Data breach at border agency contractor involving up to 1.38 million license plates

According to the Federal Privacy Watch Agency, a data breach at a Canadian border control agency contractor involved 1.38 million license plate images and related information.

In a report detailing the investigation, the Privacy Commissioner’s office cited inconsistencies in the way the Canadian Border Services Agency manages license plate information and lack of security measures.

It highlights the lack of adequate contractual clauses to ensure that the border agency’s private sector partners are adequately protecting information.

The report, completed in May, was submitted to parliament on Thursday as part of Privacy Commissioner Philippe Dufresne’s annual report.

Watchdog files complaint and launches investigation following media reports in 2019 of cyberattack against U.S.-based third-party contractor used by both Canadian border agency and its U.S. counterpart Did.

At the time, Canada’s Border Agency told the Privacy Commissioner that the infringement involved approximately 9,000 photos of license plates collected from travelers entering Canada at the border crossing in Cornwall, Ontario. .

The investigation revealed that the number of Canadian border agency license plate image files compromised in the breach was much higher, up to 1.38 million including duplicates.

About 11,000 of them were reportedly posted on the dark web, an underground reach that shadows the internet.

The image files were also found to contain metadata including the associated state or states associated with the license plate, the date and time the image was taken, and numeric codes representing border crossing points and lane numbers. rice field.

The Border Agency told the commissioner that it does not consider license plate images to be personal information. did not.

A privacy watchdog found the files to be personal information under the privacy laws of some individuals.

Some personal information, such as medical records and financial data, is almost always considered sensitive, but in some circumstances, any personal information can be, the report says.

“This study is designed to assess whether information collected in the delivery of programs and services is considered personal information and to develop agreements containing appropriate privacy clauses to protect it. and underscores the value of working together with privacy professionals.”

The commissioner’s office ultimately concluded that the self-filed complaint was well-founded because the border agency violated the Privacy Act’s provisions on disclosure of information.

The Secretariat recommended that the Border Agency review contracts with service providers to clarify that license plate image files constitute personal information.

The Commissioner said the key lesson from the incident is that privacy obligations apply whether data is processed by a government agency or by a contracted third party acting on behalf of a government agency. is.

The Commissioner will consider the complaint resolved based on the Border Agency’s response to the investigation and acceptance of its recommendations.

Jim Bronskill

canadian press