A new report from Mastercard shows that the average data breach costs Canadian businesses $5.64 million while only 39 per cent of businesses are implementing adequate cybersecurity tools. According to the report, cybercrime has increased by 600 per cent since the COVID-19 pandemic, with remote work resulting in a 238 per cent rise in cyberattacks.
— CTV News March 2023
Each time there is a data breach containing your information, it has the potential to reveal a pattern in your password use. At the very least it provides the personal information that was used to create and maintain your account.
Most large companies now make at least some of their income by collecting and analyzing personal data from people on social media, websites and more. Companies seldom provide decent protection for collected information because they paid virtually nothing for it and the consequences of a data breach seldom affect their bottom line.
Companies like Facebook and Google are based entirely on collecting and reselling data to advertisers. When the product is free, YOU are the product. One of the best security and privacy actions you can make is to get off Facebook.
Neither Facebook nor Clearview AI suffered significant fines for their part in the scraping of millions of photos on Facebook accounts without permission in order to sell the data to police forces in North America, yet ordinary citizens can face huge fines when caught posting images not owned by them.
While organizations are happy to collect your private data, they aren't committed to protecting it anywhere near as carefully as they do their own private information. These breaches go back years.
Errors were at the heart of almost one in five (17%) breaches. That included employees failing to shred confidential information, sending an email to the wrong person or misconfiguring web servers. While none of these were deliberately ill-intentioned, they could all still prove costly.
— 2018 Verizon Data Breach Investigations Report
There have been at least 200 documented data breaches since 2005, and the number of records exposed is only on the rise as more folks move their lives online. It's impossible to know the impact and extent to which data breaches are occurring as many almost certainly go unreported.
— Interest.com, 2019
But the reported breaches only scratch the surface. When Troy Hunt, the owner of HaveIBeenPwned, was asked how often breaches occur, he stated: “Every day. Multiple times. Every day, without question.”
While speaking to me on the phone from his home in Brisbane, Australia, Hunt said he had just finished processing 545 breached accounts that morning from overnight reports, and he had at least that much more left to post on his website that day. He's one of the few people in the world who has an idea of the volume and frequency of data breaches.
— PCMag
Data breaches occur because the organizations holding your data fail to protect it, often data they had no use for but which might be valuable in the future. Much of this data is protected only with the least effective (and least expensive) technology, and some companies leave the information unprotected and available to anyone who can locate the address of the server it is stored on.
Corporations have essentially zero incentive to provide security for any private data they hold. Given the amount of data collected by these companies, this is criminal. Until companies are forced to take responsibility or face significant business-damaging fines, they will continue to find it cheaper to hire lawyers than invest in better security.
Legislation is badly needed to protect personal data, including significant mandated payouts to those affected and severe penalties for the executives and companies responsible for criminal negligence where data breaches occur.
The collection of unnecessary data that is then breached needs to carry significant penalties, including jail time for those who made the decision to collect it and then failed to protect it.
Home Depot and others offer an emailed receipt at purchase. Sounds like a great convenience, doesn't it? However, that convenience provides little return value to customers compared to the future marketing value of your email address to the retailer. Instead, stick with a printed receipt with your transaction because it avoids providing unnecessary personal information.
The Equifax data breach allowed executives to protect their own financial interests while providing the least effective security for data affecting virtually every adult in North America. They also failed to offer adequate compensation.
If this were taken into account, and companies were heavily fined for collecting unnecessary data or their executives subjected to criminal charges, the potential value of this optional data wouldn't be worth the risk.
Too often we try to tell folks how to protect themselves, but how do you protect yourself from credit card and other information being stolen from retailers, other than by strictly using cash and refusing to provide any personal details, such as requests to “email your receipt”?
Consumers need to assess privacy in their purchase decisions to hit businesses where it hurts.
Would you simply shrug your shoulders if your bank “lost” your life savings because of lax security? Why should mass data breaches be any different?
First, as consumers we need to stop shrugging and accepting data leaks as business as usual. Security should influence our buying decisions: the organisations we deal with won't take security seriously unless customers and the public do, too.
— ZDNET.
Those responsible for the data are often unaware that a data breach has occurred until they are told by someone else, often months or more afterwards.
The time it takes cybercriminals to compromise a system is often just a matter of minutes — or even seconds. They don't need much time to extract valuable data — they usually have much more than they need as it typically takes organizations weeks or months to discover a breach. 68% of breaches took months or longer to discover. In many cases, it's not even the organization itself that spots the breach — it's often a third party, like law enforcement or a partner. Worst of all, many breaches are spotted by customers.
— 2018 Verizon Data Breach Investigations Report
The number, frequency and size of security breaches are not improving. Companies are protecting their servers, not their users' information. Often companies don't even realize they've been hacked until long after the data has made its way into the dark web and your accounts have been compromised.
68% of breaches take months or longer to detect.
— Menlo Security
We need to demand that companies do much better in protecting users' data.
Canadian businesses and organizations are legally required to report privacy breaches. Hoping it goes away could cost you both customer loyalty and significant fines.
In the first year that reports are mandatory under PIPEDA ending October 31, 2019, the OPC received 680 breach reports affecting more than 28 million Canadians, six times as many as the year before:
| Type of incident | Total breach reports |
|---|---|
| Accidental Disclosure | 147 |
| Loss | 82 |
| Theft | 54 |
| Unauthorized Access | 397 |
| Grand Total | 680 |
These large numbers indicate that most individuals in Canada have already been affected. We need to stop unsafe practices and start treating ignorance as a public menace.
Clearly, breaches experienced by private businesses have been greatly underreported.
Data breaches are more common than you'd think, given the infrequency of news reports. How often? “Every day. Multiple times. Every day, without question.” Often they are either never publicly announced or the public announcement is delayed for months or years. Many of these are never reported to anyone.
A new study looking into data breaches in 2019 found that on average, a US citizen had their personal information leaked to the public at least four times. This is only based on publicly reported data and leaves out hundreds of other breaches that may have occurred behind closed doors.
— TechRepublic
Among organizations that experienced a data breach, over half informed senior leadership (53 per cent), and just under half informed the board (46 per cent) or their customers (45 per cent). About four in 10 informed a regulatory body (42 per cent) or law enforcement (38 per cent).
— CIRA 2024
Only the very largest breaches are reported in media and then often months or years after they happen.
Data breaches now happen so often that they rarely make the regular news cycle, but that doesn't make them any less dangerous. A data breach gives cybercriminals the chance to uncover your private information and use it for nefarious purposes, such as identity theft.
— PCMag
It is very difficult for consumers and businesses to protect themselves in a timely manner by changing passwords and other compromised data when there is no public announcement. However, there are things you can do to prevent data breaches.
Breached companies seldom report the loss until much later (often years later) and are not financially responsible because of their vague terms of service and poor privacy policies.
In 2013, digital thieves stole sensitive data from all three billion Yahoo users. The stolen information included names, phone numbers, email addresses, hashed passwords, security questions, and answers to security questions. Yahoo was slow to respond and did not notify users until December 2016. The second-largest data breach in history also involved Yahoo users. It occurred a year later when Russian operatives used a phishing email to access Yahoo's user database and account management tool. Approximately 500,000 user accounts were exposed.
— Class Action U
You only need to look at the way Facebook, Hotmail and others so quickly changed their privacy policies to enhance their profitability. You're on your own when it comes to protecting your identity.
Much like white-collar criminals, online criminals face far lighter repercussions (if they are caught at all) than someone robbing a store or kidnapping for ransom. In addition, most of these crimes are committed abroad where it is much more difficult to prosecute the perpetrators.
As cybercrime begins to overtake physical offenses for the first time, we need to realize that as our world continues to be dominated by technology so is organized crime. There is a common misconception that these out of sight online attacks are victimless crimes or are not treated with the same level of importance as those that occur offline, and this needs to change.
— Daniel Burrus 2016
One of the reasons that the loss of personal information occurs is that companies don't see any reason to spend money to protect information they didn't pay for in the first place. Remember, no one forced these companies to collect unnecessary information nor to retain it.
Until such crimes see the company executives punished appropriately and as severely as bank robberies and other blue-collar financial crimes, these breaches will continue.
Often initial breach reports understate the actual number of affected accounts. Later reports progressively report larger numbers.
As the public faces of huge corporations, executives have a lot to lose if their reputation — or that of their company — becomes tarnished. Their public relations team and their company's board may feel that paying off the criminal gangs could be less expensive than damaging the company's brand or causing a drop in stock value after announcing their business has become a victim to a serious cyberattack. So while some companies and individuals will try to cover up that they have been scammed, the truth can and often does come out.
— ZoneAlarm
One example is the Yahoo breach which initially reported 500 million accounts were breached in 2013. We later learned that all 3 billion Yahoo accounts were affected including Yahoo Mail, Tumblr, Flickr and Fantasy Football.
The primary purpose of hacking these sites is financial gain, although other motives such as espionage are also likely.
Cyber criminals have placed 617 million hacked accounts for sale on the dark web, stemming from 16 separate data breaches. The databases are listed on the dark web marketplace Dream Market, alongside drugs, weapons and other illicit items.
Hacked websites listed include MyFitnessPal, MyHeritage and Animoto — all of which were known to have been compromised.
— Independent February 2019
LifeLabs recently identified a cyber-attack that involved unauthorized access to our computer systems with customer information that could include name, address, email, logins, passwords, date of birth, health card numbers, gender, phone numbers, password security questions and lab test results.
— LifeLabs December 17, 2019
This is unprecedented: a significant number of people in Canada had their sensitive, personal information from a medical testing company hacked and stolen. And it took more than five weeks for the public to be informed. Just a few years previously, LifeLabs lost the information of 16,000 people in British Columbia with no repercussions to speak of. The information apparently wasn't encrypted to protect it from unauthorized viewing.
The privacy commissioners of both Ontario and BC noted significant failures including collecting unnecessary information then failing to sufficiently protect it.
A statement from the privacy commissioners of both Ontario and British Columbia says their joint report, completed in June 2020, found that LifeLabs "failed to take reasonable steps" to protect clients' data while collecting more personal health information than was "reasonably necessary." B.C. Information and Privacy Commissioner Michael Harvey says in a statement that "the road to accountability and transparency has been too long" for the victims of the data breach.
"LifeLabs' failure to put in place adequate safeguards to protect against this attack violated patients' trust, and the risk it exposed them to was unacceptable," Harvey says. "When this happens, it is important to learn from past mistakes so others can prevent future breaches from happening."
— Chuck Chiang, The Canadian Press November 2024
While the total Canada-wide settlement in the LifeLabs Privacy Breach Class Action was "up to $9.8 million," it translated into a payment of $7.86 per claimant (less $2 if you requested a cheque). That is hardly reassuring to clients whose personal data was compromised, especially given that such data would fetch far more on the Dark Web.
Clearly the cost of negligence is not high enough to protect our private medical data. These paltry amounts barely justified the paperwork involved and are more a cost of doing business than something that would force the company to change.
LifeLabs continues to do business in Canada but has security improved? Be sure to read the resource links at the bottom of the OpenMedia petition to understand the scope of the problem and why action must be taken to stop this loss of personal data.
15 million people in Canada have just had their private information breached from LifeLabs, a medical testing company. The breach potentially includes names, passwords, health card numbers and lab test results. Excuses and apologies aren't enough: we need our government to take action and create better protections for our private data.
Sign our petition calling on Parliament's Standing Committee on Access to Information, Privacy and Ethics (ETHI) to investigate LifeLabs, and put forward recommendations to ensure this doesn't happen again.
— OpenMedia
There have been many, many data breaches reported (and even more unreported). These are just some of the better-known examples. The history of data breaches includes some of the largest and most damaging on record as well as how to prevent data breaches.
Each year data breaches and compromised accounts become more frequent and more severe.
Marriott International and its subsidiary Starwood Hotels will pay $52 million and create a comprehensive information security program as part of settlements for data breaches that impacted over 344 million customers. The settlement requires Marriott and Starwood to implement a comprehensive security program and allow their U.S. customers to request personal data deletions.
Additionally, the American hospitality giant has agreed to pay $52,000,000 to 49 states to resolve claims related to the data breaches.
— BleepingComputer October 10, 2024
Fidelity Investments, a Boston-based multinational financial services company, disclosed that the personal information of over 77,000 customers was exposed after its systems were breached in August. Fidelity added that the incident exposed the data of 77,099 customers but has yet to reveal what personal information was stolen in the data breach besides names and other personal identifiers (as shared with Maine's Attorney General).
When asked how the attacker could access the data of thousands of customers using two accounts they previously created, Michael Aalto, Fidelity's head of external corporate comms, told BleepingComputer they couldn't share that information and added that "they did not view accounts. They viewed customer information".
— BleepingComputer October 10, 2024
A good example of poor and too-late reporting is the LastPass breach. It took over six months from the time of the first incident to begin reporting risks to customers.
Customer data wasn't reported missing until December 22, 2022, even though it appears to have been taken months earlier, beginning in August. Initially customers were told their data vaults were probably safe, provided they had followed the company's strongest recommendations. However, the company had failed to warn customers with weak security settings to upgrade.
TL;DR: The breach was helped by a lax security policy; an employee was accessing critical company data from their home computer. So the breach affects LastPass users who had an active LastPass account between August 20 and September 16, 2022.
— Almost Secure
Remember, LastPass was password management software protecting customers' most critical data — credit cards and the passwords to ALL their online accounts including critical banking and government websites.
Probably the most glaring of the many reported (and unreported) data breaches is the 2017 Equifax data breach. The data stolen provided more than enough information to commit widespread identity theft on the majority of American and Canadian citizens, the largest theft of sensitive personal information by state-sponsored hackers ever recorded.
In September 2017, hackers backed by the Chinese military exploited a vulnerability in Equifax's dispute resolution website and installed malware to access its network and back-end databases. The breach compromised the names, addresses, birth dates, Social Security numbers, and other sensitive data of 145 million Americans.
— Class Action U
Richard F. Smith, former Equifax CEO, blamed it on an employee's error in not patching a known security vulnerability. Even though this data was particularly sensitive, Equifax provided little data security.
A company like Equifax that has sensitive, personal information on most Americans should have the best data security in the industry. Instead, it has the worst.
— Senator Elizabeth Warren
There was also a delay in reporting the Equifax breach while the company executives cashed out. The lack of quick action by the company's executives should have resulted in firings and severe financial penalties for the company.
If you checked the Equifax site to check if your personal identity was compromised, you agreed to give up the right to sue. Seriously?
Equifax settled the FTC lawsuit by agreeing to provide either 10 years of credit monitoring or a $125 payment, but never provided enough funds for this settlement:
Equifax earmarked only $31 million for claims, meaning that if all 147 million people affected by the breach filed a claim, everyone would get just 21 cents.
— The New York Times
Someone should be held accountable for both scraping (collecting) such data then combining it for profit as well as allowing it to be copied into an unprotected cloud account unnoticed.
If both companies (and the company officers) were bankrupted for this breach, perhaps the tracking of such sensitive data would be less attractive and companies would spend money securing customer data as carefully as confidential company data.
TransUnion's 2019 data breach affected 37,000 Canadians.
The personal information of about 37,000 Canadians held by TransUnion may have been compromised this past summer, leaving both of Canada's credit monitoring agencies with data blemishes on their record. TransUnion says someone fraudulently accessed data using a customer's login credentials.
— CBC
It is disconcerting that those protecting businesses from fraud are so lax in their security. One reason is that TransUnion and Equifax serve businesses, not consumers.
Following the bankruptcy of computer retailer NCIX in Vancouver, their computers were never wiped to remove customer data before they were sold.
This personal information included IP, home and email addresses, passwords, credit card information and social insurance numbers.
Not only did the company fail to ensure that the computers containing customer information were wiped, but that data was so poorly encrypted that the information was sold on Craigslist.
Whoever is responsible for the careless disposal of the company assets is to blame. Bankruptcy protection should not remove liability for those responsible for not securing that information, including the former officers of that company.
This is an example of a relatively-unknown data dump that had the potential to be significant but perhaps was caught before it caused too much havoc.
An open (not password protected) server holding 4 terabytes of data from People Data Labs (PDL) and OxyData.io (OXY), containing cross-linked information on over 1.2 billion people, was found on October 16, 2019. PDL and OXY are data enrichment companies. What they do is allow companies to search:
De-duplicating the nearly 3 billion PDL user records revealed roughly 1.2 billion unique people, and 650 million unique email addresses, which is in-line with the statistics provided on their website. The data within the three different PDL indexes also varied slightly, some focusing on scraped LinkedIn information, email addresses and phone numbers, while other indexes provided information on individual social media profiles such as a person's Facebook, Twitter, and GitHub URLs.
— Check Point blog
It is interesting that the data is an accurate copy of data obtained from two different companies blended into one database. Someone either was a very large customer of both companies or managed to hack both databases.
Why was it available on an open IP address (35.199.58.125) rather than hidden away?
It is important for you to learn as soon as possible about any data breaches that may affect you. Unfortunately, not all breaches make it into the news nor do all companies report breaches to those directly affected.
These sites not only list many of the largest breaches, but can search databases to see if you've been affected:
Class Action U was founded with a singular purpose: “To support everyday people in holding large corporations accountable when they fail to protect their consumers.” This US resource has much information that will help you if you've been affected by a data breach.
If you have an account that has been compromised in a data breach, change the passwords for those accounts (and any others using the same user name and/or password). Today, most accounts use your email address as the user name, so a unique password for every account is critical.
Reusing passwords can mean that multiple accounts have been compromised since the breach.
Using the same easy-to-remember password everywhere is a great way to put your accounts at risk. You should care about your data showing up in a data breach because bad actors could use this information to take over your sensitive accounts or even steal your identity.
— PCMag
Learn more about safe password practices.
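The advice above has two practical parts: find out whether a password you use has already appeared in a breach, and then change it everywhere it was reused. The following is an added example, not code from the original page, showing both steps in Python. It uses the k-anonymity range technique that services such as HaveIBeenPwned's Pwned Passwords expose (only the first five characters of the password's SHA-1 hash are sent out; the service returns every matching hash suffix with a count), but the remote call is replaced here by a local stand-in built from a small breach corpus that is invented for the example. The corpus, the vault entries and the site names are all constructed.

```python
import hashlib

# Constructed breach corpus: password -> number of times it was seen in breaches.
# These entries are invented for this example and are not real breach data.
CONSTRUCTED_BREACH_CORPUS = {
    "password123": 120000,
    "letmein": 45000,
    "Summer2019!": 812,
}

# Constructed password-manager export: (site, password). "Summer2019!" is
# reused on two sites, which is the situation the page warns about.
EXAMPLE_VAULT = [
    ("bank.example", "Summer2019!"),
    ("shop.example", "Summer2019!"),
    ("mail.example", "vR7#pl-qz9!Wm2$kd"),
    ("forum.example", "letmein"),
]


def sha1_upper(password):
    """Upper-case hex SHA-1 of the password (the digest the range scheme uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Group breached hashes by their first five hex characters and store each
    as a 'SUFFIX:COUNT' line, the format a k-anonymity range lookup returns."""
    index = {}
    for password, count in corpus.items():
        digest = sha1_upper(password)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def local_range_lookup(prefix):
    """Stand-in for the remote range service: it receives ONLY the 5-character
    prefix and returns every suffix line in that bucket (possibly none)."""
    return RANGE_INDEX.get(prefix, [])


def breach_count(password, range_lookup=local_range_lookup):
    """Return how often `password` appears in the corpus, or 0 if never.
    The full hash never leaves this function; only the prefix is looked up,
    so the lookup service cannot tell which password was checked."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def accounts_needing_new_passwords(vault, range_lookup=local_range_lookup):
    """Given (site, password) pairs, return every site whose password is
    breached PLUS every other site that reuses that same password, since a
    leak from one site exposes all of them."""
    breached = {pw for _, pw in vault if breach_count(pw, range_lookup) > 0}
    return sorted(site for site, pw in vault if pw in breached)


if __name__ == "__main__":
    for site, pw in EXAMPLE_VAULT:
        print(f"{site:14} seen in breaches: {breach_count(pw)}")
    print("change passwords on:", accounts_needing_new_passwords(EXAMPLE_VAULT))
```

Running the block reports that `mail.example` is clean while the other three sites need new passwords: `forum.example` because its password is in the corpus, and both `bank.example` and `shop.example` because the password they share is. Swapping `local_range_lookup` for a function that performs the real range request is the only change needed to use this against a live service.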
Many of these companies either are unaware that the breach took place (indicating technical incompetence) or have opted not to report the breach to those affected (essentially fraud). Insufficient security resources to protect the information in their care should not be an accounting decision.
Clearly, company executives have no skin in the game. They should be personally liable and their personal assets should be on the line, including criminal charges.
The best advice comes from the 2018 Verizon Data Breach Investigations Report:
Be vigilant
Don't wait to find out about a breach from law enforcement or a customer. Log files and change management systems can give you early warning of a security compromise.
Make people your first line of defense
Do your employees understand how important cybersecurity is to your brand, and your bottom line? Get them on board, and teach them how to spot the signs of an attack and how to react.
Only keep data on a need-to-know basis
Do you know who can see your sensitive data and systems? Limit access to the people who need it to do their jobs, and have processes in place to revoke it when they change roles.
Patch promptly
Cybercriminals are still successfully exploiting known vulnerabilities. You can guard against many threats simply by keeping your anti-virus software up to date.
Encrypt sensitive data
Do what you may, one day you're likely to be the victim of a breach. But by encrypting your data you can render it useless if it is stolen.
Use two-factor authentication
Phishing campaigns are still hugely effective. And employees make mistakes. Two-factor authentication can limit the damage that can be done if credentials are lost or stolen.
Don't forget physical security
Not all data theft happens online. Surveillance cameras and entry systems for restricted areas, for example, can help avoid criminals tampering with systems or stealing sensitive material.
Canada's businesses and employees need to understand that ignoring the problem is not acceptable and that the consequences for businesses and employees involved could be significant. Failure to report a breach is fraud.
Corporations must be held legally and financially accountable for security breaches that affect customers. There need to be fines, investigations, and court-ordered consequences. Money needs to be spent on lawyers — a lot of money. The current model where customers have to spend their own money and energy to bring lawsuits to bear is unreasonable.
— PCMag
A large number of breach incidents were the result of individual phishing attacks or phone scams which means that public education needs to be stepped up.
We need to look at how technology can be used to catch criminals or remove their access to Canadian phones and email accounts.
Employee snooping, whether malicious or simple curiosity, needs to be stopped. A “need to know” should be a first line of defense backed by severe penalties for failure to protect privacy.
Not only should personal data be protected by excellent security, but there should be a tracking system that records who accessed the data and when.
Businesses should be responsible for their employees. Training in security, accountability and ethics as a condition of employment is the least of those responsibilities.
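Three of the points above (log files as early warning, access limited to those who need it, and a record of who accessed the data and when) can be shown in one small piece of code. The following is an added example, not code from the original page or from any company named on it. It models a patient-record store in which every read is checked against a role's need-to-know permissions and written to an audit log, and then runs a simple detector over that log to surface the kind of snooping described above. The roles, field names, users and the one-day scenario are all constructed for the example.

```python
import datetime as dt
from collections import defaultdict

# Role -> fields that role needs for its job (need-to-know). Constructed.
ROLE_PERMISSIONS = {
    "lab_tech": {"test_results"},
    "billing": {"name", "address", "health_card_number"},
    "physician": {"name", "date_of_birth", "test_results"},
}


class AuditedRecordStore:
    """Every read attempt, allowed or denied, is recorded with who, when,
    which patient and which field, so access can be reviewed afterwards."""

    def __init__(self, records):
        self._records = records
        self.audit_log = []

    def read(self, user, role, patient_id, field, when):
        allowed = field in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append({"when": when, "user": user, "role": role,
                               "patient": patient_id, "field": field,
                               "allowed": allowed})
        if not allowed:
            return None
        return self._records.get(patient_id, {}).get(field)


def flag_suspicious_users(audit_log, window, max_patients, max_denied):
    """Detection over the audit trail. A user is flagged when they read more
    distinct patients inside `window` than a job plausibly needs, or when
    they keep attempting fields they are not cleared for. Returns
    {user: [reasons]}; an empty dict means nothing was flagged."""
    by_user = defaultdict(list)
    for entry in sorted(audit_log, key=lambda e: e["when"]):
        by_user[entry["user"]].append(entry)
    flagged = {}
    for user, events in by_user.items():
        reasons = []
        denied = sum(1 for e in events if not e["allowed"])
        if denied >= max_denied:
            reasons.append(f"{denied} denied reads")
        for i, start in enumerate(events):  # sliding window over time
            in_window = [e for e in events[i:] if e["when"] - start["when"] <= window]
            patients = {e["patient"] for e in in_window if e["allowed"]}
            if len(patients) >= max_patients:
                reasons.append(f"{len(patients)} distinct patients within {window}")
                break
        if reasons:
            flagged[user] = reasons
    return flagged


def demo():
    """Constructed scenario: 40 patient records and one morning of reads.
    Returns (store, flagged) so the audit log and result can be inspected."""
    records = {f"P{n:03d}": {"name": f"Patient {n}", "address": "1 Example St",
                             "health_card_number": f"HC{n:06d}",
                             "date_of_birth": "1970-01-01",
                             "test_results": "normal"} for n in range(1, 41)}
    store = AuditedRecordStore(records)
    t0 = dt.datetime(2025, 2, 18, 9, 0, 0)
    # alice (lab_tech): three result reads spread over the morning, all in scope.
    for n in range(1, 4):
        store.read("alice", "lab_tech", f"P{n:03d}", "test_results",
                   t0 + dt.timedelta(hours=n))
    # bob (billing): legitimate billing reads, then repeated tries on test results.
    store.read("bob", "billing", "P005", "name", t0)
    store.read("bob", "billing", "P005", "address", t0 + dt.timedelta(minutes=1))
    for k in range(3):
        store.read("bob", "billing", "P005", "test_results",
                   t0 + dt.timedelta(minutes=2 + k))
    # carol (physician): names of 30 different patients in ten minutes (browsing).
    for n in range(10, 40):
        store.read("carol", "physician", f"P{n:03d}", "name",
                   t0 + dt.timedelta(seconds=20 * n))
    flagged = flag_suspicious_users(store.audit_log,
                                    window=dt.timedelta(minutes=15),
                                    max_patients=20, max_denied=3)
    return store, flagged


if __name__ == "__main__":
    store, flagged = demo()
    print(f"{len(store.audit_log)} audited reads")
    for user, reasons in flagged.items():
        print(f"flag {user}: {'; '.join(reasons)}")
```

Running it lists 38 audited reads and flags `bob` (three denied attempts on a field outside his role) and `carol` (thirty distinct patients in a quarter of an hour), while `alice` is not flagged. The thresholds are deliberately parameters: what counts as "too many patients" depends on the role, and a real deployment would tune them per role and feed the flags into the same monitoring that watches log files and change management for early warning of a compromise.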
Responding to such shocking numbers is important. Canada's privacy laws are over 35 years old and greatly out of date, especially compared with other countries.
Privacy should start with our political parties. It is shocking that our federal parties totally ignore privacy laws and that our governments not only spy on us but share that information widely both internally and internationally.
Existing laws pre-date the Internet, cell phones, social media not to mention wide-spread surveillance and data collection. And Canadian legislation has been both slow to materialize and often ineffective as written. Privacy laws need to be written for consumers, not to protect businesses from repercussions of their negligence.
People in Canada deserve strong new privacy laws — but right now, a pending bill will actually WEAKEN some of our existing privacy protections.
— OpenMedia
If companies faced massive fines for failing to protect the data they collect “just in case” it's useful, they would be far less likely to collect it and more likely to secure what they did collect.
RussHarvey.bc.ca/resources/databreaches.html
Updated: February 18, 2025