Thought leadership. threat analysis, news and alerts.
Data Breach Reports Skyrocket After Implementation of Canada’s Privacy Law
The recent report from the Office of the Privacy Commissioner of Canada showed that data breach reports in Canada skyrocketed after the implementation of the mandatory data breach reporting required under the country’s privacy law.
Mandatory Data Breach Reporting
On November 1, 2018, organizations across Canada became subject to the mandatory data breach reporting under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Prior to the mandatory data breach reporting, data breach reporting was done on a voluntary basis.
Organizations subject to PIPEDA are required to report to the Office of the Privacy Commissioner of Canada any data breaches that pose a real risk of significant harm to an individual or individuals. The law also requires that the affected individual or individuals should be notified and records of all data breaches should be kept within the organization.
The Numbers After One Year of Implementation
Last November 1st, one year after the implementation of the mandatory data breach reporting, the Office of the Privacy Commissioner of Canada reported that breach reporting “skyrocket”, increasing six times the volume that the office had received during the same period one year earlier. According to the Office of the Privacy Commissioner of Canada, from November 1, 2018 to October 31, 2019, a total of 680 breaches were reported to the office, affecting over 28 million Canadians.
The Office of the Privacy Commissioner of Canada said that while some of those reports involved well-known corporate names, a significant volume came from small and medium-sized businesses.
Fifty-eight percent or 397 of the reported breaches, which made up the majority of reported breaches, involved unauthorized access, the Office of the Privacy Commissioner of Canada said. Key factors behind breaches resulting from unauthorized access were social engineering hacks and malicious insiders.
According to the Office of the Privacy Commissioner of Canada, more than one in five or 147 data breaches reported over the past year involved accidental disclosure, which includes sending critical information to the wrong person as a result of incorrect email or postal address or accidental exposure.
The Office said roughly one in four of the reported breaches involved social engineering attacks such as phishing and impersonation. In phishing attacks, attackers send malicious emails containing malicious links or attachments. Once this malicious link or attachment is clicked, it installs malicious software (malware) on the email receiver’s computer.
In impersonation, the tactic used in business email compromise (BEC) scams, fraudsters convince employees at an organization that they are someone. In a BEC scam, a fraudster impersonates via a spoofed email, for instance, a CEO and convinces an employee of an organization to release a certain amount to a bank account controlled by the fraudster.
According to the Office of the Privacy Commissioner of Canada, it observed a growing impersonation scam in the telecommunications industry. In the tactic known as SIM swap, an impersonator convinces a customer service representative of a telecommunication company into believing that he or she is an account holder. Successfully convincing a customer service representative, enables the impersonator to make changes to the account, including the change of a phone number to be assigned to a new SIM card controlled by the impersonator, allowing the impersonator to access other accounts.
In related information, the U.S. Federal Bureau of Investigation (FBI) recently issued an alert to its partner organizations warning them about SIM swap. According to the FBI, between 2018 and 2019, SIM swap is the most common tactic used by malicious actors in bypassing the two-factor authentication (2FA), which resulted in draining the bank accounts of the victims and passwords and PINs changed.
Notable Reported Breaches
The reported breaches at the financial cooperative Desjardins and financial holding company Capital One are two of the notable breaches over the past year as these two breaches affected millions of Canadians. The Desjardins data breach, which was initially announced in June 2019, affected 4.2 million Canadians; while the Capital One data breach, which was initially announced in July 2019, affected 6 million Canadians.
Desjardins attributed the data breach to one suspect, a former employee; while Capital One attributed the data breach to a “specific configuration vulnerability” in its public cloud infrastructure – a vulnerability that was exploited by one suspect, a former employee of the public cloud infrastructure, the Amazon Web Services (AWS).
Amazon, for its part, said in a statement, “AWS was not compromised in any way and functioned as designed.” The company added that the Capital One data breach, which also affected 100 million individuals in the United States, wasn’t a result of a vulnerability in the cloud server itself, but by a misconfiguration of firewall settings on a web application, managed on the cloud server by Capital One.
Preventive and Mitigating Measures Against Data Breaches
The Office of the Privacy Commissioner of Canada offers the following cyber security measures in order to prevent or mitigate the effects of a data breach:
NASA Data Breach May Have Put Personnel Information at Risk
In December 2018, news broke of a data breachat NASA. This is just one of the many cybersecurity issues to strike large organizations and businesses in recent months, including Facebook, Marriott and more.
It’s believed the attack may have compromised personnel data, potentially making Social Security numbers vulnerable. The breach was first discovered in October, in servers containing personally-identifiable details of NASA staff, though it was kept from staff for nearly two months.
Obviously, this is a major problem that no doubt inspired dread in anyone who believed they may have been affected. Sadly, it’s an ongoing risk when hackers continue to utilize ever-more sophisticated techniques to bring networks down or simply steal valuable information.
At the time of writing, the extent of the breach was still unknown but was assumed to affect both current and former NASA personnel (including those connected to NASA as far back as 2006).
However, such a breach may not be a surprise to anyone following NASA closely, as its cybersecurity has been flagged for its flaws in the past. Its Office of Inspector General had indicated there were problems with NASA’s entire IT management and security processes overall — something that no company of any size can afford to overlook.
The Importance of Effective Cybersecurity
For something as vast and well-known as NASA, cutting-edge security is essential to both defend against and deter potential attacks. Not only is the data of personnel under threat, but NASA is involved in a large number of important projects, and any interference, delays or disruptions could have significant repercussions.
An audit conducted at NASA’s Security Operations Center (based in California) revealed that it was underperforming in multiple ways. A reportfrom the Office of Inspector General concluded that the Security Operations Center had ‘fallen short’ of its purpose: to act as the driving force behind NASA’s cybersecurity efforts.
Lapses in management can affect cybersecurity in every company: a proper structure must be established to address potential risks, ways to manage attacks when they happen and strategies for handling the aftermath.
The NASA breach demonstrates that even technological powerhouses, responsible for some of the most mind-bending feats in history, may still fall prey to cyber-attacks.
Common Cybersecurity Pitfalls
It’s vital that your business or organization takes steps to avoid common pitfalls that essentially open the door for hackers to step into your network and help themselves to almost anything they like. What are these dangers and how do you address them?
A lack of education
Sadly, human error is one of the biggest culprits in cybersecurity flaws. While we might all like to believe we’re smart enough to stay safe online, it’s easy to make small mistakes with big consequences.
Weak passwords increase a business’s risk of attack, and all employees should be made aware of this. Likewise, sharing sensitive data with others and falling for common phishing scams can all reduce your company’s security.
This is why comprehensive education is so essential today. Even if you have intelligent staff who know their way around all of your tools and software, they could still make one tiny error that brings your entire network down.
Data breaches can chase existing and prospective customers away to competitors offering greater stability. Research shows consumers expect companies to keep their details safe, and 70 percent would walk awayfrom a brand if their finances were affected by a data breach the business should have prevented.
Undertake expert training for all staff, at every level, to minimize cybersecurity dangers. When your employees know how to create strong passwords, keep sensitive data private and spot phishing risks, you can offer customers a higher standard of protection against threats.
Depending on outdated security
Don’t leave your security software outdated — make sure you always update to the latest version and take full advantage of the defenses it offers.
While it can be easy to assume any form of firewalls and other programs designed to keep you safe will repel attacks, that’s not the case. Cybercriminals are well-versed in tiny flaws and know how to exploit them to gain access to systems, no matter how minor such gaps may seem.
If you know your security is weaker than it should be and hackers could find an obvious way into your network, take steps to address it immediately. You can’t depend on outdated software to stop the most up-to-date attacks.
Physical security oversights
Not only is effective cybersecurity fundamental to protect your employees’ and customers’ data, but physical security is just as important.
Your business site must be equipped with the best protection you can afford. Surveillance cameras, alarms, sensors, smart locks — utilize anything and everything available to keep your workplace safe from unwanted visitors.
Why? Because apart from the obvious problems related to theft, any laptops, USB sticks, hard drives or devices stolen from your office could all contain invaluable data. Thieves may either use this themselves or sell it on to cybercriminals set to target your personnel or clients.
Certain members of staff could seize an opportunity to steal sensitive data from your system and pass it on to others.
This may be for profit or out of a malicious aim to disrupt your operations, perhaps if they feel they have been mistreated or are due to leave the company. Whatever the circumstances, anyone with access to important information could cause major problems for your business if left unchecked.
While such individuals can cover their tracks and avoid suspicion for a long time, make sure you stay vigilant. Encourage employees to be aware of potential risks posed by colleagues and understand how important it is to report any suspicions they have.
Looking to learn more about how effective cybersecurity can protect your business from hackers in 2019? Want to work with a team of cybersecurity experts with the tools, training and techniques to help your company’s system stay secure?
Just reach out and get in touch!
Gov’t of Canada Moves Closer to Implementing Mandatory Data Breach Reporting by Publishing the Proposed “Breach of Security Safeguards Regulations”
The Government of Canada published last Sept. 2 the proposed “Breach of Security Safeguards Regulations” in the Canada Gazette. The official publication signals the approaching implementation of the mandatory data breach reporting under Canada’s Digital Privacy Act.
The Digital Privacy Act, a law that amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), was passed by the Canadian Parliament on June 18, 2015. While it has been over two years since the passage of the Act, the law is still not in force in the absence of “Regulations” that lays out the specific details of the law.
Digital Privacy Act
Under the Digital Privacy Act, every Canadian organization is required to do the following in case of a data breach:
Proposed Breach of Security Safeguards Regulations
The proposed Breach of Security Safeguards Regulations specifically laid out the specific steps on how to notify the Privacy Commissioner, the affected individuals and the particulars of maintaining a record of the data breach.
Under the proposed Breach of Security Safeguards Regulations, an organization affected by the data breach must notify the Privacy Commissioner in writing and provide the following details:
The proposed Breach of Security Safeguards Regulations also requires an organization to inform the affected individuals directly via by email, letter, telephone or in person. Indirect notice via a message posted on the organization’s website for at least 90 days or advertisement that’s likely to reach the affected individuals is an option under the proposed Breach of Security Safeguards Regulations in the following circumstances:
Under the proposal, notice to individuals – whether direct or indirect notice –must contain the following information:
The proposed Breach of Security Safeguards Regulations further requires an organization to maintain a record of every data breach for a period of 24 months. Under the proposed Regulations, it isn’t clear when it will come into effect. Both the Digital Privacy Act and Breach of Security Safeguards Regulations will, however, take effect on the same day.
Interested persons have until October 2, 2017 to give feedback regarding the proposed Regulations.
Benefits of Mandatory Data Breach Reporting and Mandatory Data Breach Record-Keeping
The enforcements of the Digital Privacy Act and Breach of Security Safeguards Regulations or the mandatory data breach reporting and mandatory data breach record-keeping are expected to bring about the following benefits:
1. Prevent Identity Fraud
Mandatory data breach reporting is expected to “contribute positively to the privacy and security of individuals” according to Charles Taillefer, Director for Innovation, Science and Economic Development Canada. He said, “Mandatory breach reporting allows individuals who are affected by a breach to take immediate action to protect themselves against further compromise that may lead to fraud, identity theft, humiliation, loss of employment or other forms of significant harm.”
Based on the 2015 Identity Fraud Study conducted by Javelin Strategy and Research, two-thirds of individuals who were impacted by a data breach become victims of identity theft or fraud. The research group defines identity fraud as the “unauthorized use of another person’s personal information to achieve illicit financial gain”. Examples of identity fraud include using a stolen payment card account to opening new accounts, making a fraudulent purchase or to taking control of existing accounts.
2. Help Organizations Improve Data Security
According to the Global Internet Report 2016 (PDF) by the Internet Society, mandatory data breach reporting increases transparency about data breaches – what are likely targets, what data is taken, how the breaches are carried out, what cyber security works and what doesn’t.
“Sharing information responsibly has a number of benefits – it could help organisations globally improve their data security, help policymakers improve policies and regulators pursue attackers, and help the data security industry produce better solutions,” Internet Society said. “All this can help protect the data ecosystem as a whole.”
3. Motivate Organizations to Track and Analyze Data Breaches
According to the Director for Innovation, Science and Economic Development Canada, the requirement to maintain a record for every data breach for the period of two years will “incentivize organizations to track and analyze the impact of all data security incidents”.
According to EY’s 19th Global Information Security Survey (PDF), 62% of organizations wouldn’t increase their cyber security spending after experiencing a breach that didn’t appear to do any harm.
“Cyber criminals often make ‘test attacks,’ lie dormant after a breach, or use a breach as a diversionary tactic to throw organizations off the trail of what they are really up to,” EY said. “Organizations should assume that harm has been done every time there is an attack, and if they have not found it, they should consider that they have not found it yet.”
Steve E. Driz, I.S.P., ITCP