P2021-ND-288

Between September 27 and October 4, 2018, an unauthorized third party attempted to gain access to Checkout 51 accounts via the Checkout 51 login application program interface (API). The incident arose out of an apparent reuse of usernames and passwords. The third party may have attempted to gain access to the Checkout 51 accounts of users who use the same username and password on multiple websites. When a new device or web browser successfully accesses a user's Checkout 51 account using the user's username and password, the Organization sends an email to let the user know account access has occurred. During the relevant period of time, 34,000 such login notifications were provided globally, including notifications sent to 758 Alberta residents. A number of users responded to the notifications indicating that they had not logged in to their Checkout 51 account. None of these responses were from Alberta residents. The Organization investigated and found the data that may have been accessed by unauthorized individuals consisted "solely of non-sensitive information available through each user's Checkout 51 account". Of the 34,000 logins, 258 had a change in email address or mailing address. After reviewing these account changes, the Organization indicated that none appeared to be obviously suspicious in nature and none of these 258 account holders were residents of Alberta. The Organization reported that there is no evidence that the affected personal information has been misused as a result of the incident and does not believe that the incident poses a real risk of significant harm.

Categories: 2021