
Privacy of 28 million Canadians breached in past year

More than 28 million Canadians’ privacy has been affected by 680 reported breaches in the past year — six times the previous year’s volume, says Canada’s privacy chief.

The data comes from mandatory breach reporting under the Personal Information Protection and Electronic Documents Act, the Office of the Privacy Commissioner of Canada said in a blog post.

The law applies to Canadian private-sector organizations that collect, use or disclose personal information in the course of a commercial activity. Under mandatory breach notification starting in November 2018, organizations must report breaches to the commissioner and those affected if they pose a real risk of significant harm to individuals.

“Since reporting became mandatory, we’ve seen the number of data breach reports skyrocket,” the blog said. “Some of those reports have involved well-known corporate names, but we have also seen significant volumes coming from small- and medium-sized businesses.”

The blog noted some breaches made headlines. Those include finance company Desjardins, where a breach affected 4.2 million people, and the Capital One Financial data breach, where six million Canadians’ personal information was compromised.

The commissioner said 58 per cent of breaches involved unauthorized access.

“We have seen a significant rise in reports of breaches affecting a small number of individuals — often just one and sometimes through a targeted, personalized attack,” the blog said. “This is the correct approach to reporting: there can be risk of significant harm even when only one person is affected by an incident.

“Employee snooping and social engineering hacks are key factors behind breaches resulting from unauthorized access. In fact, roughly one in four of the incidents reported to us involved social engineering attacks such as phishing and impersonation.”

And, the blog said, fraudsters and other bad actors are using increasingly sophisticated tactics to convince organizations’ employees that they are someone else. Such tactics employ psychological techniques, attempt multiple avenues to obtain personal information and use publicly available information and information disclosed in other privacy breaches.

Moreover, the blog said, more than 20% of reported data breaches involved accidental disclosure. “This would include situations where documents containing personal information are provided to the wrong individual (for example, because an incorrect email or postal address was used, or an email was sent without blind copying recipients) or are left behind accidentally,” the blog said.

Disclosure due to the loss of a computer, storage drive or actual paper files accounted for 12 per cent of the breach reports.

Breaches due to theft of documents, computers or computer components accounted for eight per cent of the reports.

Employee snooping and social engineering hacks are the key factors behind breaches resulting from unauthorized access.