Canada’s Privacy Commissioner, Philippe Dufresne, has launched an investigation into a cyberattack impacting the personal data of current and former members of the Canadian armed forces and the Royal Canadian Mounted Police (RCMP).
The breach, reported by Brookfield Global Relocation Services (BGRS) and Sirva Canada LP, involved sensitive data linked to personnel relocation services contracted by the Canadian government since 1995, encompassing approximately 20,000 annual moves.
Despite the significant data volume compromised, the investigators have yet to determine the specific individuals affected by the breach, encompassing a wide range of personal and financial information provided to these companies.
Preliminary information suggests the breach could impact individuals who have utilized relocation services since 1999, potentially reaching an estimated 480,000 people, pending consistent relocation rates over time.
Philippe Dufresne highlighted the need for an investigation to comprehend the incident’s cause, rectify the situation, and fortify preventive measures against such breaches in the future, emphasizing the potentially sensitive nature of the compromised data.
The Privacy Commissioner’s investigation aims to evaluate the adequacy of security measures mandated under Canada’s Privacy Act, examining safeguards implemented by both the companies and the federal government to safeguard personnel data.
Moreover, the probe will scrutinize if the security incident constitutes a breach of Canada’s federal private sector law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Unlike the EU’s GDPR, the Privacy Act lacks fines for inadequate data protection. However, under PIPEDA, companies could face penalties of up to $100,000 CAD ($73,000) per violation for breaching data protection regulations.
In response to the breach, the Canadian government pledged support to potentially affected personnel, offering credit monitoring services and the reissuance of valid passports to individuals relocated within the past 24 years as precautionary measures.
