Expert Comments

Report Shows Personal Info On 144K Canadians Breached By Federal Entities: Expert Comments

Expert(s): Security Experts
Expert(s): Security Experts

It was recently reported that information on 144,000 Canadians was breached by 10 federal departments on almost 8,000 occasions in the past 2 years alone.

The Canada Revenue Agency (CRA) saw the most individuals affected, with 3,020 breaches involving 59,065 individuals. The CRA blames the breaches on misdirected mail, security incidents, and employee misconduct. “Two-thirds of the total individuals affected were as a result of three unfortunate but isolated incidents,” the publication quotes a CRA spokesperson as saying. Next was Health Canada, which was responsible for 122 breaches, affecting 23,894 individuals. According to CBC, the agency said in its “most serious” breach, a government employee mistakenly received an email containing personal information. That person immediately notified the appropriate officials at Health Canada and deleted the email, the report said. The Public Health Agency of Canada (PHAC) was responsible for seven breaches that affected 3,725 individuals; similarly, Environment was responsible for seven breaches, seeing 6,028 affected.

Experts Comments

Dot Your Expert Comments
Tim Erlin
February 18, 2020
VP of Product Management and Strategy
Tripwire

There are literally tens of thousands of smaller breaches in the report, and it’s difficult for anyone to work to prevent similar incidents.
While massive breaches involving hundreds of millions of records grab headlines, it’s incredibly important to have transparency in these types of incidents as well. There are literally tens of thousands of smaller breaches in the report, and it’s difficult for anyone to work to prevent similar incidents in the future without knowing that they’re occurring now. Thwarting malicious hackers and nation-state attackers is important, but there may also be ‘low-hanging fruit’ in preventing .....Read More
While massive breaches involving hundreds of millions of records grab headlines, it’s incredibly important to have transparency in these types of incidents as well. There are literally tens of thousands of smaller breaches in the report, and it’s difficult for anyone to work to prevent similar incidents in the future without knowing that they’re occurring now. Thwarting malicious hackers and nation-state attackers is important, but there may also be ‘low-hanging fruit’ in preventing breaches from misconfigurations and human error  Read Less
Paul Bischoff
February 18, 2020
Privacy Advocate
Comparitech

Even the most well-equipped organizations can do little to stop employees from accidentally emailing the wrong person.
The report is a good example of how most data breaches are caused by human error and not by hackers overcoming cybersecurity measures. Even the most well-equipped organizations can do little to stop employees from accidentally emailing the wrong person. Most reports on data breaches only cover incidents that reach a threshold of people affected, which only allows us to see big breaches of, say, 500 records or more. The CBC's report is interesting because it shows just how often smaller data.....Read More
The report is a good example of how most data breaches are caused by human error and not by hackers overcoming cybersecurity measures. Even the most well-equipped organizations can do little to stop employees from accidentally emailing the wrong person. Most reports on data breaches only cover incidents that reach a threshold of people affected, which only allows us to see big breaches of, say, 500 records or more. The CBC's report is interesting because it shows just how often smaller data incidents occur. 8,000 incidents in two years is more than 10 breaches per day!  Read Less
Martin Jartelius
February 17, 2020
CSO
Outpost24

These breaches should not be seen as failures, but incidents to learn from.
These breaches should not be seen as failures, but incidents to learn from. The fact that so many are reported is either a failure on behalf of the agencies on proper data management, but far more likely this is the result of a matured incident reporting. Looking to just our own experience, even where legislation is in place demanding breach notifications, even government agencies struggle to do what is required of them. Last year our security analysts in their research found several breaches,.....Read More
These breaches should not be seen as failures, but incidents to learn from. The fact that so many are reported is either a failure on behalf of the agencies on proper data management, but far more likely this is the result of a matured incident reporting. Looking to just our own experience, even where legislation is in place demanding breach notifications, even government agencies struggle to do what is required of them. Last year our security analysts in their research found several breaches, where none of the reported breaches led to issued breach information to affected citizens, in one case the government agency responsible instead silently retired a system leaking the details of 250.000 citizens. So go Canada and lets all learn from this.  Read Less
Felix Rosbach
February 17, 2020
Product Manager
comforte AG

Unfortunately, there is no silver bullet for cyber security.
With more and more regulations coming into play and evolving, government agencies are not only facing cross-regulatory compliance challenges. Home-grown applications, legacy infrastructure and silos make it hard to implement robust security. Unfortunately, there is no silver bullet for cyber security. We all know that. Looking at recent breaches and an ever increasing attack surface, classic perimeter defence is becoming more and more useless. While many employees are either apathetic or.....Read More
With more and more regulations coming into play and evolving, government agencies are not only facing cross-regulatory compliance challenges. Home-grown applications, legacy infrastructure and silos make it hard to implement robust security. Unfortunately, there is no silver bullet for cyber security. We all know that. Looking at recent breaches and an ever increasing attack surface, classic perimeter defence is becoming more and more useless. While many employees are either apathetic or blissfully unaware about what can happen when they misuse internal systems, in fact they can put the whole organisation at stake. It is hard for government agencies to find a balance between a) enabling employees to work as informed and freely as possible but b) doing so in an absolutely secure way – especially with legacy systems. Keeping that in mind, the two most important things an organisation can do are to spread cybersecurity awareness and to use a zero trust approach to make sure that users only get access to sensitive data, when they have the permission. Protecting the data with data centric security that travels with your data and implementing strong identity and access management enables you to setup a zero trust environment.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

$2bn Startup Glovo Falls Victim To Cyberattack

Vulnerabilities Found In Wifi-routers

Experts Reaction On REvil/Sodin Behind UnitingCare Breach

Experts On IOS 0-Days Vulnerabilities Discovered

Uni Research Finds That Fertility Apps Collecting And Sharing Sensitive...

44% of Orgs. Report Breaches Due to 3rd Parties, 74%...

92% Of Organisations Who Pay Ransoms Don’t Get All Their...

Experts Comments on World Password Day

Expert Insights On Ransomware Task Force Report

Expert Commentary – Ofcom Warn People Not to Trust Caller...