Canada’s privacy commissioner received 681 reports of corporate data breaches in its last fiscal year, up six per cent over the previous 12-month period.
And again, the financial sector (including banks, trust companies, credit unions and mortgage brokers) accounted for the highest number — 27 per cent — followed by telecommunications providers (17 per cent), professional services firms (such as IT consulting and accounting firms, 14 per cent), firms in sales and retail (9 per cent) and insurance providers (7 per cent).
The numbers are included in the annual report of the Office of the Privacy Commissioner of Canada (OPC), which was filed in Parliament on Tuesday.
The report, by privacy commissioner Philippe Dufresne, covers the period Apr. 1, 2022 to Mar. 31 of this year. Federally-regulated companies and firms in provinces and territories that don’t have their own private-sector privacy law have to report data breaches to the OPC where there has been a breach of security controls that creates a real risk of significant harm to an individual.
Unauthorized access accounted for 66 per cent of all breach reports received (451). More than half of these, 278, were said to be cyberattacks initiated through malware, compromised credentials, or phishing schemes that allowed bad actors access to systems.
The financial and professional services sectors were the most frequently targeted, says the report. Breaches often involved sensitive personal information such as social insurance numbers, the report adds.
“With so many businesses active online,” the report adds, “our office suspects that many breaches go unreported – even undetected – particularly by small- and medium-sized enterprises, which represent nearly 90 per cent of the businesses in Canada.”
“The OPC advises organizations to make security a priority in order to guard against exposure to bad actors,” the report says. “Important security measures include enhancing protections for employee credentials, applying security patches as they become available, requiring two-factor or multi-factor authentication, and investing in cybersecurity to prevent unauthorized access.”
Another category of breaches was unauthorized disclosure, which can include misdirected correspondence, mishandling of data, or a data entry error. These accounted for 25 per cent of all reports received.
The annual report also notes Dufresne has asked Parliament to make 15 changes to the proposed new private-sector law (C-27, the Consumer Privacy Protection Act), including recognizing privacy as a fundamental right and better protecting children’s privacy and the best interests of the child. The act may face detailed analysis this fall by the House of Commons’ Industry Committee. No date for hearings has yet been set.
C-27 is actually a bundle of three proposed acts: The CPPA; the Personal Information and Data Protection Tribunal Act, which creates a tribunal to hear recommendations from the privacy commissioner to fine organizations for violating the CPPA; and the Artificial Intelligence and Data Act for regulating the use of AI.
The annual report also notes an OPC investigation into the security failures of Agronomy Company of Canada Ltd. unveiled in a 2020 ransomware attack by the REvil gang. The investigation report, released on July 31, points out that the company didn’t require employees to use multifactor authentication for logins, allowing the threat actor to access the IT system with stolen credentials; a lack of network segregation allowed the hacker to move around freely; data was copied because it wasn’t encrypted; and due to a lack of detection and response tools, the attacker was able to access the network, exfiltrate data and cover their tracks without being detected for approximately two months.
Agronomy owns the Agromart Group, a group of franchised companies that supply crop production inputs such as crop nutrients, crop protection products, and seed.
Agronomy had linked multiple Agromart systems together, the report says, although this was unnecessary. That allowed the hacker to use lateral movement to compromise and take over multiple IT systems. “It is a best practice to link only necessary workstations and systems together in a network to minimize the harm that can be caused by lateral movement,” says the OPC report. “Had the networks of various Agromart retailers been segregated, the impact of the breach may have been significantly diminished, as the threat actor would likely only have been able to assume control of one of the Agromart retailers’ systems.”
The personal information of 845 individuals who were customers of various Agromart members was stolen. When Agronomy refused to pay a ransom, the data was offered for auction on the dark web, then published in June 2020.
Agronomy has made a number of significant improvements to its overall security posture since the breach, the investigation report notes, including contracting third-party services for functions that its entirely new internal IT team may not have the capacity to maintain in-house.