Many organizations have no shortage of rules to protect the personal data they collect. But, says an official of the Office of the Privacy Commissioner of Canada (OPC), rules are nothing if they aren’t enforced.
“With respect to breaches and cybersecurity risks out there, you can’t just set it and forget it,” deputy privacy commissioner Brent Homan said in an interview for Data Privacy Day, which is observed around the world on Jan. 28. “You’ve got to keep your eyes on the ball.”
Homan said that after looking at all the breaches the OPC has investigated over the past few years — including WADA (the World Anti-Doping Agency), Equifax, Ashley Madison and Desjardins — there are some common themes that are major takeaways for organizations.
“Often we will see the right policies or policies that look correct. We see that organizations have tools and processes and monitoring approaches that should do the job. But the question is are they fully implemented and basically followed? I think that often what looks good on paper, if not followed through, will lead to a lot of breaches.”
Equifax breach lesson
“With Equifax, the infiltrators were cruising around its system for more than 70 days undetected using a well-known vulnerability [in the Apache Struts web framework], and they had a limited vulnerability tool that failed to detect that vulnerability remained after patches were applied manually,” said Homan.
He added that it’s crucial that companies maintain the right policies and the right procedures. But they also have to actually use them in the face of potential threats.
Desjardins breach lessons
The 2019 theft by an employee of the Desjardins credit union of data on 9.7 million accounts happened because the organization focused mainly on external threats, Homan said. One problem was that staff trusted each other, which allowed the rogue employee to break the rules. “In addition to trust you have to verify … That was one of the big lessons, and one that companies should consider: Don’t just look outwards for threats, but consider internal threats as well.”
The Desjardins breach also showed the need for a robust data retention policy that includes destroying data once it is no longer needed. Among the data stolen from the financial institution was personal information on thousands of inactive accounts.
“We see this coming up over and over again,” Homan said. Getting rid of unneeded data is “a very simple way” to reduce damage from data theft. “You can’t lose what you no longer have.”
WADA breach lessons
This 2016 breach at the Montreal headquarters of the anti-doping agency saw athletes’ personal information disclosed following a spear-phishing attack that used messages appearing to come from WADA’s chief technology officer. WADA attributed the attack to the Russia-based threat group known as Fancy Bear.
This incident showed the threat from state-sponsored groups to certain organizations, Homan said. “It showed that you should not only have security safeguards that are commensurate to the sensitivity of the information [held] but you should also have safeguards that recognize the extent to which you present a high-value target.”
Ashley Madison breach lessons
This 2015 breach of the Toronto-based dating site saw the theft of personal information from 36 million user accounts.
A big factor, Homan said, was inadequate identity and access management, including the lack of two-factor authentication on administrative accounts. That meant anyone who somehow obtained a staff member’s username and password could use them to get in. Another issue was poor encryption key management. “Encryption isn’t as helpful if passwords and the keys are under the doormat. You want to make sure you take care of all the hygiene in your security infrastructure.”
He also noted that WADA used encryption to protect data in transit, but not for data at rest.
Cadillac Fairview image collection
Last year the privacy commissioner’s office found the mall owner had collected images of 5 million shoppers without their consent using a video analytics tool. In addition, while the company believed the images were deleted after being analyzed, the investigation found that numeric representations of the images had been uploaded to a decommissioned website belonging to a third party. Lesson: Know where all your data is, including data shared with partners — and their partners.
Data protection “starts with accountability,” Homan concluded. “The absence of a robust security framework and governance structure has been common in quite a few breaches. That’s where everything starts. With accountability, it’s also important that the [data privacy and security] message is not aimed at just the security level. It comes down from the head of the organization. If staff know this is a priority for the C-level officers then they will give it the attention it deserves.
“Second, awareness training for all is critical, even with the best physical and technological safeguards.”