Protection of personal information | Thirty companies reported leaks in two months

About 30 companies declared “confidentiality incidents” to the Commission d’accès à l’information after the amendments to the laws to protect the privacy of Quebecers, on September 22. Among them, several companies did not hesitate to explain to us the glitches, small or large, which led them to come forward. But from the Royal Bank to Amex Canada, other companies – and not the least – are much more discreet.

The Commission d’accès à l’information (CAI) sent to The Press the list of private organizations having made such declarations before 28 November. However, it only sent a list of companies, without any details on the nature of the reported incident.

We contacted some of the companies to find out what had happened. Observation: the events reported are very different from each other, ranging from the loss of a paper document on a patient to a computer attack affecting an entire company.

Large companies that do not respond

Some of the larger organizations are in no rush to explain what happened.

Questioned on December 2, the Royal Bank had still not explained to The Pressat the time of publishing, why she made a statement to the CAI.

Other large organizations also on the list, including McGill University and Amex Bank of Canada, did not explain their procedures either.

ManpowerGroup Global Inc. is also one of the companies that did not respond to the questions of The Press. The firm does human resource management for smaller organizations. Two days after our request, a US spokeswoman sent an email saying she was working on it.

The Professional Liability Insurance Fund of the Barreau du Québec, which also made a statement to the CAI, said that information about its staff in the hands of a supplier had leaked.

“The incident is very limited and only concerns my employees,” said Marie-Chantal Thouin, director of the organization, which insures lawyers against the risk of prosecution in the context of their practice. She refuses to give more details. The Fund states that it offered a credit monitoring service to its staff.

Sun Life Assurance Company made the same kind of statement, as did Walmart Canada. The retailer reported “a situation involving a third-party vendor, Modern Hire.” This American company supports the hiring process for third parties, but has not itself made any communication to the CAI. The retailer declined to say more, saying only that the leak involved “non-sensitive information.”

Sobeys, which owns the IGA supermarket chain in Quebec, also made a statement to the CAI, but gave no sign of life to The Press. The company’s systems were crippled last month by a computer outage and hackers claimed a cyberattack on the grocer.

Ransomware in an SME

Some smaller organizations have been more transparent.

This is the case of Cristal Controls Ltd., a small company of about thirty employees in Quebec. This manufacturer of energy and lighting control devices suffered an attack on October 25 and a ransomware gang released 125 gigabytes of its data on the hidden web (dark web).

“They asked us for a ransom of a quarter of a million,” says Jacques Beauchesne, president of the company, which declares a turnover of approximately 5 million dollars. Fortunately, the company had good backups of its data, he says. She didn’t pay.

The disruption of its business management system caused it headaches, but it was above all the leak of information on its personnel that prompted Cristal Controls to contact the CAI. “I knew I had to declare it,” says Jacques Beauchesne.

Other companies reported less dramatic events, which had nothing to do with electronics. This is the case of a pharmacy in Rimouski, which indicated to the CAI that it had received a wet and disintegrated box of medication from the Purolator parcel deliverer.

In Gatineau, the Delta Health Clinic declared the theft of a notebook containing about thirty names of patients, also mentioning their contact details and “possibly the justification for the consultation”, says Liette Landry, manager of the establishment. She notified the police and the people concerned.

Among the largest organizations, Telus Communications made five reports to the CAI for attempted fraud involving the takeover of telephone numbers. “The targets had probably already been victims of phishing and we made them aware,” said Jacinthe Beaulieu, spokesperson.

No other telecommunications company reported between September 22 and November 28.

Sensitive alarm

Pierre Trudel, professor of information law at the University of Montreal, is not surprised that small incidents are among the events declared to the CAI.

“The new law makes it possible to set up an alarm system. A smoke detector can ring as much because of the toaster as of a serious fire, ”he illustrates.

If the mechanics may seem cumbersome for isolated incidents without serious consequences, according to him, this is the price to pay for adequate data protection. “The mechanics aim to force companies to take this seriously. »

With William Leclerc, The Press