Canadian Privacy Decisions

This report details three incidents in 2017 where Canadian organizations experienced data breaches due to password reuse by their customers. In each case, attackers used login credentials obtained from unrelated breaches to access customer accounts. The Office of the Privacy Commissioner of Canada found the organizations' responses to be appropriate, including actions like password resets, enhanced security measures, and customer notifications, and encouraged other organizations to adopt similar preventative strategies.

• Impact of password reuse on personal information security
• Adequacy of organizational responses to data breaches
• Effectiveness of safeguards against unauthorized access
• Communication and notification obligations to individuals

This report details an incident where a fraudster impersonated an unknown individual to trick a financial institution's employees into revealing customer contact information. The fraudster then used this information to extract further personal details from approximately 100 customers, increasing their risk of identity theft. The financial institution took immediate steps to mitigate the breach, including offering credit monitoring and enhancing staff training.

• Effectiveness of internal controls to prevent unauthorized disclosure of personal information
• Adequacy of breach response and mitigation measures
• Risks of identity theft and fraud due to personal information disclosure

The requester sought access to the Firearms Registry database from the RCMP on March 27, 2012. The RCMP provided an incomplete response, which the requester argued was not justified and that the destruction of records obstructed their access rights. The OIC investigated the complaint.

• Incompleteness of the provided information
• Lack of justification for incomplete response
• Destruction of records obstructing right of access under section 67.1 of the ATIA