Top 5 Security Breaches in Canada

 

Compared to 2019 statistics, the frequency of security breaches today has increased by 20%, meaning that every 11 seconds one ransomware attack happens in any part of the world and Canada is no exception.

 Although the country ranks 13th in the list of countries in terms of the efficiency of their cybersecurity strategy, the amount of security breaches in Canada still rises from year to year. A whopping 85% of Canadian companies have been affected by cybercriminals in 2021 which is a 7% increase in comparison with 2020.

As the average cost of a data breach for Canadian companies is 5.4 million, both businesses and government take measures to strengthen cybersecurity on an organizational and national level:

A Canadian company spends on average 11.1% of its IT budget on security.

The government keeps issuing new legislation such as PIPEDA (Personal Information Protection and Electronic Documents Act) and amendments to the current regulations in order to regulate how companies handle customer- and business-related data.

Below, we've reviewed the most infamous cybersecurity breaches in Canada you should have heard, analyzing their causes and outcomes for various companies and enterprises.

#1 IKEA's Internal Data Breach Impacted Up to 100,000 Canadians

In May 2022, IKEA confirmed the internal security breach reported between March 1-3 current year, when some of its customers' personal information appeared in a generic search made by an IKEA employee. IKEA Canada PR leader Kristin Newbiggin said that the incident hasn't affected the banking or financial information of their clients.

After the breach was detected, the company was reassured that security experts acted quickly to prevent the data leak. So, according to the official announcements, no client data was used, stored, or shared as a result, and no actions are required from the customers' side.

Nevertheless, many cybersecurity experts claim that along with outside attacks, companies shouldn't overlook insider threats. Only in 2020, the cost of insider threats cost $11.45 million and will keep on increasing in the upcoming years. That is why employees should be limited to accessing solely the enterprise data they need to work with, which is usually neglected by many companies today. Such a precaution can help to secure the internal data yet prevent abusing the privileged access.

#2 Financial Services Firm Exposed Personal Data of Over 10 Million Customers

The infamous privacy breach occurred in June 2019 and spanned nearly two years without being noticed. The security department became aware of it only after the organization had been notified by the federal Privacy Commissioner, according to the report.

According to the commissioner's report, the rogue employee siphoned sensitive personal information collected by Desjardins from customers who had purchased or received products through the organization for at least 26 months. The exposed clients' data included first and last names, dates of birth, social insurance numbers, street addresses, phone numbers, emails, and transaction histories.

Desjardins' settlement will provide compensation for identity theft and loss of time related to the personal information breach, paying up to nearly $201 million to settle a class-action lawsuit. As mentioned, the overall number of individuals affected by that privacy breach has reached close to 9.7 million Canadians.

To minimize the risks of collection, storage, transmission, or process of any sensitive data, it is recommended to regularly conduct cybersecurity audits and system testing. This investment might seem unreasonable at first, but can help you to timely identify the problems, as well as determine and eliminate the breach-related vulnerabilities.

#3 Telecom Company Bell Canada Reported About the Largest Customer Data Breach

Multiple attacks were also announced by Bell Canada, one of the largest telecommunications companies in the country. According to the announcement in May 2017, the data affected included close to 1.9 million customer email addresses, as well as 1,700 names and phone numbers. The responsibility for the attack wasn't named, but in the information released it was mentioned the hackers were leaking the information due to Bell's failure to cooperate with them.

Worth mentioning the fact that Bell wasn't announcing the breach immediately upon discovery just to get more details before the official notification to customers. Fortunately, no sensitive personal information, such as financial data or passwords, has been affected. Bell's representatives have been contacting the affected customers directly to notify them about the incident and advise them to regularly change their passwords and security questions, as well as watch out for suspicious emails. Overall, information theft has affected nearly 1.9 million customers.

Nevertheless, that's not the sole cause of a security breach in Bell Canada. Eight months later the company reported a similar case of a data breach that affected up to 100,000 customers. The exposed information included customers' key personal information, all of which could be sold in underground markets and used for malicious activities.

#4 Home Depot Canada Suffered a Customer Data Leak Following Systems Error

In November 2020, Home Depot Inc. in Canada started receiving the first reports of the data breach that, according to the official press release, "seems to be the result of an internal system error rather than an external attack". Its customers started receiving reminder emails by mistake for hundreds of orders that were ready to pick up, in some cases users reported receiving up to 1,000 emails per one address or even more. The email content included customer names, email addresses, order numbers, and the last four digits of customer payment cards.

After the confirmation, Home Depot Canada claimed the system error affected a "very small number of customers", but the cause of the data breach was not disclosed. However, regardless of the small scope of affected clients, there is still a huge threat to customer security, as a personal data leak can be gold for a malicious actor. So, personal information like that can be used for a convincing phishing email, clicking on which the affected customers risk becoming victims.

#5 PayPal-owned Canadian Firm TIO Networks Leaked 1.6 Million Clients' Records

Global digital payments giant, in December 2017, reported a potential compromise of personally identifiable information for approximately 1.6 million customers on TIO Networks – a Canadian payments platform owned by PayPal.

After the security system vulnerability was detected, TIO Networks immediately suspended all operations of TIO Networks to protect the clients' data and initiated an internal investigation, in which the experts uncovered multiple cases of unauthorized access to TIO's network, including areas that stored personal information of some of the company's customers and customers of TIO billers. Regarding that, the company contacted all customers, billers, and retailers affected as a result of the leak and claimed to keep them updated about the instructions to secure their personal data. Fortunately, TIO Networks' and PayPal's systems are completely separate, so the last one's client data remains secure.