More Than Half of Canadians Have Been Affected by a Data Breach in Less Than a Year
It seems that cybercrime is everywhere these days, but many of us foolishly continue to believe that cybercriminal activity will not affect us. Well, if you live in Canada, there is a very good chance that you have been affected by it already. You just might not know it yet. According to the most recent data, more than half of Canadians were hit by data breaches between November 2018 and June 2019. Unfortunately, by the end of November 2019, a full year after the research began, the numbers are likely to increase even more. So, have YOU been affected? Do you know what steps to take after a data breach? Continue reading, and you will find out.
19 Million Canadians have been affected since November 2018
According to the World Population Review, Canada has an estimated population of 37.5 million people. For the second-largest country in the world, this is not a huge number, but cybercriminals are exhausting all opportunities, and they have successfully jeopardized the virtual security of more than half of the country’s population. More specifically, between November 2018 and June 2019, the personal data of 19 million Canadians was compromised in one way or another. This number was shared by investigative journalist Francesca Fionda, who was interviewed for Kevin Newman’s new podcast Attention Control; the interview starts at 16:52 of the episode. Fionda interviewed the Office of the Privacy Commissioner of Canada (OPC), which disclosed that the data of 19 million Canadians was breached during 446 unique data breach events between November and June.
The government agency started surveying the issue more closely last November, when new reporting requirements were introduced by law. According to Fionda, although the agency received six times more data breach reports than in the same period before the legislation, the requirements are still pretty blurry, and it is likely that more data breaches have occurred but simply have not been reported. This is because a company that experiences a breach has to determine for itself whether it poses a “risk of significant harm.” Many factors are involved here. One, data breaches are not always detected in time. Two, the reputations of companies that experience them can be ruined. Three, employees responsible for cybersecurity are not always educated on the related risks, and they might determine that a breach poses no significant harm even when the opposite is true. Undoubtedly, the laws and regulations will have to be adjusted in the future to ensure that every single breach is recorded and reported appropriately.
How was the personal data of Canadian users breached?
Data breaches are often unique, and it is impossible to account for every instance. However, the Office of the Privacy Commissioner of Canada shared that 59% of all reported breaches involved “unauthorized individuals.” These individuals may include employees who gained access to sensitive data without permission. Whether that was done by accident or intentionally is unknown, but since selling sensitive data on underground forums is a lucrative business, disloyal employees could exploit their employers’ trust. The unauthorized individuals behind data breaches, of course, also include hackers, who can employ social engineering scams to trick gullible victims into disclosing sensitive information themselves or can drop malicious threats to gather information on a long-term basis. As for the remaining 41%, sensitive data can be leaked by accident when users themselves send it to the wrong person. Users can also misplace USB drives, hard drives, and other devices that may contain sensitive information.
Steps to take after a data breach
Before you respond to a data breach, first and foremost, you need to make sure that it is real. Schemers often send fake emails and warnings suggesting that, for example, a password change is required because of a breach. Unfortunately, that is just a trick to extract sensitive data and perform an actual data breach. If you receive a warning email, make sure the sender is legitimate, and double-check with authentic news sources to make sure that a real incident was discovered.
If you learn that hackers could have compromised your login credentials (usernames and passwords), it is imperative that you change them immediately, before the attackers can lock you out of your accounts completely. For example, the Air Canada data breach that occurred last year put passport-related information at risk, and victims were urged to change passwords to prevent unauthorized access to that information. Setting up weak passwords is not an option because such passwords can be brute-forced, and that is one of the ways that remote attackers can perform data breaches in the first place. So, if you are informed about a breach that affected your password, you need to make sure you replace it with something strong. We advise using a trusted password manager because it will make changing or upgrading passwords extremely easy. Furthermore, there are plenty of other benefits to using such a program.
If the company that experiences a privacy incident is transparent about what data was compromised, it should make clear which steps to take after a data breach. While in most cases it is enough to change passwords and keep an eye out for suspicious activity on accounts that could have been compromised, in other cases you might need more personal help. For example, if your healthcare provider leaks information about your health conditions or makes it possible for unauthorized actors to take out fake drug prescriptions, you might need to talk directly with that healthcare provider. The same goes for banks, credit companies, social security agencies, and so on. Ultimately, it is most important that you take action. You cannot hope that things will be sorted out automatically, and you need to take matters into your own hands even if you did nothing to cause a data breach in the first place.