequences of being unprepared for a breach now greatly outweigh the costs of a well-managed security program."

Global Alliance of Data-Driven Marketing Associations
The Global Alliance of Data-Driven Marketing Associations ("GDMA") commissioned Foresight Factory, a company specialising in global consumer trends and data reports, to conduct a report in conjunction with Argentina, Australia, Canada, France, Germany, Netherlands, Singapore, Spain, UK and the US, which assessed global customer perspective on data privacy.

The study determined that there is a rising trend across global markets in which consumers are becoming increasingly concerned about their data privacy, with 77% of Canadian survey respondents falling under this category.

Bank of Montreal
In May 2018, Bank of Montreal ("BMO") revealed to customers through a public statement that personal and financial data had been breached from outside of Canada. BMO assured customers that relevant steps and procedures had been followed to secure customer data, and that both authorities and affected customers were in the process of being notified. It is believed approximately 50,000 customers were affected.

Following the breach, media outlets across Canada were contacted and told that BMO must pay a $1-million ransom by 11:59 PM the same day, or all of the personal and financial data would be leaked.

In June 2018, a class-action lawsuit was filed against BMO by law firms Siskinds LLP and JSS Barristers on behalf of victims of the breach. It was alleged in the lawsuit that BMO "failed to establish robust security measures to protect clients' sensitive information." The lawsuit is still pending certification by a judge.

Bell Canada
Bell Canada, owned by BCE Inc., has faced several data breaches. In February 2014, more than 22,000 of Bell Canada's small-business customers had usernames and passwords stolen, including the details of five verified and active credit cards. A hacker group named NullCrew took responsibility for the attack and claimed they gained access to customer data "through a SQL (Structured Query Language) injection attack, which exploits weaknesses in a programming language designed to retrieve information from a database."

In 2017, 1.9 million customers had their email addresses accessed, while 1,700 names and phone numbers were retrieved. Anonymous threats posted online warned that a significant portion of the data would be released if Bell did not cooperate; however, no further information was leaked.

It was revealed that Bell had been aware of the breach in the days leading up to the online threat but refrained from notifying affected customers until it had a better understanding of the breadth of the attack. Bell notified the Commissioner's office of the breach on May 10, and proceeded to notify all affected customers of the situation.

Eight months after the 2017 incident, in January 2018, Bell was again the target of a data breach, this time targeting 100,000 customer names and email addresses. In response, Bell notified the Privacy Commissioner and the Royal Canadian Mounted Police ("RCMP"), who launched an investigation into the attack.

Uber
In November 2017, ridesharing service Uber released a statement informing the public that in late 2016 "two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service." The breach compromised information such as driver's license numbers, email addresses, and phone numbers of users, and affected an estimated 57 million people, including 815,000 Canadian users.

Uber was alleged to have concealed the breach from both the public and the relevant authorities for over one year, and made the breach public only after being prompted by its legal team and a third-party forensic firm in Spring 2017. After the release of Uber's official statement regarding the breach in Spring 2017, Uber was met with criticism when it was revealed that the company had paid the individuals responsible for the breach "USD$100,000 to destroy the stolen information."

In response to the attack, Uber took immediate steps to contain the breach, identify the individuals responsible, and strengthen security measures to ensure its cloud-based storage was protected.

On February 28, 2018, the Privacy Commissioner of Alberta ruled that Uber must notify affected users located in Alberta, Canada, and imposed a 10-day deadline for doing so. Uber challenged the ruling in court, arguing that it had not notified Albertans because it did not view the breach as posing significant harm to users. At the time of the attack, Uber was not legally bound under Canadian privacy law (PIPEDA) to notify affected individuals; in November 2018 the privacy rules were amended to include a mandatory breach notification requirement.

In September 2018, Uber was fined US$148 million by a United States judge, who ruled that the company had been negligent in failing to report the breach to the proper authorities and had violated state data breach notification laws by intentionally concealing the attack. The settlement was reached with all 50 U.S. states and requires Uber "to adopt model data breach notification and data security practices and a corporate integrity program for employees to report unethical behavior." Uber is also required to retain the services of "an independent third party to assess its data security practices." This fine follows an early 2016 ruling which required Uber to pay a US$20,000 fine after waiting five months to notify affected individuals following a breach in 2014.

Facebook
In a blog post published on September 28, 2018, Facebook alerted users that it had detected a security breach affecting approximately 50 million people. According to Guy Rosen, Facebook's VP of Product Management, attackers exploited a vulnerability in one of Facebook's profile features which gave them access to private information. Rosen went on to inform users that Facebook had "fixed the vulnerability and informed law enforcement", and had reset the access tokens of 90 million users.

In an interview with reporters, Facebook CEO Mark Zuckerberg said the "attackers would have had the ability to view private messages or post on someone's account, but there's no sign that they did."

On April 4, 2018, Mark Zuckerberg issued a public apology after it was revealed that Facebook had shared millions of users' information with the political consulting firm Cambridge Analytica. Facebook "estimates 622,161 Canadians had their data improperly shared with Cambridge Analytica through apps", while more than 87 million users worldwide were affected. In a congressional hearing held by the United States House Energy and Commerce Committee, Zuckerberg told lawmakers that Facebook users' "likes", names, and other personal information had been shared with the political consulting firm.

Ashley Madison
On July 19, 2015, it was revealed that Toronto-based Avid Life Media, the parent company of dating site Ashley Madison, had had its databases compromised by the hacking group The Impact Team. The group claimed to have retrieved the personal and financial details of more than 37 million users, including "maps of internal company servers, employee network account information, company bank account data and salary information", all of which was published online on August 18, 2015.

The Impact Team justified releasing the stolen information, saying Ashley Madison lied to customers about a $19 service which claims to delete the profile information of users. According to The Impact Team, the information was released to prove that Ashley Madison did not truly delete user information.

In response to the attack, multiple local and international law enforcement agencies, including the Toronto Police Service, the FBI, the Department of Justice, the Royal Canadian Mounted Police, and the Ontario Provincial Police, began joint investigations into the breach. In 2016 Canada's privacy commissioner released a report, undertaken jointly by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner, which determined that "Avid Life Media broke multiple privacy laws in both countries." The report found that Ashley Madison was not providing the level of security and privacy it advertised to users, and had used fake security award badges to lure customers. Following this, Avid Life Media rebranded as Ruby Corp. and dropped the "Life is Short. Have an Affair" tagline.

In July 2017, Ruby Corp. reached a proposed settlement in a class action lawsuit filed against it in 2015, which alleged that Ashley Madison had not used adequate security measures to protect users' information. Ruby Corp. agreed to contribute US$11.2 million to a settlement fund intended to provide payments to individuals who submit valid claims as part of the lawsuit.

Air Canada
In August 2018, Air Canada confirmed that its mobile app had suffered a data breach between August 22 and 24 which left the information of as many as 20,000 customers exposed. In a notice published on its website, Air Canada advised some 1.7 million customers to reset their passwords and monitor their accounts for any unusual activity.

The data breach was isolated to the mobile app and involved customer names and contact information, and potentially NEXUS, passport, Known Traveller, and Aeroplan numbers. No financial information was retrieved.

The notice published by Air Canada also outlined the steps taken in response to the data breach. In addition to taking immediate action, the company said it had blocked access to the mobile app for all 1.7 million accounts until customers changed their passwords, and had contacted known affected customers in a timely manner.

Equifax
In July 2017, global credit reporting agency Equifax alerted customers to a cybersecurity breach affecting 147 million customers worldwide. In a statement released by Equifax Canada on September 7, 2017, the consumer credit reporting agency announced that it had been the target of a cyber attack affecting 19,670 Canadian consumers. In the statement, Equifax reported learning of the attack on July 29, 2017, and said it had taken immediate steps to contain the breach and conduct a forensic review. Canadian consumers had personal information compromised, including names, addresses, Social Insurance Numbers, and credit card details, as well as login credentials such as usernames, passwords, and secret questions and answers.

In response to the incident, Equifax offered Canadian customers 12 months of free credit monitoring and identity theft protection, and in 2018 extended this offer for a further 12 months. Several lawsuits were filed in response to the attack and are currently proceeding through both Canadian and international court systems.

Marriott
In an official statement published on November 30, 2018, global hotel chain Marriott announced a data breach affecting up to 500 million guests globally, after it was found that its Starwood guest reservation database had been compromised since 2014.

In the statement, Marriott revealed that it had been alerted to an unfamiliar request for access to the Starwood database on September 8, 2018, and had engaged security experts who then determined the extent of the attack.

According to Marriott, approximately 327 million guests had personal information accessed which included "some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences." Marriott said some guests may have also had credit card information compromised, though Marriott was unable to determine this as fact at the time of the statement.

In accordance with federal privacy regulation, Marriott began alerting relevant regulatory authorities and set up several avenues for guest support, including a dedicated website and call centre, email notification, and free one-year enrolment to WebWatcher, an internet monitoring site that alerts users to potentially unsafe websites.

The 2018 Marriott attack ranks as the second-largest data breach in corporate history, behind the Yahoo! incident of 2013, which affected some 3 billion customers.