It’s not just the students and employees who were left in the dark after the massive leak of personal information at Collège Montmorency. The Information Access Commission (CAI) “was not informed” either. The personal data watchdog learned of the extent of the damage on Thursday in The Pressand he says he is “very concerned”.
Posted at 10:01 a.m.
“The Commission deplores this leak of personal information that affects the community of students, staff members and teachers at Collège Montmorency,” said Commission spokesperson Dominique D’Anjou.
For now, there is no requirement for public bodies to notify the Commission when they are the victims of an information leak that presents a “risk of serious harm”. However, they will have to do so with the new version of the law as of September 22.
Despite the absence of obligations, the Commission received 91 such declarations in 2020-2021. The CAI also invites public bodies “to demonstrate transparency” by notifying it of such incidents quickly.
The Press reported on Thursday that tens of thousands of College files had landed in the hidden web (dark web), on the site of the hackers who attacked the establishment on May 11. The documents contain extensive medical and psychiatric information about staff, internal investigation records, and identifying information about employees and students, among others.
In an interview, the director general of the College, Olivier Simard, explains that the establishment found on August 26 that a “big leak” had taken place. The College then awarded a contract to a security company to study the exfiltrated documents and contact the people concerned.
“There are different issues regarding access to data,” he explains. You have to open the files that you have to take one by one… It’s a colossal task, I assure you, there is still a lot of data! »
Silence on the side of the Minister of Cybersecurity
While the Commission is very concerned about the situation at the College, the Minister of Cybersecurity and Digital, Éric Caire, refrained from commenting, despite our requests for an interview.
PHOTO GRAHAM HUGHES, THE CANADIAN PRESS ARCHIVES
The Minister of Cybersecurity and Digital Éric Caire did not react to the massive leak of personal data at Collège Montmorency.
Its officials are however directly implicated in the events. They even “monitored the presence of data on the invisible web”, mentions a spokesperson for the Ministry, Laurent Bérubé.
Did they themselves spot the massive leak that management kept secret until the investigation of The Press ? Did they advise the College to withhold this information? Impossible to say.
Crisis management
After the publication of the report by The Press Thursday, Collège Montmorency sent students an email acknowledging for the first time that “the current situation is very worrying”.
In an interview, Olivier Simard assures that the management intends to “take care and take care” of the students and employees who are victims of the leak.
PHOTO FROM FACEBOOK
Olivier Simard, General Manager of Collège Montmorency
The director lists several measures taken to correct deficiencies raised in 2019 in a letter from the Auditor General during a confidential audit of the College, exfiltrated among the stolen data.
“At the time of the attack, we were maneuvering to deliver the recommendations,” says Olivier Simard.
According to the director, the cégep notably implemented multi-factor authentication and reviewed its information backup infrastructure, in addition to tightening the standards for passwords.