It was recently reported that information on 144,000 Canadians was breached by 10 federal departments on almost 8,000 occasions in the past 2 years alone.
The Canada Revenue Agency (CRA) saw the most individuals affected, with 3,020 breaches involving 59,065 individuals. The CRA blames the breaches on misdirected mail, security incidents, and employee misconduct. “Two-thirds of the total individuals affected were as a result of three unfortunate but isolated incidents,” the publication quotes a CRA spokesperson as saying. Next was Health Canada, which was responsible for 122 breaches, affecting 23,894 individuals. According to CBC, the agency said in its “most serious” breach, a government employee mistakenly received an email containing personal information. That person immediately notified the appropriate officials at Health Canada and deleted the email, the report said. The Public Health Agency of Canada (PHAC) was responsible for seven breaches that affected 3,725 individuals; similarly, Environment was responsible for seven breaches, seeing 6,028 affected.
While massive breaches involving hundreds of millions of records grab headlines, it’s incredibly important to have transparency in these types of incidents as well. There are literally tens of thousands of smaller breaches in the report, and it’s difficult for anyone to work to prevent similar incidents in the future without knowing that they’re occurring now.
Thwarting malicious hackers and nation-state attackers is important, but there may also be ‘low-hanging fruit’ in preventing breaches from misconfigurations and human error
The report is a good example of how most data breaches are caused by human error and not by hackers overcoming cybersecurity measures. Even the most well-equipped organizations can do little to stop employees from accidentally emailing the wrong person.
Most reports on data breaches only cover incidents that reach a threshold of people affected, which only allows us to see big breaches of, say, 500 records or more. The CBC\’s report is interesting because it shows just how often smaller data incidents occur. 8,000 incidents in two years is more than 10 breaches per day!
These breaches should not be seen as failures, but incidents to learn from. The fact that so many are reported is either a failure on behalf of the agencies on proper data management, but far more likely this is the result of a matured incident reporting. Looking to just our own experience, even where legislation is in place demanding breach notifications, even government agencies struggle to do what is required of them. Last year our security analysts in their research found several breaches, where none of the reported breaches led to issued breach information to affected citizens, in one case the government agency responsible instead silently retired a system leaking the details of 250.000 citizens. So go Canada and lets all learn from this.
With more and more regulations coming into play and evolving, government agencies are not only facing cross-regulatory compliance challenges. Home-grown applications, legacy infrastructure and silos make it hard to implement robust security.
Unfortunately, there is no silver bullet for cyber security. We all know that. Looking at recent breaches and an ever increasing attack surface, classic perimeter defence is becoming more and more useless. While many employees are either apathetic or blissfully unaware about what can happen when they misuse internal systems, in fact they can put the whole organisation at stake.
It is hard for government agencies to find a balance between a) enabling employees to work as informed and freely as possible but b) doing so in an absolutely secure way – especially with legacy systems.
Keeping that in mind, the two most important things an organisation can do are to spread cybersecurity awareness and to use a zero trust approach to make sure that users only get access to sensitive data, when they have the permission. Protecting the data with data centric security that travels with your data and implementing strong identity and access management enables you to setup a zero trust environment.