A Calgary woman is accusing the city of compromising her safety after it sent some of her personal information to a complete stranger.
Kris Webber told Global News it all started when she challenged her property assessment at the start of the year. Webber felt the value assessed by the city far exceeded what her home was actually worth, so she sent in an appeal. The city’s tax department then sent her an email asking her to send more information, including photos of the inside and outside of her home.
Webber said she got all of the necessary information ready and hit “reply all” — not knowing one of the people on the email chain was not with the city, but just another resident.
“I got this very terse email from this gentleman saying, ‘I don’t know who you are. I don’t know why I’m included on this email,'” she said.
“My heart just stopped, and my stomach sunk.”
The unintended recipient went on to tell her to delete his email address and that “under the (Personal Information Protection Act ) I am sure the rules have been broken and someone should be fired.”
Webber said she understood none of her financial information had been compromised, but what had been leaked she said was even worse.
“Just the fact that he knows where I live now and he’s got the pictures of the inside of my house, the outside of my house,” she pointed out. “If he wanted to come over and do some malicious intent or something, he’s literally got an outline of what my house looks like.
“It is a big deal. I’m a single lady and the fact this other gentleman — this random Calgarian — has my information my address, it’s worrisome.”
Webber contacted the city several times to find out how it had happened. She said she was told it was “not normally heard of” and that they were “confident that he’s going to delete the email”.
Not content with those answers, Webber eventually called the city’s freedom of information and privacy office to investigate. She said she finally got an answer months later stating the privacy officer “can confirm that a privacy breach did occur” and that recommendations were sent to the city to ensure it didn’t happen again.
City of Calgary’s response
In a statement to Global News, the city’s Assessment Tax team said, “The City of Calgary Assessment & Tax acknowledges that a single privacy breach occurred on January 10, 2024, which compromised the personal information of one of our customers.
“We take privacy concerns seriously at The City. Upon learning of the breach, we took immediate action to rectify the error and worked to ensure that the unintended recipient of the personal information deleted it from their possession.”
The statement went on to say, “The City’s Access to Information and Corporate Privacy office launched a full review that determined the privacy breach was a one-off incident caused by human error and followed up with the customer. The City’s Assessment & Tax team has learned from this error and is implementing the recommendations.
“We sincerely apologize for this error and any harm it might have caused this individual.”
But Webber was not satisfied with the statement.
“It’s just astonishing that there’s not protocols already in place to prevent something like this from happening in the first place,” Webber said.
Cyber-security do’s and don’ts
University of Calgary cyber-security expert Ryan Henry told Global News these types of incidents are unfortunately “not at all unusual”.
“It’s usually a human issue,” he said. “There’s lots of humans involved and a lot of opportunities for people to make mistakes. Not everyone is always super trained in how to handle confidential information especially if that’s not a normal part of their job.”
Henry added there are ways for institutions and companies to better protect information including using encrypted email services.
He said while these services may be more inconvenient, they will often take the error out of “reply all” situations. He also suggested not using email in the first place when it comes to sensitive information and instead employ a website requiring individuals to log in and enter their own information.
As for the city’s response to this error which included asking the unintended recipient to delete all messages, Henry said that’s not always ideal.
“Most people are generally good people and won’t use this kind of information but that’s definitely not something you want to rely on for security and privacy.”
Webber said she is still waiting for “her” apology.
“An apology might be nice from the actual department that released my personal information to this gentleman,” she said.
Comments