The number of data breaches reported in Quebec has jumped 75% over the past year. The Commission d’accès à l’information (CAI) has recorded nearly half a thousand “confidentiality incidents,” a quarter of which were caused by cyberattacks, in 2023-2024.
Privacy incidents have exploded by 469% since a provision of the Privacy Act [...] Since that date, organizations have been required to report to the CAI any security breach likely to cause “serious harm,” under penalty of sanctions.
From April 2023 to March 2024, 444 incident reports were disclosed to the CAI, compared to 78 in 2021-2022 and 254 in 2022-2023.
The Commission, which juggles an educational, monitoring and investigative role, also published on its website the names of about a hundred entities that reported leaks for the months of April, May and June. These include Meta, the parent company of Facebook and Instagram, the Restaurant Brands International (RBI) group, owner of the Tim Hortons and Burger King franchises, and the Royal Bank of Canada (RBC).
Few details
The Press surveyed around thirty private companies and public bodies that had recorded a confidentiality incident since April 2023 to find out its cause and scope. Generally, public bodies were quicker to respond to our questions, as were companies affected by minor events.
Multinationals have also declined to comment or ignored our emails. Radio silence, for example, came from General Electric, RBI, and the car brands BMW and Volkswagen Canada.
It was also not possible to know the context and the extent of the leaks declared by Meta, the construction giant Lafarge and the Canadian division of the manufacturer Jaguar Land Rover Canada: “no comment”.
Four out of five incidents in 2023-2024 were recorded by private companies (358). Public bodies and professional orders forwarded 18% (82) and 1% (4) of the notices to the Commission respectively.
The surge in data breaches comes as the number of fraud cases reported to police has more than doubled in the past 10 years, according to a report from the Ministry of Public Security released Friday.
Police forces recorded just over 38,000 cases in Quebec in 2023, compared to 15,000 10 years ago.
A tight-lipped pack
Sun Life Financial has posted the highest number of declarations, seven, since the new regime came into effect in the fall of 2022.
“As per our standard practice, we have reached out to those affected by these incidents and offered support as needed, and have reported the incidents to the appropriate regulator,” a spokesperson said in an email, without specifying the nature and extent of the leaks.
Canada Life Investments and Insurance, Choice Hotels (Quality Inn, Comfort Suites, Econo Lodge) and Royal Bank of Canada followed with six statements each. The first two did not respond to our questions, while RBC said it was “unable to provide details on this specific topic” due to confidentiality reasons.
The CISSS de l’Outaouais appears four times on the lists published since the fall of 2022. The organization “notified the CAI even when the incidents did not present serious harm,” explains a spokesperson, who did not provide details on the leaks. From now on, “only incidents that require a notice are transmitted to the Commission.”
Between transparency and vulnerability
The organizations that are at the top of the list are not necessarily those that are most vulnerable to privacy breaches; they are probably the most transparent, notes lawyer Antoine Guilmain, co-head of the national Cybersecurity and Data Protection practice group at Gowling WLG.
“In the register [of the CAI] which is published, we find the date, the name and the sector, but you will never know the extent of the incident, or even if it was declared on a voluntary basis or not,” explains Mr. Guilmain.
This could be misleading, since a company that appears five times may just be a better citizen.
Lawyer Antoine Guilmain, co-director of the national Cybersecurity and Data Protection practice group at Gowling WLG
With 84 notices, or 20% of confidentiality incidents for the period 2023-2024, the finance sector is the most represented.
The Co-operators insurance and financial services group, for example, recorded two separate incidents “experienced by third parties” in May. “Each of these third parties has taken steps to address their respective incidents, notified the affected individuals as required by law and offered each notified individual free credit monitoring services,” a spokeswoman said.
A third party is also involved in a “data theft” reported by Mitsubishi Motor Sales of Canada to the Commission, the distributor told The Press.
Minor hiccups
Since the Access to Information Commission does not specify the nature of the incidents, it could be a large-scale cyberattack or a trivial accident.
The CAI itself declared a confidentiality incident on May 2. “The case concerns an email sent, by human error, to the wrong recipient,” explains Jorge Passalacqua. The message contained a document that should not have been published. “The risk of serious harm to the citizen in question is almost non-existent,” he specifies.
Laval University, the Ministry of Agriculture, Fisheries and Food and Beneva have also described to The Press administrative errors affecting a single person, without impact. Files closed. At the Outaouais neuropsychological clinic: two incidents, i.e. two emails sent to the wrong recipient. “We are in the process of deploying software that will help us minimize the risk of such errors happening again,” management said. The Maison Tangente homeless resource in Montreal also mentioned an email sent in error.
At Cineplex, which appears alongside Scene+ on the recent CAI list, the incident “concerns a supplier’s system,” not the company’s, a spokesperson said. “A small number of employees were affected in Canada and only five in Quebec.”
Five people or fewer were also victims of a leak at the Ministry of Immigration, Francisation and Integration. “In order to protect the identity of the people concerned, the Ministry cannot comment” on the case, emphasizes a representative.
The City of Saguenay explained to us that it had reported an incident concerning “unauthorized access to the Quebec Police Information Center by an officer of the Saguenay Police Service.”
At the City of Châteauguay, the communications department tells us that the police service accidentally disclosed personal information to a non-profit organization as part of a background check. “Additional preventive measures have been put in place to avoid a repeat of such an incident,” they say.
Numerous attacks
More than half of the incidents reported to the CAI are criminal in nature: cyberattacks, in the lead, caused 25% of the incidents recorded in 2023-2024, followed by ransomware (16%). The categories “theft of information”, “human error” and “accidental communication” each account for around 10% of the reports.
Clearly, companies affected by more severe cases have not opened up to The Press. All victims of data leaks in Quebec should nevertheless have been informed of certain details by the targeted organization, as required by law.
“We want individuals to be informed so they can protect themselves,” notes lawyer Antoine Guilmain. “For example, if you are aware that your banking data has potentially been compromised, you may want to subscribe to a credit check.”