More Than 28 Million Canadians Affected
According to the Office of the Privacy Commissioner of Canada (OPC), the personal information of about 28 million Canadians has been affected by corporate hacks or mismanagement in the last 12 months. The estimate was issued last week after analyzing the first full year of data provided by private sector firms that had to report security breaches. Until new regulations under the Personal Information Protection and Privacy Act (PIPEDA) came into force on November 1, 2018, companies reported violations to the OPC only voluntarily.
The OPC's estimate is currently about 2 million short. On Friday, the day after the assessment was released, Desjardins said data on all 4.2 million of its credit union customers were affected in the data breach it suffered in June. At first, it had said that only 2.7 million people were affected. The OPC collected 680 violation reports in those first 12 months, which concluded on October 31; that is six times the number it obtained from voluntary reporting. The reported incidents break down as follows: 397 (58%) of the 680 incidents were due to "unauthorized access" (data breaches and employee snooping), 147 were due to "accidental disclosure" (including information sent by BCC to the wrong email address, or to multiple people instead of just one person), 54 were due to theft, and 82 were due to "loss" (probably including losses of laptops, USB devices, and hard drives).
The new legislation requires businesses that fall under PIPEDA to disclose to the OPC and to victims any security breaches that involve personal information and pose a real risk of significant harm to persons (shortened to RRoSH by privacy pros). They also need to keep a record of every security breach, whether or not it hits the RRoSH threshold.
Small Businesses Need More Security
"Many small businesses think they're safe if they have a firewall and antivirus software, but that's not the case," said Michael Ball, Performance Advantage CISO. Furthermore, a Statistics Canada survey shows that 10% of firms say they have no security at all. Most small businesses do not have enough security in place to protect against potentially devastating cyber-attacks. Twenty-one percent of Canadian companies say that cyber-security issues have impacted them. Most of the companies were hacked, Ball said. "We just don't know it yet." Small businesses are increasingly being targeted as a path to larger businesses through the supply chain.
Small and medium-sized enterprises must practice good cyber routines, as Michael Ball says, "all of the time." They must be proactive in security measures, including password management, multi-factor authentication, patching, monitoring, intrusion detection and backup. There must be continuous monitoring. "You have to understand what's going on day in and day out inside the network," Ball said. Monitoring allows companies to identify, contain, analyze, remedy and report threats.
For small and medium-sized businesses, a managed detection and response (MDR) service is a good option. It is a subscription-based service offered by experts who work with companies to identify key vulnerabilities and put in place best-of-breed monitoring tools. "Once you know the networks are secure and any security issues will be handled and resolved, you can rest easy." Commercial products can be implemented, with the necessary defenses of 24/7 support, but the price for small businesses is often too steep.
Below are other notable, global cyber-security breaches for November:
| Name of the Organization | Type of Exploitation | Type of Company | Location |
|---|---|---|---|
| 7-Eleven | Accidental Data Exposure | Convenience Store and Gas Station Chain | Australia |
| Boardrider | Ransomware | Action Sports Retailer | United States |
| Brooklyn Hospital Center | Ransomware | Full-Service Community Teaching Hospital | United States |
| City of San Marcos | Cyber-Attack | Local Government Municipality | United States |
| Datrix | Phishing Attack | Network Services and Cloud Solutions Provider | United Kingdom |
| DeBella's Subs | Malware Attack | Rochester-Based Restaurant Chain | United States |
| Disney+ | Compromised User Accounts | Media Streaming Service | New Zealand |
| Everis | Ransomware | Managed Service Provider | Spain |
| Exchange for Change | Accidental Data Sharing | Coordinator of Litter Reduction Program | Australia |
| Florida Blue | Phishing Attack | Health Insurance Provider | United States |
| Great Plains Health | Ransomware | Local Hospital | United States |
| InterMed | Compromised Email Account | Maine-Based Physician Group | United States |
| James Fisher and Sons PLC | Unauthorized Database Access | Marine Services Provider | United Kingdom |
| Lending Crowd | Unauthorized Database Access | Online Peer-to-Peer Lending Company | United Kingdom |
| Liver Wellness | Phishing Attack | Medical Testing Company | Ireland |
| Ma | Ransomware | Facility Services Retailer | United States |
| Magellan Rx Management | Phishing Attack | Full Service Pharmacy | United States |
| Monash IVF | Compromised Email Server | IVF Clinic and Fertility Program | Australia |
| Ontario Science Center | Credential Stuffing Attack | Antivirus Software Provider | Canada |
| PayMyTab | Accidental Data Exposure | Hospitality Payment Platform | United States |
| Perth | Compromised Email Account | Capital of Western Australia | Australia |
| Pipestone Kin-Ability Centre | Unauthorized Network Access | Non-Profit Serving Adults with Mental and Physical Disabilities | Canada |
| Prosegur | Ransomware | Cash Logistics and Private Security Company | Spain |
| Rouen University Hospital | Ransomware | Full-Service Medical Facility | France |
| Select Health Network | Unauthorized Email Account Access | Indiana-Based Collection of Healthcare Providers | United States |
| Sixth June | Malware Attack | Online Fashion Store | France |
| SmartASP.NET | Ransomware | Web Hosting Platform | United States |
| Solara Medical Supplies | Compromised Email Account | Supplier of Diabetes-Related Treatment Products | United States |
| Sport Australia | Compromised Email Account | Government Agency Aiming in Support and Investment for Athletics | Australia |
| sPower | Cyber-Attack | Renewable Energy Provider | United States |
| Starling Physicians | Phishing Attack | Connecticut-Based Healthcare Group | United States |
| TD Canada Trust | Unauthorized Account Access | Financial Services Provider | Canada |
| UniCredit | Exposed Database | Banking and Financial Services Company | Italy |
| University of Hertfordshire | Accidental Data Exposure | UK-Based Academic Institution | United Kingdom |
| Utah Valley Eye Clinic | Unauthorized Database Access | Utah-Based Eye Clinic | United States |
| Vistaprint | Exposed Database | Small Business Marketing Product Provider | Netherlands |
| Waterloo Brewing Company | Phishing Attack | Ontario-Based Brewing Company | Canada |
| Waterloo Catholic District | Ransomware | Local Academic Institution | Canada |
| Web.com | Unauthorized Database Access | Domain Name Registration and Web Services Provider | United States |
As one of Calgary’s top-rated IT service providers, GAM Tech specializes in delivering “big business” managed IT services to small and medium-sized organizations in Alberta and beyond. From disaster recovery and cloud solutions to VCIO services and strategic around-the-clock network security, GAM Tech has reliable, affordable solutions to keep you up and running.