More than 28 million Canadians’ privacy has been affected by 680 reported breaches in the past year – six times the previous year’s volume, says Canada’s privacy chief.
The data was revealed from mandatory breach reporting under the Personal Information Protection and Electronic Documents Act, the Office of the Privacy Commissioner of Canada said in a blog post.
The law applies to Canadian private-sector organizations that collect, use or disclose personal information in the course of a commercial activity. Under mandatory breach notification starting in November 2018, organizations must report breaches to the commissioner and those affected if they pose a real risk of significant harm to individuals.
“Since reporting became mandatory, we’ve seen the number of data breach reports skyrocket,” the blog said. “Some of those reports have involved well-known corporate names, but we have also seen significant volumes coming from small- and medium-sized businesses.”
The blog noted some breaches made headlines. Those include finance company Desjardins, where a breach affected 4.2 million people, and the Capital One Financial data breach, where six million Canadians’ personal information was compromised.
The commissioner said 58 per cent of breaches involved unauthorized access.
“We have seen a significant rise in reports of breaches affecting a small number of individuals – often just one and sometimes through a targeted, personalized attack,” the blog said. “This is the correct approach to reporting: there can be risk of significant harm even when only one person is affected by an incident.
“Employee snooping and social engineering hacks are key factors behind breaches resulting from unauthorized access. In fact, roughly one in four of the incidents reported to us involved social engineering attacks such as phishing and impersonation.”
And, the blog said, fraudsters and other bad actors are using increasingly sophisticated tactics to convince organizations’ employees that they are someone else. Such tactics employ psychological techniques, attempt multiple avenues to obtain personal information and use publicly available information and information disclosed in other privacy breaches.
Moreover, the blog said, more than 20% of reported data breaches involved accidental disclosure. “This would include situations where documents containing personal information are provided to the wrong individual (for example, because an incorrect email or postal address was used, or an email was sent without blind copying recipients) or are left behind accidentally,” the blog said.
Disclosure due to the loss of a computer, storage drive or actual paper files accounted for 12 per cent of the breach reports.
Breaches due to theft of documents, computers or computer components accounted for eight per cent of the reports.