Evidence of meeting #143 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Philippe Dufresne, Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Isabelle Gervais, Deputy Commissioner, Compliance, Office of the Privacy Commissioner of Canada

The Chair Conservative John Brassard

I call this meeting to order.

Welcome to meeting no. 143 of the House of Commons Standing Committee on Access to Information, Privacy and Ethics.

Pursuant to Standing Order 108(3)(h) and the motion adopted by the committee on Tuesday, October 29, 2024, the committee is resuming its study of privacy breaches at the Canada Revenue Agency.

I would like to welcome our witnesses today.

We have, from the Office of the Privacy Commissioner of Canada, Mr. Philippe Dufresne, who is the Privacy Commissioner, as well as Isabelle Gervais, who is the deputy commissioner, compliance.

Commissioner, I've given you up to 10 minutes to address the committee with your opening statement. Please go ahead.

Thank you.

Philippe Dufresne Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Thank you, Mr. Chair.

Members of the committee, thank you for the invitation to speak to this critically important issue.

Data breaches have surged over the past decade, in scale, in complexity, and in severity. As stewards of sensitive personal information, government institutions are attractive targets.

To ensure that personal information is protected, federal organizations, including my office, must be continuously adapting to an evolving threat environment.

In February 2024, we tabled a special report to Parliament with our conclusions on an investigation into a 2020 credential stuffing incident that impacted the Canada Revenue Agency, or CRA, and Social Development Canada, or ESDC.

During the final stages of this investigation, we learned of other breaches related to CERB fraud that the CRA had not reported to the OPC, dating back to 2020 and affecting up to 15,000 individuals. We indicated these breaches in our special report and added that we would be following up on this with the CRA.

The OPC recommendations in this investigation included improving communications and decision-making frameworks to facilitate a rapid response to attacks and developing comprehensive incident response processes to prevent, detect, contain and mitigate future breaches. Both the CRA and ESDC agreed to implement these recommendations.

On May 9, 2024, the OPC received a breach report from CRA, retroactively covering incidents from May 2020 to November 2023, which captured 31,393 separate incidents. The OPC's breach response team has met regularly with the CRA since then to find out more about the CRA's response to the situation and to be kept up to date on the actions that the CRA is taking to address the breaches, to notify, and to mitigate risks to Canadians.

There have been ongoing discussions related to the breach report but also pertaining to the February 2024 investigation report, given the linkages between both. Indeed, the CRA confirmed that, of the 31,393 incidents, approximately 15,000 related to the CERB fraud incidents that were mentioned in our Special Report to Parliament.

In the context of our ongoing engagement with them, on October 25, 2024, the CRA notified my office of approximately 3,200 additional material breaches that occurred in 2023 and 2024 and were assessed retroactively.

This fall, the CRA sought and ultimately obtained an exception from the Treasury Board, so that it could report individual cases of unauthorized use of taxpayer information by a third party to the TBS and to my office on a quarterly basis, instead of within a seven-day period, for operational reasons.

I indicated to the TBS that while I would support this exception, I recommended that it be for a limited time period of 12 months; that the CRA be required to promptly notify and provide information, support and advice to affected individuals; and that the breach reports include additional details including how and when affected individuals were notified and what additional actions were taken by the CRA to improve personal information safeguards.

On October 29, 2024, following the receipt of a complaint, I launched a formal investigation. This investigation will determine whether the CRA met its obligations under the Privacy Act and whether it employed adequate safeguards and breach response processes.

The privacy breaches at the CRA, both in the earlier credential stuffing investigation and in the one more recently reported, underscore the risk to personal information and the importance that must be placed on addressing and mitigating all breaches, including cyber-incidents.

My office regularly engages with federal institutions by providing advice and helping to assess the privacy impacts of new programs and technologies, following up on the response to breach incidents, resolving situations that were raised through privacy complaints, and conducting investigations. Each engagement and compliance activity plays an important role in supporting and advancing privacy protection across the Government of Canada, which is increasingly complex and significant in this digital era.

This includes advice and guidance to support organizations in addressing and mitigating the risks posed by breaches, including on how to prevent, contain and report breaches, as well as the importance of notifying affected individuals.

Data breaches represent one of the most significant threats to personal information globally. In the 2023‑2024 fiscal year ending on March 31, 2024, my Office received over 350 reports of cyber incidents, the vast majority, or over 90%, from private-sector organizations.

This year, I launched investigations into other major privacy breaches. These included the Ticketmaster breach that impacted over half a million Canadians, as well as a joint international investigation with my counterpart, the United Kingdom Information Commissioner, into the 23andMe data breach, which involved sensitive DNA data.

We know that breaches can occur even when organizations have put safeguards in place. This is why an effective response to a breach is also critical to mitigating the impact on Canadians and preserving trust in their institutions.

Given the significance of these risks and the potential impacts they can have on individuals, timely breach reporting requirements need to be made a legal obligation under the Privacy Act rather than a Treasury Board Secretariat policy requirement, as they currently are.

In 2023, the OPC requested and obtained additional temporary funding as part of budget 2023 to deal with breaches. While this request was for temporary funding for a two-year period, I believe that permanent funding is required, as breaches are a permanent and growing concern that pose a significant threat to individuals and organizations.

In a digital world where the risks are higher than ever, investing in privacy is crucial. Privacy protection must be embedded throughout government programs and services.

We must also continue to progress on efforts to modernize Canada’s privacy laws, both the private-sector law and the Privacy Act, which predates the Internet.

I also commend the committee's continuing valuable work in this area, including its report on the federal government's use of technology that can extract data from mobile devices and computers. Another example is the report released just today on regulating social media platforms to ensure online privacy and security.

We also need to ensure that my office is adequately resourced, given the increasingly complex data landscape.

This will continue to be a priority for us, and I will look forward to your committee’s report on this important issue and many others.

Thank you, and I would be pleased to answer your questions.

4:05 p.m.

Conservative

The Chair Conservative John Brassard

Thank you, Mr. Dufresne.

We're going to start with Mr. Chambers.

Before we do, we got off to a half-hour start. If there is no objection from the committee, I am going to reset the clock, as we normally do, at the top of the hour to give Mr. Villemure and Mr. Green six minutes each. That should take us to about 5:30. I expect we're going to get through the first round. The committee will determine where we want to go from there.

Mr. Chambers, you're up for six minutes.

4:05 p.m.

Conservative

Adam Chambers Conservative Simcoe North, ON

Thank you, Mr. Chair.

Commissioner, deputy commissioner, thank you for appearing at committee. Thank you for your responsiveness on a couple of issues that I personally reached out to your office on, including this one.

We had a bit of confusion around the timeline when we had CRA officials here. If I understand you correctly, can you confirm when you were made aware of the number of breaches dating back to 2020? Was that May 9? Is that correct?

4:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

That's when we received the formal notification of those breaches. Treasury Board policy requires that a formal notification be given to my office within seven days of the organization being made aware of it. In this case, clearly, this didn't happen, because some of those incidents date back to 2020.

4:05 p.m.

Conservative

Adam Chambers Conservative Simcoe North, ON

There was obviously a large time delay. CRA officials acknowledged that they were aware of these breaches. In fact, testimony suggests that for many of these breaches, the minister was made aware, and that they were not reported in a timely fashion. After that, did I hear you right? In October, CRA officials petitioned Treasury Board to actually not report breaches on the basis of a seven-day period. They actually want more time and to do it on a quarterly basis. Is that correct?

4:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

Yes, for some of them, that is correct. They identified that it was operationally challenging for them to do that. They requested this exception. As I indicated, I was prepared to support it with some conditions.

The three months and seven days may not make a big difference, but the seven days and three years that we're talking about in this instance is a major concern. Again, if it's for specific operational reasons and for a specific amount of time, that's a different question. The concern that we see is one we saw, in fact, even in this earlier investigation of the GCKey, which we reported on in February. Even then, we had some concerns about being notified and getting responses in time.

It's a concern, not just for CRA. That's why it should be a legal obligation.

4:05 p.m.

Conservative

Adam Chambers Conservative Simcoe North, ON

That's very good advice.

Do you think there's an accountability issue within the department about who maybe owns the reporting and accountability requirements within CRA? I'm just trying to understand how, on one hand, a department would acknowledge that it knew these things were happening in real time but, on the other hand, would fail to properly notify or follow the rules that had been set out.

4:05 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

What we hear is that there's a focus from the departments on notifying the individuals, and that's a good thing. That's important, and you need to contain the breach. I don't know the reasons we were not notified formally by the deadline, but what I do know is that it's a concern. If we're not notified in time, we can't provide advice and guidance in time, and that elevates the risk for Canadians.

I also know that if something is required by law, there's a greater likelihood that it's going to be complied with than if it's required merely in policy or directive.

4:10 p.m.

Conservative

Adam Chambers Conservative Simcoe North, ON

As part of your investigation, will you be looking at the activities that gave rise to the breach? We've heard some conflicting reports about whether it was a third party or whether it may have been on the departmental side. Is that something you'll be exploring?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

We want to understand what happened. We want to understand whether the measures were sufficient. We need to have the context. If there were some third parties who were involved in this situation, then we're going to look at that. If it raises questions under private-sector or public-sector privacy law, then we'll address that and see whether we need to amend the scope of the complaint.

Our position is that if the government is contracting with third parties from the private sector, the government has an obligation to make sure its third party partners are providing adequate protection.

4:10 p.m.

Conservative

Adam Chambers Conservative Simcoe North, ON

What obligation would, say, the department have to notify the public generally about potential breaches or risks to their own...if it's from one particular third party or some kind of similar instance? In this case, the public was not notified at all. I acknowledge that the individuals, some individuals, were contacted, but the general public was not made aware either.

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

There are really three categories.

You notify the individuals because you need to protect them, and you need to make sure they can protect themselves. You need to notify the regulator, which is my office. Finally, you need to notify Treasury Board and others.

However, the question of notifying the public then becomes a question of trust. How do you make sure the public isn't learning of this from the media while considering that the individuals may also be learning of this from the media? In fact, I think this was discussed in earlier testimony.

There's also a taxpayers' ombudsperson, and there's a taxpayers' charter, and one of the principles in it is also that taxpayers be notified promptly if there are fraud schemes and so on, again, for the reasons that this is important for trust and it's important to manage the stress level of individuals.

4:10 p.m.

Conservative

Adam Chambers Conservative Simcoe North, ON

Do you feel empowered? Does your office have the right authorities to make recommendations on internal processes and accountabilities?

Also, I recognize this Treasury Board exemption, and I'll call it an exemption, but if you've just gone through a very difficult period where you've not reported, I find it a bit hard to imagine that the answer to that is giving the entity more time to report. You'd think it'd actually be the other way around: “No, you're on remedial actions, and you need to report more frequently.” I think that would make a bit of sense.

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

That's right, although I think there's something to be said about acknowledging a challenge in meeting a requirement, explaining why and seeking an exception. I think it's better than breaching it and not doing anything and not saying anything about it. I think that's an important element.

To your question, yes, our investigation will look at that. We'll make some recommendations, as we did in the earlier investigation. Our earlier recommendations included improvements in communication and accountability. We found in that earlier case that there were departments pointing fingers at each other and saying, “It's not us; it's this department or that department.” We found that was an issue and had to be corrected.

4:10 p.m.

Conservative

Adam Chambers Conservative Simcoe North, ON

Thank you very much.

4:10 p.m.

Conservative

The Chair Conservative John Brassard

Thank you, Mr. Chambers and Mr. Dufresne.

I'm going to go to Ms. Shanahan now for six minutes.

Go ahead.

Brenda Shanahan Liberal Châteauguay—Lacolle, QC

Thank you very much, Chair.

I want to thank you, Privacy Commissioner, for being here, and I want to tell you how much we appreciate your work and how important your work is becoming.

I can remember when I first met with the commissioner occupying your role, seven or eight years ago in the context of a committee, and privacy was this vague idea, but now we understand very much what that means. It means an individual's personal information that can be used by others, bad actors, to defraud either the persons themselves or other entities.

This is where we're beginning to understand there's not just one type of breach of privacy, so correct me: What are the different types of breach-of-privacy data breaches that we can see? What do they look like? Please refer to the one at CRA.

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

We can see different situations. One could be an employee snooping. Someone is looking at information that isn't theirs. They're not entitled to it. There's not enough security around that. We also saw, in the investigation, credential stuffing. Someone finds out your password, and you're using that same password with many accounts and devices.

Brenda Shanahan Liberal Châteauguay—Lacolle, QC

Would they have found it out from the CRA, or would they have found it out from innocent citizens, somehow?

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

There could be a number of factors. You could have a situation where they find it out from individuals, third party vendors or other sources. Then it's reused.

Brenda Shanahan Liberal Châteauguay—Lacolle, QC

It's not from the CRA.

We're looking at what this incident is right now. Was it the CRA that somehow divulged people's passwords to bad actors? Is that what we're looking at?

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

That's not what it seems to be, at this stage.

We're going to be investigating and reaching our conclusions. It's a situation where it appears passwords were obtained elsewhere, then used to gain access to some of the devices.

Brenda Shanahan Liberal Châteauguay—Lacolle, QC

I have concerns about the My Account system. I rely on it. Many family members do. Many of my constituents do.

Do you have any reason to be concerned about the CRA My Account system, where people can go online and see their income tax information?

4:15 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Philippe Dufresne

In our subsequent investigation, we'll look at all of the circumstances and make a recommendation.

One of the big issues we had in our previous investigation was the authentication of users and the fact that there is a lack of multifactor authentication. That was because the sensitivity and risk were assessed to be too low. That is one of the trends we see. It's not just in this instance but also in other instances. There's a sense that harm to individuals is not being treated at the level it should be. They said, “Well, you're just losing some money. It's not your health.”

That was an instance when we disagreed. We said, “Well, this is being assessed at a level 2 risk. We're assessing it at a level 3 risk.” In fact, if a fraudster takes $1,000 from you, you can get sick from that. You can get stressed about that. You can end up in major situations—owing money, going to court and all of those things. We found this is a level 3 risk. If you treat it as a level 3 risk, you're going to put in place level 3 protections, with multifactor authentication.