One year after Canadian businesses became subject to mandatory data breach reporting, the country’s federal privacy watchdog says reports of breaches have dramatically increased, with its figures suggesting more than 28 million Canadians have been affected by a data breach in the past year.
“Since reporting became mandatory, we’ve seen the number of data breach reports skyrocket,” the Office of the Privacy Commissioner of Canada (OPC) said in a blog post on Thursday.
“Some of those reports have involved well-known corporate names, but we have also seen significant volumes coming from small- and medium-sized businesses.”
The OPC is an arm’s-length parliamentary body that enforces Canada’s Privacy Act and the country’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Last November, the rules changed so that reporting data breaches was no longer voluntary for organizations subject to PIPEDA.
As of Nov. 1, 2018, Canadian businesses are required to inform customers as well as the OPC if there are ever “any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals.”
The penalty for knowingly failing to report a breach or notify affected individuals is a fine of up to $100,000 per violation, if the Canadian government pursues prosecution of a case.
A year later, the OPC says it has received 680 data breach reports between Nov. 1, 2018 and Oct. 31, 2019 — “six times the volume we had received during the same period one year earlier.”
“It’s a staggering increase and higher than we had anticipated,” the OPC said.
“Those 680 reports indicated that the total number of people affected by those breaches was over 28 million,” said OPC spokesperson Valerie Lawton in an email to Global News.
As of July 2019, the population of Canada was around 37.5 million, according to Statistics Canada.
The OPC noted that the figures cited in its blog post include the breaches reported by Desjardins and by Capital One, the latter of which past reports indicate affected about six million people in Canada and 100 million in the United States.
On Friday, a day after the publication of the OPC blog post, Desjardins said that the scope of its breach was larger than previously known, affecting 4.2 million clients.
The OPC said that almost six in 10 reported breaches (58 per cent) — or 397 reports — were related to unauthorized access.
The agency identified “employee snooping” and “social engineering hacks” as key factors behind such breaches, with around 25 per cent of these types of reports involving phishing and impersonation.
Accidental disclosure of documents or information was involved in 147 reported breaches, or almost 22 per cent of all reports in the past year.
The OPC wrote that this includes incidents where documents with personal data were mailed or emailed to the wrong person, or “left behind accidentally.”
About one in 10 of the breaches (12 per cent, or 82) involved potential information disclosure through the loss of a “computer, storage drive or actual paper files.”
And eight per cent of the reports (54) were related to stolen documents or computers that then led to a data breach.
The OPC also saw a “significant rise” in breaches that affect a small number of people — often only one person and “sometimes through a targeted, personalized attack.”
— With files from The Canadian Press and Global News’ Kalina Laframboise