CBSA data breach exposes information of 18,000 employees

Breach caused by one employee's mistake: report

A mistake by one employee has caused a massive data breach at the Canada Border Services Agency (CBSA), according to a recent report. 

The incident happened on Feb. 3, when the personal and workplace details of approximately 18,000 employees of the government agency were mistakenly shared with 70 managers in an internal email, reported the Vancouver Sun. 

“The breach resulted from an employee taking a large data file off a mainframe system to create a custom report, then mistakenly sharing the entire source file alongside the custom report,” said CBSA spokesman Luke Reimer in the report. 

Nine in 10 data breaches in 2023 originated from phishing attacks targeting employees, as Secure Email Gateways (SEGs) struggle with more sophisticated phishing campaigns, according to a previous report from Cofense.

Employee information affected in the CBSA breach includes:

  • personal record identifier 

  • classification level 

  • employment status 

  • gender 

  • generation 

  • pension eligibility 

  • shift schedule 

  • language profile (including expiry dates) 

  • leave balances 

On Feb. 6, the CBSA sent a message to the managers telling them to immediately delete opened and unopened copies of the email, said Neil O’Brien, director general and chief privacy officer at CBSA, in an email to staff. Affected CBSA staff were notified of the internal data breach in a Feb. 7 email. 

“It is normal for limited personal information to be shared amongst work units in relation to shift scheduling, but the inclusion of additional employees from across the country and the additional information listed above represents a privacy breach,” he said in the email, a copy of which was acquired by Postmedia.

“The CBSA is also tracing the electronic trail of all instances of this information in order to ensure that all copies are deleted and working with recipients to help prevent further sharing,” O’Brien wrote. 

O’Brien noted that CBSA is investigating “how such a large data holding could be retrieved from our systems, shared over our networks and the conduct of the employees involved.” 

While the risk of identity theft is considered low, CBSA has implemented security measures to prevent misuse of the exposed data. 

To prevent similar incidents in the future, CBSA has notified the Office of the Privacy Commissioner of Canada and is reviewing its internal security protocols, according to the Vancouver Sun.

In 2024, Global Affairs Canada (GAC) looked into a cyber attack that had affected its system for over a month.

How should HR handle a data breach? 

In case companies fall victim to a data breach, employers should “take immediate, common sense steps to limit the breach,” according to the Office of the Privacy Commissioner of Canada. These include: 

  • Immediately contain the breach (e.g., stop the unauthorized practice, recover the records, shut down the system that was breached, revoke or change computer access codes or correct weaknesses in physical or electronic security). 

  • Designate an appropriate individual to lead the initial investigation. This individual should have appropriate scope within the organization to conduct the initial investigation and make initial recommendations. If necessary, a more detailed investigation may subsequently be required. 

  • Determine the need to assemble a team which could include representatives from appropriate parts of the business. 

  • Determine who needs to be made aware of the incident internally, and potentially externally, at this preliminary stage. Escalate internally as appropriate, including informing the person within your organization responsible for privacy compliance. 

  • Do not compromise the ability to investigate the breach. Be careful not to destroy evidence that may be valuable in determining the cause or allow you to take appropriate corrective action. 

“Once the immediate steps are taken to mitigate the risks associated with the breach, organizations need to take the time to investigate the cause of the breach and consider whether to develop a prevention plan. The level of effort should reflect the significance of the breach and whether it was a systemic breach or an isolated instance,” said the government agency. 

This plan may include the following: 

  • a security audit of both physical and technical security 

  • a review of policies and procedures and any changes to reflect the lessons learned from the investigation and regularly after that (e.g., security policies, record retention and collection policies, etc.) 

  • a review of employee training practices

  • a review of service delivery partners (e.g., dealers, retailers, etc.).

Recently, the federal government introduced a new National Cyber Security Strategy aimed at strengthening the country’s digital defenses as cyber threats continue to evolve and pose risks to Canadian businesses and employees.