Canada doesn’t figure large in the number of data breaches reported around the world in 2014, particularly compared to the 109 million records stolen from Home Depot in the U.S.
But a database of breaches publicly reported last year, released last week by security vendor Gemalto, shows there were more than most people realize: at least 57 incidents in which 276,789 records were taken from governments, banks and hospitals, according to the Breach Index. That could be considerably below the number actually stolen, because a number of organizations haven’t made public what was taken.
“This is probably under-representing the amount of breaches” in Canada, observed Avner Levin, director of Ryerson University’s Privacy and Cyber Crime Institute, in part because many organizations don’t have to report them. That will change when proposed mandatory reporting legislation for organizations covered under federal law is passed.
“Canadian organizations should not be complacent” about intrusions, Levin added, “and I don’t think the internal folk who are working on this are.”
But, he added, IT pros in organizations that don’t have to publicly report a breach may have a more difficult time talking about security with executives.
According to the index, the biggest known Canadian data loss in 2014 was 123,000 records lost in September by a Toronto-based marketing firm called The Email Company, which runs email campaigns for clients. In this case the compromised data was the email addresses of donors and supporters supplied by the Heart and Stroke Foundation of Canada.
Jane-Diane Fraser, the foundation’s communications manager, said in an interview that the breach occurred after the contractor mistakenly placed the list on an insecure server. The files were later removed and secured.
Other than names and email addresses no other personal information was on the list, she said.
In a message to those on the list, foundation CEO David Sculthorpe said “it’s important to be clear this incident did not occur as a result of a security breach, but rather human error on the part of the email company.”
Asked for comment, The Email Company CEO and co-founder Jeff Ginsberg said he’d have to get permission from the foundation before being interviewed.
A number of organizations haven’t made public what was taken, so the Breach Index database reports them as “unknown.” For example, the federal government hasn’t made known the number of records stolen in the highly-publicized National Research Council break-in. Nor has it released numbers for breaches at Transport Canada, Foreign Affairs and Employment and Social Development.
Some of the losses, like the NRC’s, are described as “existential data,” which Gemalto says means either intellectual property or classified information.
However, the number of records lost in breaches at other departments, such as the Privacy Commissioner, Veterans Affairs, Canada Revenue and Citizenship and Immigration, is listed.
Two police departments are on the Breach Index list. The number of records lost by the Edmonton Police Service in what is described as an accidental loss is unknown; nor is the number of records lost by Ottawa police in what is described as an attack by a hacktivist.
The database also reveals that two financial institutions were hit last year: the Bank of Nova Scotia, which saw 643 records compromised by an insider, and the Bank of Montreal, which suffered a breach with an unknown number of records lost. The latter is described as an accidental loss involving account access.
According to the Breach Index, Bell Canada was hit twice on different dates by what is described as malicious outsiders who got account access for over 44,000 records. But in an email a Bell spokesperson said it was actually one breach, and not of its systems but of a third-party supplier’s information technology system. In June the RCMP said it had charged a young offender in connection with hacking 22,421 user names and passwords and five valid credit card numbers of Bell Canada’s small business customers.
(UPDATE: The original version of this story said a consulting firm was the third largest victim according to the Breach Index. That firm now says the index is wrong and its Canadian division didn’t experience such a breach. Gemalto has since removed its name from the index.)
Not all of the breaches identify the victim organization; instead they list a category. Those unnamed include an Internet provider (number of records unknown), a service provider (300 records), a Winnipeg retailer (1,300 records), a restaurant and a gas station.
These were among the 1,500 data breaches publicly reported around the world in 2014, says the index, with a total of 1 billion records exposed.