OTTAWA - The federal government has quietly logged 101 breaches of Canadians’ private information over the last four months, the Star has learned.
Numbers released by Privacy Commissioner Daniel Therrien’s office reveal his office was informed of a privacy breach an average of almost once a day since April 1.
The majority of these breaches occurred in two departments: Veterans’ Affairs Canada (38) and Citizenship and Immigration Canada (31). Canada Revenue Agency experienced another 14 breaches.
Eleven other departments — including Foreign Affairs and Trade, Employment and Social Development, and Transport Canada — reported between one and four breaches to Therrien’s office.
While the affected departments are known, the circumstances around the privacy breaches have not been released. What kind of data were at risk is also unknown at this time, although Therrien’s office said most are not considered “material.”
Federal guidelines define “material” privacy breaches as incidents that involve “sensitive personal information” that “could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals.”
One such material breach is believed to have occurred at the National Research Council earlier this month. The Conservative government has accused Chinese-sponsored hackers of infiltrating the NRC’s network — a claim Beijing flatly denied earlier this week.
Tobi Cohen, a spokeswoman for Therrien’s office, said the commissioner was first informed of that breach on July 23 — almost a week before the government confirmed the incident.
“We were briefed further on July 28, at which point it was confirmed that the system that was infiltrated contained personal information,” Cohen wrote in an email.
“At this point, what we can say is that this appears to be a serious security issue, however, we understand the full extent of the impact still has to be determined.”
Cohen said the office is following the situation closely “due to the potential implication for personal information.”
The NRC network has since been isolated from other Government of Canada network. The agency has also been working with CSEC — Canada’s electronic espionage agency, which discovered the cyber attack — and other unnamed “security partners.”
The agency has refused to answer any questions on the breach since it was revealed on Monday, citing security and confidentiality. On Thursday, the agency’s communications branch released an update stating the breach “remains the top priority.”
The NRC has said they’re working on a new “secure IT infrastructure” that could be in place in approximately one year, but expects interruptions to regular business in the short term.
“The NRC expects to be able to resume business activities in an orderly manner over the next few weeks and months,” the statement read.
In documents presented to the chief information officer on Monday, federal bureaucrats warned that Ottawa needs a more coherent plan to address large-scale cyber attacks like the Heartbleed security bug.
The software vulnerability that forced the shutdown of Canada Revenue Agency’s electronic tax filing system in April. Stephen Arthuro Solis-Reyes, a 19-year old computer science student from London, Ont., was arrested on April 15 for allegedly using Heartbleed to obtain the tax information of 900 Canadians.
On May 5, the Conservative government made it mandatory for departments and agencies to report material privacy breaches to both the privacy commissioner and Treasury Board, the department responsible for the federal government’s privacy guidelines.
In a briefing note to Treasury Board President Tony Clement obtained by the Star, Treasury Board Secretary Yaprak Baltacioglu wrote that institutions were previously required to notify only individual Canadians affected by privacy breaches.
“The new mandatory reporting of material privacy breaches does not change this process but ensures that both the (privacy commissioner and Treasury Board) are informed in cases where the breach could reasonably be expected to cause serious injury or harm to the individual,” Baltacioglu wrote.
“Data from this reporting will be used to assess trends in the privacy breach landscape and materials will be developed, as required, to help mitigate future risks within the Government of Canada.”