Privacy of Albertans under growing threat of hackers
It looked like a simple request from the CEO of a Canadian-based software company — an email asking for a spreadsheet containing information on the business’ employees.
Not long after the email was sent in early 2016, it became clear that the request wasn’t from the company’s top executive, but a hacker mining for information for nefarious purposes. In this case, the shadowy culprit made off with the personal information — social insurance numbers, salaries and birth dates, among other data — of 463 employees, 20 of them in Alberta.
It’s just one example among the growing number of breach notification decisions released by Alberta’s Office of the Information and Privacy Commissioner (OIPC), which have shown an increasing trend of online hacks, phishing and socalled social engineering ploys that compromise the personal data of hundreds of thousands of Albertans every year.
On Monday, hackers released a massive trove of personal information purportedly belonging to patrons of Calgary’s Cowboys Casino, along with a threat to release more in the coming weeks.
While the data dump, which included personal information, gambling habits and payouts of hundreds of patrons, garnered significant attention, Alberta’s privacy boss says online data breaches are becoming a major focus of her office.
“In any given year, hundreds of thousands of Albertans are being impacted by things like this,” said Jill Clayton, Alberta’s privacy commissioner.
“We’ve seen a huge increase in the hacking of e-commerce websites, malware, social engineering. We read about these things but we’re seeing much more of it.”
Under Alberta legislation enacted in 2010, private sector organizations are required to report any privacy breach that could pose “a real risk of significant harm.” It’s the first jurisdiction in Canada to require such notifications.
And it’s meant an increasing workload for Alberta’s privacy office. As of the end of May, OIPC has made public 65 such notifications, of which more than half (36) are attributed to some sort of illicit attempt to electronically secure information, most often from an unknown third party.
An analysis of the 2017 data, which includes incidents that occurred as far back as 2015, shows the personal information of more than 220,000 Albertans has been compromised. Comparatively, in all of 2016, more than 314,000 Albertans had personal data exposed.
Clayton said there’s been solid buy-in from the private sector on self-reporting breaches, with about 30 per cent reporting them even if there doesn’t appear to be any real risk of harm based on stolen data.
The rise of online hackers has led to an exponential rise in the sheer amount of personal information that can be obtained, often for illicit purposes. “If you can hack into an e-commerce site with 100,000, 200,000 or even a million customer accounts, that’s a lot of information,” Clayton said.