ANALYSIS: Personal Info of Over 150,000 Canadians in Feds’ Possession Breached, With One Agency Accounting for 70% of Incidents

ANALYSIS: Personal Info of Over 150,000 Canadians in Feds’ Possession Breached, With One Agency Accounting for 70% of Incidents
The Canada Revenue Agency (CRA) headquarters Connaught Building is pictured in Ottawa on Aug. 17, 2020. (Sean Kilpatrick/The Canadian Press)
Isaac Teo

Private information belonging to over 150,000 Canadians in the possession of federal departments and agencies was breached over a one-year-plus period, with the Canada Revenue Agency (CRA) being the worst offender, new records analyzed by The Epoch Times show.

The analysis is based on figures provided by the federal government in response to an Inquiry of Ministry. Conservative MP Luc Berthold, who submitted the inquiry on March 29, wanted to know the details of all privacy breaches that occurred since Jan. 1, 2022, including the number of people affected and whether the Privacy Commissioner of Canada was notified.

Based on the document tabled in the House of Commons on May 15, the analysis indicates that 21,158 breaches were reported by 117 federal departments and agencies in the 14-month period. The CRA, which collects taxes from Canadians, accounted for nearly 70 percent of the breaches, with 14,484 cases affecting 53,667 people.

The analysis found that not everyone whose personal data was breached was informed by public servants as their cases were either deemed “low risk” or “non-material” by the respective government bodies.

The CRA said in its response that it noted “a significant increase” in the agency’s unauthorized use of taxpayer information in recent years. It reported 110 breaches due to employee misconduct, including unauthorized access or disclosure of taxpayer information during the requested period. Another 1,089 cases occurred because of misdirected mail sent to the wrong recipient.

Nearly 90 percent (12,917) of the breaches stemmed from “compromised individual accounts,” said the agency, while 298 other cases resulted from “cyber incidents, theft and loss of information, etc.”

Seventy breaches were recorded as being due to “compromised business accounts.”

45,000 Homeowners

In one of the data breaches, the Canada Mortgage and Housing Corporation (CMHC) mistakenly emailed the “personal information and outstanding loan balances” of 45,000 homeowners to an unnamed lender on Jan. 18, 2022.

“E-mail with MS Excel attachment sent to an external lender employee showing personal information and outstanding loan balances,” said the CMCH in the Inquiry of Ministry document. “File had been filtered for this lender and included records for other lenders that could be unfiltered.”

None of the affected borrowers were informed by CMHC staff, records show. Furthermore, the privacy commissioner was not notified. The Crown corporation said it only learned about the breach when the unnamed lender reported the error and attested to the “destruction” of the file.

“Please note that none of the reported incidents were material breaches,” CMHC said. “Also note that all incidents reported are deemed to be non-material.”

‘Loss of Information’

Employment and Social Development Canada (ESDC), whose portfolio includes the supervision of Service Canada, reported 872 privacy breaches, of which 72 were cases of lost passports and two cases of stolen passports.

“Loss of information” breaches related to Employment Insurance (16), passports (8), Social Insurance Numbers (2), Old Age Security (2), and the Canada Pension Plan (2) were among other breaches in ESDC’s records.

The department said the number of breaches reported pales in comparison to the volume of transactions it processes annually.

“As noted in these reports, compared to the millions of transactions processed by ESDC each year, the number of privacy breaches is statistically very small.”

‘Not Tracked’

Shared Services Canada (SSC), the agency responsible for providing information technology services across federal departments, had the private information of 31,647 public servants incidentally disclosed to an unnamed vendor in May 2022.

“Personal information provided to Vendor that was not included in data migration plan,” the agency said.

No measure was deemed required to offer the affected employees. They were not told of the breach and neither was the privacy commissioner.

“The information is not tracked,” SSC said in response to Berthold’s question on what government program or service was impacted by the breach.

Transport Canada, and Public Services and Procurement Canada (PSPC) reported breaches of a similar nature in their departments.

On July 21, 2022, the transport department had a “disclosure of personal information” of 4,510 individuals in its records. The department did not specify whether those individuals were employees or the general public, stressing that its service was not impacted “by the incident.” It said the affected individuals were not contacted.

“The breach did not pose risks, e.g. risk of identity theft or financial harm, which required measures be provided to any affected individual,” the department said.

‘Unauthorized Disclosure’

Public Services and Procurement Canada (PSPC), the central purchasing agent for the federal government, had a breach involving the “unauthorized disclosure” of 5,392 people’s personal information on June 22, 2022. The department said it “did not have any material privacy breaches to report.”

Immigration, Refugees and Citizenship Canada (IRCC) reported 4,355 breaches affecting at least 18,000 people in the period requested by Berthold. In its most serious breach on Sept. 23, 2022, the agency noted an “improper collection” incident involving the information of 13,600 individuals, which it said is still under “active investigation.”

About 97 percent of the breaches (4,230) were categorized as “Improper Disclosure: Misdirected personal information” by the IRCC. Other privacy breaches documented included the “improper retention,” “improper access,” and “improper use” of information.

The RCMP was responsible for 110 breaches. On March 3, 2022, one staff member accidentally lost a USB drive containing the private data of 1,741 individuals.

“An unencrypted USB containing operational and personal information was lost by an RCMP member and then found by an unknown individual who made and disseminated copies of it,” the RCMP said.

“Safety measures were implemented for certain individuals.”

Emails with sensitive information such as criminal records, fingerprints, and health status sent to the wrong people were not uncommon.

The RCMP said whenever the force contacts a person impacted by a privacy breach, the notification will include an apology as well as an explanation of the breach. It also informs them of remediations taken and their rights to file a complaint with the privacy commissioner.