Breach Notification Decisions

The Personal Information Protection Act requires private sector organizations to notify the Commissioner and affected individuals where there exists "a real risk of significant harm" to an individual as a result of a privacy breach (section 34.1).

Decisions where there was a real risk of significant harm are made available. Decisions where there was no real risk of significant harm are not made available.

Under the Health Information Act, the Commissioner may confirm a custodian’s decision not to notify or by order require notice to an affected individual (section 85.1(2)). On occasion, those decisions are published.

Breach Decision | Organization | Summary | Link
P2024-ND-001

Ernst & Young LLP

On June 30, 2023, the Organization, through legal counsel, informed my office about the unauthorized access of personal information under the Organization’s control. My office contacted the Organization’s legal counsel in July and September 2023. On September 15, 2023, the Organization, through legal counsel, stated “there is no real risk of significant harm to individuals as a result of the incident.” My office followed up with legal counsel in October and November 2023, requesting clarification on …
P2023-ND-020

CDI Education Inc., Reeves Education Inc., VCAD Education Inc.

On November 14 and November 15, 2021, legal counsel confirmed the Organizations were the subject of a ransomware attack. On October 31 and November 4, 2021, the Organizations discovered that certain of their systems had been encrypted. The incidents did not impact the Organizations’ critical business operations. Having received no further information from the Organizations, my office asked the Organizations’ legal counsel on May 9, 2023, if the Organizations could confirm whether their investigation into …
P2023-ND-018

Copper Mountain Mining Corporation

On December 27, 2022, the Organization’s IT systems at its corporate office were subject to a ransomware attack that encrypted several of its servers and business applications. The Organization determined that the threat actor likely gained unauthorized access to and likely exfiltrated certain data from its IT systems, including certain personal information.
P2023-ND-016

Klondike Insurance Agencies Ltd.

At the time of the incident, the Organization obtained information technology (IT) services, including cloud hosting, from a third party, Sandbox West Cloud Services Inc. (Sandbox). On or about February 11, 2023, Sandbox was victim to a ransomware attack. Sandbox first notified the Organization on February 12, 2023. On March 19, 2023, Sandbox provided the Organization with supplemental information; a letter confirmed “threat actors” conducted a “ransomware attack” and advised all “customers” about the potential …
P2023-ND-015

Belal Najmeddine Professional Corporation o/a Edmonton Law Office

On December 3, 2022, a break-and-enter occurred at the Organization’s office. The incident was discovered by police. The Organization conducted an inventory following the incident; “thieves … stole anythign [sic] that appeared to be of value including computer screens … but most importantly, the law firms [sic] server and back up drive containing information on client files such as correspondence between lawyers and clients. The drives and server are password protected.” In a January 20, …
P2023-ND-014

LastPass Technologies Canada ULC

The Organization’s website says it is a provider of “password and identity management solutions.” One of the Organization’s products / solutions is “a secure digital vault for passwords and login details…” As part of its operations, the Organization “uses Amazon Web Services (AWS) for routine cloud storage, archiving and back up services…” On November 2, 2022, the Organization was alerted to suspicious activity within its cloud storage environment. On November 27, 2022, the Organization identified …
P2023-ND-013

Shopper+ Inc.

The Organization operates a number of online storefronts. In the course of its operations, they obtain certain services from Amazon Web Services (AWS). On February 8, 2023, the Organization “received feedback from an anonymous caller about a data file allegedly containing … customer records leaked on a … breach forum.” The Organization investigated; they assessed the records to be “highly similar to a CRM-exported data file with customer records stored on AWS S3.” The Organization …
P2023-ND-012

CareVest Capital Inc.

On April 20, 2022, an employee was victim to a phishing attack. The incident was discovered on April 28, 2022. The Organization believes the attack resulted in the compromise of an email inbox.
P2023-ND-011

PayPal Canada Co.

Between December 6 and 8, 2022, the Organization was subject to a credential stuffing attack. An investigation confirmed personal information may have been accessed and downloaded by the unauthorized third party.
P2023-ND-010

AltaLink Management Ltd. o/b/o AltaLink Limited Partnership

At the time of the incident, the Organization obtained cloud-based recruitment services provided by a third party vendor (HireGround). On September 7, 2022, the Organization’s vendor was victim to a cyberattack. The threat actor subsequently “gained access to the database back-up” and obtained personal information. The incident was discovered on or about September 19, 2022, when the Organization received demands for financial compensation in exchange for destroying “stolen documents/data.”
P2023-ND-009

EPCOR Energy Alberta LP

On September 22, 2022, an employee misdirected an email containing personal information about the affected individual who is also an employee. The unintended recipient, who is also an employee, alerted the Organization of the mistake.
P2023-ND-008

Managed Health Care Services, Inc. (Organization) reported by Sobeys Capital Incorporated

“Sobeys is a national food retailer operating under several brands, and also engages in various other businesses, including group benefits administration services offered through its affiliate, MHCSI.” On November 3, 2022, the Organization “became aware of a potential IT issue.” On November 4, 2022, the Organization determined it was victim to a ransomware attack when “multiple … systems were encrypted by an unauthorized third party.” An investigation “determined that an unauthorized third party was first …
P2023-ND-007

Sobeys Capital Incorporated

On November 3, 2022, the Organization “became aware of a potential IT issue.” On November 4, 2022, the Organization determined it was victim to a ransomware attack when “multiple … systems were encrypted by an unauthorized third party.” An investigation “determined that an unauthorized third party was first able to access [the Organization’s] network on October 14, 2022 when [an] employee downloaded and executed a file sent to the individual in connection with a phishing …
P2023-ND-006

Sobeys Capital Incorporated

On or about October 31, 2022, the Organization became aware that various online services were targets of unauthorized access. An investigation found multiple occurrences between October 29 and December 22, 2022, where one or more threat actor(s) attempted to – or successfully – accessed personal information via unauthorized API calls and a credential stuffing attack. With respect to the credential stuffing attack, the Organization believes threat actor(s) obtained and used compromised credentials from “a third-party …
P2023-ND-005

Carousell PTE Ltd.

On January 15, 2022, the Organization completed a system migration. As a result of this migration, a misconfiguration was introduced in an external-facing application programming interface (API). As a result of the migration, a filter was inadvertently omitted and the API fetched additional details. On September 15, 2022, the misconfiguration was discovered and fixed. On October 13, 2022, the Singapore Data Protection Commission (PDPC) and Computer Emergency Response Team of the Cybersecurity Agency of Singapore …
P2023-ND-004

Running Room Canada Inc.

On November 19, 2022, an unauthorized group obtained access to the Organization’s Canadian online shop checkout between the dates of November 19, 2022 to January 18, 2023. The Organization is working with law enforcement who notified the Organization that a USA agency identified an active infection on ca.shop.runningroom.com.
P2023-ND-003

Harry Rosen Inc.

Threat actor(s) accessed the Organization’s network without authorization and used this access to deploy ransomware that encrypted files and likely also to steal data. The Organization is continuing to monitor the dark web. The Organization’s forensic investigation is continuing.
P2023-ND-002

Lighthouse Psychological

On August 8, 2021, the Organization sent an email to multiple email addresses using the “To” field instead of the “Bcc” field. When the email went out all the people included in the email could see everyone else’s email. The email contained a notice that the psychologist’s email had changed. Two clients informed the Organization of the mistake.
P2023-ND-001

Felix Pharmacy West Inc.

On September 16, 2022, the Organization became aware of an IT issue impacting its local operations. Specifically, Felix West employees were unable to access the local pharmacy database server. The Organization discovered that an unauthorized third party initially gained access to the pharmacy’s systems on May 29, 2022 and encrypted certain servers on September 16, 2022. The Organization reported, “there is no evidence of any actual access to or exfiltration of customer personal information, however, …
P2022-ND-083

The Canadian Red Cross Society

To participate in the RFL program and provide this assistance, the Organization collects and inputs personal information into the international RFL system. This system is managed by ICRC and stored by ICRC’s external data centre service providers. On January 19, 2022, the Organization was advised by ICRC that the RFL system was the subject of a cyber security incident starting on November 2, 2021. ICRC indicated to the Organization that it has no immediate indications …
P2022-ND-082

Collabria Financial Services Inc.

On July 27, 2021, a previous staff member came into the Organization’s office to return the filing cabinet key. While there, the previous staff member unlocked the filing cabinet which contains staff files and took their file, along with the files of two other staff members who they hired, despite being told to leave the files in the cabinet. The Organization reported that the files were returned to the Organization after the Privacy Breach Form …
P2022-ND-081

CUPS Calgary Society

On October 21, 2021, a staff member received a phishing email from a trusted email account and was prompted to enter user ID and password. This resulted in the same phishing link being sent out to the staff member’s entire contact list.
P2022-ND-080

Sagium Corporation

On June 25, 2021, the Organization discovered that an unauthorized third party had gained access to its email account using a phishing email that harvested the user’s credentials. For a limited time, the third party was able to view emails that the account had sent. The forensic firm hired to investigate the incident did not identify evidence of data access or exfiltration within its network beyond any attachments included within the compromised email account.
P2022-ND-079

Advantage Welding & Fabrication

The Organization uses the service provider, BrokerLink (insurance brokerage). A BrokerLink employee left a workbag, containing a laptop and a paper insurance application, in their car. On August 26, 2021, the car was broken into and the workbag was stolen. The paper insurance application was not recovered. BrokerLink reported it “is confident there was no personal information exposed on the laptop. BrokerLink determined there was no risk of significant harm resulting from the stolen laptop …
P2022-ND-078

Primerica Life Insurance Company of Canada

Sometime between July 16, 2021, and September 2, 2021, medical kits containing vitals, blood and urine were collected from the Organization’s clients for the purposes of applying for an insurance policy. The paramedical vendor that the Organization used couriered the medical kits to the lab; however, the courier misplaced the kits in transit. The courier has not been able to locate the kits. The kits are assumed missing.
P2022-ND-077

MTG USA, Inc.

The Organization became aware of suspicious activity on its website and launched an investigation. On September 9, 2021, its investigation confirmed that an attacker placed malicious code and JavaScript on its website, which was designed to capture payment card information. The investigation concluded that the incident occurred between June 25, 2020, and June 15, 2021, potentially exposing certain transactions. The specific cause has not been identified.
P2022-ND-076

Financial Strategies Group

On June 16, 2021, the Organization’s office was broken into. Staff discovered the incident when they arrived at the office on June 17, 2021. Several paper life insurance files were stolen. The desktop computer was stolen. It was password-protected. The technology systems are encrypted. Only one stolen cheque was recovered. There is a potential that the thieves were able to view personal information in the stolen files.
P2022-ND-075

American Councils for International Education

On April 28, 2021, the Organization became aware that a limited number of finalists in one of its programs received administrator-level viewing access to the web-based database it uses to collect and maintain records for applicants, finalists and participants in the programs it administers. The Organization determined that personal records were among those that were accessible, although the Organization has not determined what records have been viewed.
P2022-ND-074

Canada Life Assurance Company

Duplicate RRSP receipt information was requested through the Organization’s Customer Service network during the month of March. The printed copy of this duplicate was to be sent to the Organization’s Tax Reporting team on March 24, 2021, from the Organization’s print services. The printed RRSP receipts did not arrive on March 25, 2021. Despite several searches, the receipts have not been recovered.
P2022-ND-072

Cornerstone Building Brands

On November 30, 2020, the Organization experienced a data security incident. The Organization’s investigation found unauthorized access to a limited number of systems in its network. The Organization also learned that an unauthorized person had accessed certain information that was stored on its systems in late December 2020. A comprehensive review of the files was conducted and determined that they contained information pertaining to one Alberta resident.
P2022-ND-071

The HIDI Group Inc.

On August 10, 2021, the Organization had a cybersecurity incident, which may have resulted in staff’s personal information being accessed. The Organization’s team of third party cyber security experts could not confirm if data access or exfiltration occurred. In addition, throughout the investigation, the third party investigation found no evidence of misuse or publication of any employee personal information.
P2022-ND-070

CARE Canada

In October 2021, the Organization was the victim of a Microsoft Office365 tenant compromise, which is shared between CARE Canada and sister organizations CARE International United Kingdom (“CARE UK”) and CARE United States (“CARE USA”). Three compromised CARE UK service accounts, with Office 365 Administrator Privileges, were compromised and accessed CARE UK’s application. This resulted in the unauthorized access of 3,845 unique pages, emails, and files, from across the shared Office 365 environment, many of …
P2022-ND-069

Polish Bilingual Program Parent Advisory Society

On July 6, 2021, the Organization was broken into and a backpack containing emergency contact forms was stolen.
P2022-ND-068

World Financial Group Insurance Agency of Canada Inc.

On June 1, 2021, a branch office of the Organization was broken into. The break-in was reported to the police. An agent with the Organization had her double password protected laptop stolen from her locked office during the break in. The breach was discovered on June 2, 2021 when the agent went to the branch office.
P2022-ND-067

YMCA Canada – Medicine Hat

On May 31, 2021, an employee sent out an email to approximately 200 individuals (guardians) without blind carbon copying all recipients. The contents of the email were generic and did not contain any confidential or personal information.
P2022-ND-066

Association Pre-Maternelle “Les Bouts d’Choux”

On August 27th, 2021, the Organization’s preschool facility was broken into. A password protected computer and an emergency backpack were stolen.
P2022-ND-065

Lachman Consultant Services, Inc.

The Organization was victim to a ransomware attack. Unauthorized activity was first detected on the Organization’s network on or about August 10, 2021; on August 21, 2021, the Organization determined “this was a security issue.” An investigation determined that a “threat actor compromised an employee’s credentials to gain network access.” A February 16, 2022 update states: “Personal information appears to have been exfiltrated.”
P2022-ND-064

Novotech Technologies Corporation

On September 21, 2021, the Organization discovered it experienced an unauthorized access when the Ottawa Police alerted them to a “suspected data leak”. On September 27, 2021, the Organization found that exfiltrated records were publicly disclosed on the dark web. An investigation determined that “one of [the Organization’s] corporate data drives was improperly accessed and certain information was exfiltrated.” The Organization believes a third party remote access appliance – which was susceptible to a known …
P2022-ND-063

SFC Energy Ltd.

On September 24, 2021, the Organization discovered they were victim to a ransomware attack when employees found a message on their workstations “indicating that their computer had been hacked”. An investigation determined the threat actor gained access to the Organization’s network through a vulnerability in Microsoft Exchange. It is believed the threat actor had access to the Organization’s systems for approximately two months. “There are no available logs to identify the threat actor’s specific activity …
P2022-ND-062

Porsche Centre Calgary

A database containing customer personal information was used without authorization by a former employee whose employment was terminated in 2021. The unauthorized access was discovered on or about March 25, 2022, after customers notified the Organization about unsolicited emails received at email addresses “that they have only shared with the dealership.” Some of the affected individuals explained “they had not given consent… to the sender or his organisation” and “have not signed up for the …
P2022-ND-061

Universe Machine Corporation on behalf of Saturn Machine Works Ltd.

The Organization obtains payroll administration services from a third party service provider, Universe Machine Corporation (UMC). The Organization authorized UMC to report the breach on their behalf. On August 12, 2021, UMC was the subject of a ransomware attack. It is believed that the attacker gained access to UMC’s environment via brute force attack against public facing ports. The incident was discovered the following day, August 13, 2021, when one of UMC’s managers attempted to …
P2022-ND-060

Universe Machine Corporation

On August 12, 2021, the Organization was the subject of a ransomware attack. It is believed that the attacker gained access to the environment via brute force attack against public facing ports. The incident was discovered the following day, August 13, 2021, when one of the Organization’s managers attempted to log in to their computer. A ransom demand was also found. In its January 25, 2022 update, the Organization confirmed that “the threat actor obtained …
P2022-ND-059

Canadian Tire Corporation

On August 11, 2022, a threat actor used credentials compromised in previous breaches from unrelated third-party companies to gain access to accounts of users who use the same credentials with the Organization and utilized a configuration error on an application programming interface (API) to circumvent security safeguards. The breach was discovered by the Organization on September 11, 2022. The breach affected certain Triangle Reward accounts and certain Canadian Tire accounts.
P2022-ND-058

DoorDash, Inc.

On July 31, 2022, the Organization noticed suspicious access to a customer service tool from two Alorica user accounts. The Organization promptly launched an investigation in conjunction with Alorica. By August 5, 2022, suspicious activity originating from two additional Alorica user accounts was identified. The investigation determined that the Alorica customer service agents provided their credentials to an unauthorized party in response to an apparent phishing scam. The Organization reported “The unauthorized party was then …
P2022-ND-057

Direct Energy Marketing Limited

On July 19, 2021, the Organization learned that an individual located in India was contacting the Organization’s customers purporting to be a representative of the Organization (the “Fraudster”). The Organization discovered that the Fraudster had been provided authorized access to certain customer information by HCL Technologies Limited (“HCL”). HCL is a contractor that provides customer support services to the Organization. The Fraudster was a customer service agent of HCL located in India who was first …
P2022-ND-056

Stillman LLP

On January 5, 2021, a laptop containing legal documents of four (4) clients of the firm was stolen from a staff member’s vehicle. The Organization reported “the laptop was password secured.”
P2022-ND-054

W.J. Stelmaschuk & Associates, Ltd.

On April 21, 2021, a staff member parked their vehicle at the visitor parking of the client’s apartment complex and went inside to collect the client for an outing. The staff member kept an office bag with the client’s medication administration sheet and communication book with client information in the vehicle (staff are required to take this information with them on outings because they need to deliver personalized services during the outing). The staff member …
P2022-ND-053

Electronic Arts, Inc.

On August 1, 2022, an internal active directory contact list with details of the Organization’s workers and business partners was posted on an underground hacking community channel within the messaging platform, Telegram. The information was then reposted on August 4, 2022, on a different channel on the Telegram platform. The Organization learned of these postings on August 11, 2022. The attacker obtained access to the credentials of a service account (i.e., an account provisioned for …
P2022-ND-052

Victoria’s Secret Stores Brand Management

Between June 5, 2021 and June 6, 2021, the Organization learned that an unauthorized party gained access to personal information in certain online accounts. The Organization determined that the unauthorized access to the online accounts was caused by a credential stuffing bot attack. The Organization reported that the incident did not arise based on a breach of its security safeguards. It reported that the incident involved the apparent reuse of credentials (usernames and passwords) that …
P2022-ND-051

Enviros Wilderness School Association

Multiple assessments and reports are pulled together to develop a final “written report” from the Organization’s Neurodevelopmental Assessment and Diagnostic Centre. On July 5, 2021, an employee with the Organization pulled together the report for Patient K and accidentally included the medical report for Patient E. An employee with the Organization’s Intervention Services who was supporting Patient K’s family (and who was also included in the email) contacted the clinic to notify them that …
P2022-ND-050

Grant Thornton, LLC

On June 5, 2020, an employee’s email account was accessed by an unauthorized individual. The unauthorized individual then sent phishing emails from the account to others at the Organization. The Organization secured the affected account, and immediately commenced an investigation with the assistance of third-party cybersecurity experts. The Organization reported that no other employee accounts were affected. No other parts of the Organization’s system or business were affected by the incident.
P2022-ND-049

Axis Mortgage Inc.

In the early part of 2020, the affected individuals approached the Organization to assist them in obtaining a mortgage. The affected individuals did not ultimately require mortgage assistance. The Organization closed the file and copies of the information provided by the affected individuals were deleted. Due to an error, a copy of the affected individuals’ information was saved in a separate storage area of the Organization’s computer system under a different client name. On September …
P2022-ND-048

Norwich University

The Organization is a post-secondary educational institute in Vermont, United States of America. Blackbaud Inc. (Blackbaud) provided cloud-based data management services to the Organization. On July 16, 2020, Norwich was notified by Blackbaud that it had discovered and stopped a ransomware attack that occurred in May 2020. Blackbaud experienced a ransomware attack that occurred between February 7, 2020 and May 20, 2020. Blackbaud systems affected by the attack included a database containing certain data related …
P2022-ND-047

Arrow Truck Sales, Inc.

Personnel reported being unable to access the servers and that login credentials had been changed. The Organization determined that on or about November 16, 2020, an unauthorized third party gained access to its network and subsequently acquired some of its internal company information from a server before installing a ransomware program. The unauthorized party posted certain of the Organization’s information on a publicly accessible website. The Organization learned that certain of its customers’ personal information …
P2022-ND-046

L Brands, Inc.

SafetyCall provides adverse event reporting services related to consumer products for the Organization. SafetyCall uses a sub-processor, NetGain, for data hosting services. On November 24, 2020, SafetyCall first became aware of a potential security issue, which culminated in the launch of ransomware on December 3, 2020. On December 14, 2020, SafetyCall informed the Organization that NetGain experienced a potential security incident and started investigating the incident. On January 25, 2021, NetGain informed SafetyCall that the …
P2022-ND-045

Alberta School Employee Benefit Plan

On April 5, 2021, an unauthorized user with an IP address in Nigeria gained access to an employee’s email account. The unauthorized user accessed the account multiple times between April 5, 2021 and April 8, 2021. On April 8, 2021, the unauthorized user attempted to initiate a fraudulent wire transfer by using the compromised e-mail address to authorize the wire transfer of an account the Organization believes is controlled by the unauthorized user. Also on …
P2022-ND-043

Pomeroy Lodging LP

• On March 29, 2022, the Organization was alerted of a ransomware attack from one of its hotels.
• The hackers had access to the Organization’s servers that included payroll information for current and past staff.
• The Organization’s property management system and the credit card portals for client facing guests were not affected.
P2022-ND-042

Tyler J. Arnold Professional Corporation

On November 18, 2021, a staff’s email was hacked. The Organization’s IT support advised that either the hacker was able to decipher the staff’s email login and password or staff member clicked on a malicious email link. The hacker sent approximately 250 emails with a virus link to contacts from the staff’s account. Some of the contacts called the Organization to report the fraudulent email they received.
P2022-ND-041

Performive, Inc

• On or about June 14, 2021, the Organization identified unusual user activity on its network.
• The Organization determined an unauthorized third party was able to access a portion of its network using a compromised SSH key.
• The Organization disabled the compromised SSH key.
• The Organization reported that the unauthorized activity occurred between June 3, 2021 and June 12, 2021.
• Initially, the Organization believed only encrypted personal information had been accessed. …
P2022-ND-040

Spreadshirt, Inc

• Early in July 2021, the Organization discovered evidence of unauthorized access to employee computers.
• The Organization concluded that a criminal deliberately targeted its network in an attempted ransomware attack.
• The attacker did not succeed in encrypting the Organization’s systems, however, the Organization believes that the attacker was able to access and copy data from its internal networks.
• The attacker used a keylogger to acquire employee login credentials and certificates.
• In …
P2022-ND-039

The Stevens Company Limited

On April 10, 2021, the Organization discovered that it was the victim of a cybersecurity attack by an unauthorized third party. The malicious actor deployed ransomware to encrypt the Organization’s technology infrastructure and to exfiltrate data.
P2022-ND-038

Martin Energy Group Services, LLC

• On January 25, 2021, the Organization discovered that it had been subject to a phishing event and business email compromise.
• The Organization’s forensics team has been unable to confirm or rule out specific access to individual emails and therefore treated the entirety of the mailboxes as accessed by the unknown third-party actor.
• The Organization’s investigation was able to establish that the period of unauthorized access spanned from January 19, 2021 to February 3, …
P2022-ND-037

Bow Valley Credit Union Ltd.

On August 6, 2021, a Requirement to Pay (RTP) notice from the CRA was sent to a wrong email address in error. The RTP was sent to an email address of a service provider instead of internally within the Organization. The incident was discovered on October 8, 2021, when the CRA contacted a branch of the Organization asking about the RTP.
P2022-ND-035

K2 Corrosion Fasteners Incorporated

• On October 15, 2021, the Organization discovered they were victim to a ransomware attack.
• The Organization did not determine how the threat actor compromised their network.
• An investigation did not rule out the possibility that data was accessed or exfiltrated.
P2022-ND-034

InvestX Financial (Canada) Ltd.

• On September 24, 2021, the Organization was victim to a ransomware attack.
• An investigation determined that a threat actor obtained system administrator credentials and exploited “corporate firewalls to access Amazon AWS hosting infrastructures.”
• The Organization did not rule out the possibility that personal information was exfiltrated.
P2022-ND-033

Willow Park Wines Spirits

• On September 28, 2021, the Organization was victim to ransomware. The incident was discovered the following morning when employees were unable to access files.
• An investigation determined that a “remote worker’s laptop was compromised resulting in a compromised connection to the worker’s onsite computer and the organization’s network. The intruder was able to use access to that computer system to access a shared drive and to deploy the ransomware.”
• It is not …
P2022-ND-032

Rifco National Auto Finance

• On May 8, 2021, an agent with the Organization received a phone call.
• The caller stated he was told his information was contained in a loan file in case the Organization could not reach the main applicant.
• The Organization sent a copy of the loan documentation to the caller as a result of the conversation.
• The Organization subsequently discovered the caller was not listed on the loan agreement.
• The Organization …
P2022-ND-031

Envision Pharma Group

On or about January 26, 2021, the Organization experienced a ransomware incident. An unauthorized third party gained remote access to certain of its internal computer networks. The Organization determined that the unauthorized third party acquired some non-public data from its networks. The Organization reported that the earliest known date of unauthorized third-party activity was on January 19, 2021. There has been no observed malicious activity since January 26, 2021.
P2022-ND-030

Parkmobile, LLC

On or about March 8, 2021, the Organization became aware of a cybersecurity incident. The incident is linked to a vulnerability in a third-party software. On March 15, 2021, the breach was discovered when the Organization received an email from the unauthorized person who attacked the network. The vulnerability allowed the unauthorized person access to a database table.
P2022-ND-029

Financière des Professionnels

On April 6, 2021, intrusion alerts were triggered by the remote monitoring system. As a result, the Organization became aware of a ransomware-type intrusion directed towards some of its servers. The Organization immediately blocked access to its servers, limiting the scope of the intrusion. On April 13, 2021, the Organization discovered that certain personal information may have been exfiltrated. The Organization reported, “All internal systems remain operational and there has …
P2022-ND-028

Arthur J. Gallagher Canada

On 26 September 2020, the Organization detected a ransomware event affecting its internal systems. The Organization’s investigation determined that an unauthorized party accessed or acquired data contained within certain segments of its network between June 3, 2020 and September 26, 2020. The Organization was able to confirm that certain systems were accessed but it was unable to confirm what information within those systems was, in fact, accessed. The Organization has no …
P2022-ND-027

Medicine Hat Family Young Men’s Christian Association

An employee with the Organization sent an email to 10 of its members without blind carbon copying all recipients. The Organization reviewed the email contents and reported that the content of the email itself did not contain any personal or confidential information. The email was a generic email asking recipients to log into their member portals to update payment information. An email recipient notified the Organization of the error.
P2022-ND-026

Witten LLP

On March 23, 2021, an employee with the Organization was working remotely and had taken files home for reporting. The employee’s vehicle was broken into. The employee subsequently learned that client files/documents were stolen from the vehicle.
P2022-ND-025

Grandin After School Care

On May 5, 2021, the Organization suspected that it experienced a break-in. A staff member with the Organization discovered a room’s Emergency Back Pack, which includes family contact cards, was missing and the room’s window was left open. The Organization reported that the backpack was not recovered.
P2022-ND-024

Financière des Professionnels

On February 11, 2021, the Organization became aware of a business email compromise. Two (2) employees of the Organization alerted it that some of their contacts had received a phishing email. Eight (8) Microsoft Office 365 accounts were found to have been compromised. Phishing emails were sent from an Organization corporate email address to some of its clients. The Organization reported there was no indication that its servers had been accessed. …
P2022-ND-023

Edmonton Meals on Wheels

On January 7, 2021, the Organization discovered that an external backup drive was missing from the server room of its head office in Edmonton, AB. The drive was one of several used to record daily backups of the Organization’s primary data server. The data server from which the backup drive was taken is located in a server room, which requires a keycode to access. The Organization discovered the encryption function on …
P2022-ND-022

Wycliffe Bible Translators of Canada

On January 7, 2021, a donor report with personal information was accidentally sent to an incorrect email address belonging to an unknown user due to a clerical error. The Organization attempted to contact the unintended recipient’s email address, notifying them of the error, and asking them to delete the January 7, 2021 email, which was sent in error. The Organization has not received a response from the unintended recipient.
P2022-ND-021

Nissan Canada Finance

On or about February 4, 2021, a perpetrator unlawfully accessed an Amazon Web Services (AWS) server on three separate instances using two different IP addresses. The perpetrator exploited a vulnerability on one of the Organization’s AWS servers and, upon searching the compromised server, was able to obtain a single salesforce system ID. This ID was of limited scope and the perpetrator used it to access the recent “activity view” of interactions of that specific …
P2022-ND-020

Minnetonka Moccasin Company

On December 29, 2020, the Organization discovered malicious code that was inserted in its e-commerce website. The Organization reported, if working as designed, the malicious code had the capability to capture payment card information. The Organization determined that payment card information might have been exposed for customers who made purchases through minnetonkamoccasin.com between November 25, 2020 and December 25, 2020.
P2022-ND-019

Forest City Trade Group, LLC

On June 24, 2021, the Organization discovered anomalous security activity when a computer administrator’s remote desktop session was interrupted. The Organization determined it was the victim of a ransomware attack. Files and systems were encrypted. The attack began on June 21, 2021.
P2022-ND-018

Mercedes-AMG GMBH

On June 21, 2021, the Organization was made aware that personal data files relating to users of its ‘Private Lounge’ service were being offered for sale on a web forum. The Private Lounge is an internet community platform established and provided by the Organization for owners of Mercedes-AMG vehicles, who could register to join the Private Lounge via an online registration process. An external security researcher reported the sale of the data. …
P2022-ND-017

Carey Management Inc.

On May 9, 2021, the Organization became aware that it was the subject of a cybersecurity incident, which resulted in the unauthorized access of some personal information of current and former employees of Spruce It Up Garden Center Inc. The perpetrators of the cybersecurity incident used malicious software to circumvent security safeguards and were able to obtain unauthorized access to the Organization’s systems. The Organization engaged their third-party security operations center to help rapidly investigate …
P2022-ND-016

Novo Nordisk Canada Inc.

The Organization contracts with Limeade, a third party service provider, to offer the NovoHealth platform to employees. The platform allows employees to track activities to earn rewards in the form of gift cards. In late September 2020, Limeade discovered a third party used automated means to guess usernames and passwords to gain unauthorized access to end users’ accounts. Limeade made product changes and the suspicious activity subsided. In November 2020, Limeade became aware of some …
P2022-ND-015

Debra Jackson, Registered Psychologist

On March 4 or 5, 2021, an employee responded to a phishing email that purported to be from Microsoft. On March 8, 2021, the employee’s email account was hijacked and the employee’s contacts were sent emails requesting they purchase gift cards. The Organization was notified by the employee’s contacts that they were receiving strange emails from the employee about gift cards.
P2022-ND-014

Dynamic Insight Corp

On March 1, 2021, the Organization learned that an unauthorized individual accessed an employee email account. Certain email contacts of the employee received phishing emails thereafter. The account may have been accessed as a result of a phishing email. The Organization reported that no claim files were affected.
P2022-ND-013

Connor, Clark & Lunn Private Capital Ltd.

On March 29, 2021, an email record search for a former client was sent to a wrong email address. On April 7, 2021, the Organization’s security team discovered the incident as part of their monitoring processes. They have confirmed no other emails have been sent to this email address.
P2022-ND-012

Defender Industries, Inc.

On April 15, 2021, Defender became aware of malware on its e-commerce platform. Defender submitted the breach occurred on November 22, 2020. Defender took immediate steps to remove the malware and notified its merchant processor as well as Visa, Mastercard, and American Express. On April 23, 2021, it was determined that this incident might involve personal information of certain Defender customers.
P2022-ND-011

AMA Agencies Ltd. o/a AMA Insurance Agency

On April 2, 2021, two employees with the Organization were subject of a phishing attack. The employees received an email from a threat actor impersonating one of the Organization’s vendors, Premier Marine (Premier Group). The email was sent by (staff name)@PrennierGroup.com (the correct domain name of the vendor is premiergroup.com). The staff at Premier Group is a regular contact at Premier Group that handles issues related to account payment discrepancies. The email requested the Organization …
P2022-ND-010

Raymond James Ltd.

On March 24, 2021, an unknown adversary gained access to the Organization’s Employer Portal on the Indeed.com (Indeed) job-posting platform. Indeed was notified immediately. Access to the Organization’s Employer Account was frozen by Indeed. Password changes were implemented by the Organization. The adversary had access to the Organization’s Employer Portal for approximately 2 hours and 15 minutes on March 24, 2021. During that period of compromise, the adversary sent out the first batch of phishing …
P2022-ND-008

Medical Pharmacies Group Limited

On May 22, 2021, the Organization was victim to a ransomware attack. The incident was discovered the same day by the Organization’s IT personnel. An investigation determined that the attacker may have gained access to personal information of current and former employees. The Organization did not report how the attacker compromised and gained access to their network.
P2022-ND-007

Plains Midstream Canada ULC

The Organization uses a third party service provider (Dynamic Insight Corp. or “Dynamic”) that assists the Organization with short term disability claim management. Dynamic receives the Organization’s employee claim information in order to assist with the provision of this service. On June 22, 2021, Dynamic notified the Organization that a Dynamic employee’s email account was accessed by an unauthorized individual on or about March 1, 2021. Dynamic was unable to determine the cause of the …
P2022-ND-006

Enhance Energy Inc.

On February 16, 2021, unauthorized users logged into the corporate email accounts of five of the Organization’s employees. A total of 32 suspicious logins were identified between February 16, 2021 and April 9, 2021. On April 9, 2021, a failed attempt at wire fraud was discovered when a supplier of Enhance Energy inquired about a payment.
P2022-ND-005

Guess?, Inc.

The Organization recently completed an investigation regarding a cybersecurity incident designed to encrypt files and disrupt business operations. The Organization’s investigation determined that there was unauthorized access to certain of its systems between February 2, 2021 and February 23, 2021. On May 26, 2021, the investigation determined that personal information related to certain individuals might have been accessed or acquired by an unauthorized actor. The Organization said additional work was required to identify addresses for …
P2022-ND-003

Arabian Horse Association

On February 20, 2021, the Organization discovered that it was a victim of a cybersecurity incident. An unauthorized third party may have accessed the Organization’s accounting server. The Organization began measures to restore its operations. However, on March 31, 2021, the Organization experienced a second cybersecurity incident. On April 23, 2021, the Organization determined that an unauthorized third party accessed personal information of certain members and prizewinners on February 20, 2021 and/or March 31, 2021.
P2022-ND-002

Co-operators Group Ltd.

One of the Organization’s insurance claims vendors suffered a malicious attack. On March 14, 2021, a rogue actor compromised the email account of an employee of the vendor. Seven separate connections were made to the email account on this date. The exact duration of those connections is unclear at this time. The rogue actor had the ability to access the email account, but it is unclear to the Organization what was accessed inside the email …
P2022-ND-001

Herff Jones LLC

On April 7, 2021, the Organization became aware of suspicious activity involving certain customers’ payment card information. In late May, the Organization determined that certain customer personal information was subject to unauthorized access. The Organization reported that forensic evidence shows activity related to unauthorized access to and exfiltration of payment card information occurred during the period of January 11 to April 19, 2021.
P2021-ND-345

Yahoo! Inc.

On August 1, 2016, media reported a hacker’s assertion that the Organization’s data had been obtained. The Organization investigated and found evidence suggesting that a copy of certain user account information may have been transferred from the company’s network in November 2014. On September 22, 2016, the Organization announced that a copy of certain user account information had been stolen by what the Organization “continues to believe is a state-sponsored actor”. In a later submission, …
P2021-ND-344

Darren K. Queck Professional Corporation O/A Queck & Associates

On September 25, 2020, the Organization inadvertently emailed the personal information at issue to an unintended recipient due to an error in the email address. The breach was discovered on October 30, 2020.
P2021-ND-343

Advanced Upstream Ltd.

On April 9, 2019, the Organization’s legal counsel sent a letter to a third party organization advising that the affected individual owed certain contractual confidentiality and non-competition obligations to the Organization by virtue of his prior employment. A similar letter was sent to the affected individual to remind him of the confidentiality and noncompetition obligations that he owed to the Organization. The affected individual advised the Organization that the disclosure of his employment agreement was …
P2021-ND-342

Rowland, Parker & Associates LLP

On April 2, 2021, the Organization found it was unable to log into workplace servers. The Organization engaged its IT service provider who determined that threat actors accessed the network and client personal information without authorization. Shortly after discovery, the threat actors contacted the Organization and confirmed the breach. Based on the Organization’s investigation, it is believed that a phishing campaign led to the attack involving ransomware. It is also reported that the threat actors …
P2021-ND-341

Metal-Fab Industries Ltd.

On January 2, 2021, the Organization discovered that it was the victim of a cyber-attack that encrypted its IT environment. The breach was discovered the same day during regular on-site maintenance. The Organization reported that the threat actor’s main interest was a ransom payment.
P2021-ND-340

Olymel LP

The Organization is a subsidiary of the “Sollio Cooperative Group” (Sollio). On November 7, 2020, Sollio suffered a ransomware attack. Sollio’s analysis of the incident determined that the threat actor first gained access to its systems on November 2, 2020. On December 4, 2020, Sollio notified the Organization that personal information about its employees may have been impacted. This was confirmed on May 12, 2021. It is reported that the threat actor published the exfiltrated …
P2021-ND-339

Canpar Express Inc.

On August 19, 2020, the Organization discovered that it was victim to ransomware. The attack began on or about August 13, 2020 when a server was infected with malware. Several strains of malware, use of offensive tools (Cobalt Strike), and lateral movement of the attacker(s) to other systems were reported. On September 14, 2020, the Organization discovered that exfiltrated records were leaked on the Dark Web. It is not known how the attackers initially compromised …
P2021-ND-338

Pureform Diagnostic Imaging Clinics Inc.

On March 20, 2021, the Organization was subject to a ransomware attack (Sodinokibi). The breach was discovered on the same day when employees noticed they were unable to access information on affected systems; a ransom note was also found. The Organization reported that the threat actor gained access to the Organization’s network via a brute-force attack against an employee user account. The threat actor subsequently uploaded the malicious payload and exfiltrated records.
P2021-ND-337

EBM Geoscience Inc.

The Organization was the victim of a business email compromise. The incident was discovered on or about May 19, 2021, when the Organization’s bank representatives inquired about email address changes and a wire transfer authorization request. An investigation determined that two organizational email accounts were compromised as early as May 15, 2021, and were used to initiate fraudulent wire transfers. The Organization did not report how the email accounts were compromised.
P2021-ND-336

ULS Maintenance & Landscaping Inc. and Urban Life Solutions Inc.

The Organization uses a third party service provider, Dayforce. On or about May 27, 2021, a human resources employee was speaking to a former employee who, prior to their termination, worked in payroll administration for the Organization. During that conversation, the former employee made remarks suggesting they had (unauthorized) access to the Organization’s payroll information. The matter was escalated for investigation. In conjunction with Dayforce, the Organization determined “that a Super Admin role had been …
P2021-ND-335

AIG Insurance Company of Canada

On or about September 26, 2020, the Organization was notified by one of its third party claims processors – Arthur J. Gallagher / Gallagher Bassett (collectively, Gallagher) – that Gallagher was the subject of a ransomware attack. “[An] unknown individual accessed or acquired data” from Gallagher’s network between June 3 and September 26, 2020. Initially, the third party reported that data under the control of the Organization was not impacted in the incident. However, “Upon …
P2021-ND-334

Mawer Investment Management Ltd.

On July 9, 2021, an unauthorized actor circumvented multi-factor authentication safeguards and gained access to an employee email account. An investigation determined that the unauthorized access lasted approximately one hour; during the incident, the unauthorized actor conducted searches about financial transactions, browsed email messages, and may have exfiltrated a mailing list.
P2021-ND-333

Audi Canada Inc., and Volkswagen Group Canada Inc.

On March 10, 2021, the Organization was notified that data relating to its customers was in the custody of an unauthorized third party. An investigation determined that “at some point between August 2019 and May 2021,” one of the Organization’s vendors inadvertently set “cloud containers containing [the Organization’s] data to open permissions”. The Organization believes “the threat actor intentionally took the data at issue”.
P2021-ND-332

Americold Realty Trust

On November 15, 2020, the Organization was subject to a ransomware attack. The attack was discovered on the following day, November 16, 2020. An investigation determined that the attacker had access to the Organization’s systems as early as October 29, 2020. In a December 17, 2021 update, the Organization explained that the attacker gained access to the environment by “[exploiting] a vulnerability in a server” and also confirmed that “Certain records were exfiltrated in connection …
P2021-ND-331

Mother Parker’s Tea & Coffee Inc.

On February 28, 2021, the Organization was the subject of a ransomware attack. The Organization’s IT department discovered the incident that day “when the encryptor was executed across systems.” An investigation determined that the initial compromise likely occurred in early February and may have been related to a phishing / spear-phishing campaign. The Organization could not rule out the possibility that data was exfiltrated during the attack.
P2021-ND-330

Soroc Technology Inc.

On May 7, 2021, the Organization was the subject of a ransomware attack. The incident was discovered when a ransom note was received on the same day. An investigation determined that the unauthorized third party may have exfiltrated data. The Organization did not indicate how its environment was breached by the attacker.
P2021-ND-329

Connect First Credit Union Ltd.

On August 6, 2021, a member of the credit union unintentionally logged into another member’s account. The Organization explained that “The impacted member did not change [their] default password, which was originally the same as the username… The [other] member coincidentally used the same username and password when accessing [their] own online account.” The incident was discovered the same day when the member contacted the bank and reported that they were “viewing the account profile …
P2021-ND-328

Home Financing Solutions Inc.

The Organization uses a mortgage application and processing system, Velocity, from the vendor Newton. Between August 14 and 31, 2021, an unauthorized actor gained access to Velocity. They accessed former clients’ mortgage applications and were able to obtain copies of applicants’ credit reports. The Organization became “fully aware” “of a security breach” on or about September 2, 2021, when an affected individual was alerted to an enquiry on their Equifax account; the individual notified the …
P2021-ND-327

Nick Milkovich Architects Inc.

On April 6, 2021, the Organization was subject to a ransomware attack. The incident was discovered on the same day when an employee found they were unable to access their computer. The Organization did not report how the malicious actor gained unauthorized access to conduct the attack.
P2021-ND-326

The King’s University

On March 16, 2021, a member of the Organization’s IT Department attended the Counselling Services office to fix a malfunctioning printer. Seven documents in the printing queue were accidentally sent to the public access printer. The breach was discovered on March 19, 2021, when a student discovered the documents on a public access printer and turned them in to the Registrar’s Office.
P2021-ND-325

International Union of Bricklayers and Allied Craftworkers

On June 29, 2020, the Organization discovered suspicious activity relating to a number of employee email accounts. An investigation determined that the accounts were subject to unauthorized access between June 4, 2020 and July 10, 2020, but could not rule out access to any emails or attachments within the accounts. The Organization reviewed the email accounts to determine whether they contained any sensitive information and to whom the information relates. The Organization reported, “To date, …
P2021-ND-324

iHerb Inc.

The Organization experienced a breach that resulted in compromised user accounts. The Organization’s notice to affected individuals said that “…beginning in mid-October 2020, an unauthorized party used the login credentials (i.e., email and password) of certain of our customers to access their … accounts. Based on our investigation, the compromised credentials appear to have been taken from third parties independent of [the Organization] and were not obtained as a result of a compromise of our …
P2021-ND-323

Aerium Analytics Inc. & Aerium SPV Inc.

Between April 13 – 21, 2021, one of the Organization’s email accounts was regularly accessed by an unauthorized party, using the correct password. The Organization reported it does not know how the credentials were obtained. The account was used to send an unauthorized email on April 13, 2021 requesting payment of an invoice; the breach was discovered when the email recipient contacted the Organization to verify the request. The Organization reported that the “unauthorized user …
P2021-ND-322

AmeriCommerce by Cart.com

On March 29, 2021, the Organization identified a security incident involving unauthorized use of the file upload feature of its application to add code to the checkout page of some of its merchant customers. The code was added to the sites involved at different times starting on March 25, 2021. The Organization removed the code from all sites on March 29, 2021. Transactions using a stored payment card and transactions entered directly by the merchant …
P2021-ND-321

Elliott Company

On March 29, 2021, a threat intelligence vendor notified the Organization about a potential data compromise resulting from a malware attack on the Organization’s computer systems in Sparks, Nevada. The Organization investigated to determine the nature and extent of the incident and what data had been compromised. The Organization believes (but has not been able to confirm) that the security of some archived human resources was compromised. The Organization reported the breach occurred on February …
P2021-ND-320

Entreprise Robert Thibert Inc.

On January 25, 2021, the Organization discovered that an unauthorized party gained access to a directory that contained employee personal information. The Organization reported, “This directory does not contain any structured files of personal information, which significantly reduces the risk of malicious use.” The Organization discovered the incident on January 25, 2021 when it noticed that some of its computer systems were encrypted and no longer accessible.
P2021-ND-319

Operation Eyesight Universal

On October 15, 2020, the Organization’s former third-party service provider, Blackbaud, advised that it had been subject to a ransomware attack in May 2020. As part of that incident, data was exfiltrated from Blackbaud’s systems. The Organization had previously engaged with Blackbaud as a service provider to process donations and store and manage donor, volunteer and supporter information, but had changed suppliers prior to this incident. Unfortunately, Blackbaud did not delete the Organization’s information and …
P2021-ND-318

Rightway Immigration and Education Services

On January 17, 2020, the Organization discovered suspicious activities in its email accounts. The Organization determined that threat actors accessed two mailboxes frequently, between September 17, 2019 and January 17, 2020. A third mailbox was accessed twice, on September 21 and 23, 2019. The Organization’s investigation also found that four links had been created for document transfers from the account. The Organization reported, “evidence was not available to identify which emails were accessed” or “which …
P2021-ND-317

Gay Lea Foods Co-Operative Limited

On December 27, 2020, the Organization’s core IT infrastructure (“systems”) was encrypted with ransomware. The Organization received a ransom note that indicated the data, including personal information, had been accessed and extracted by the threat actor and that, absent payment, sensitive data would be released. The Organization investigated and determined the cause of the incident was a phishing attack. An employee opened a phishing email, which contained a malicious document. The Organization reported, “there is …
P2021-ND-316

Stampin’ Up!

On April 14, 2021, the Organization discovered that its ecommerce website, www.paperpumpkin.com, was modified with malicious code, which captured payment card data as it was entered on the website in connection with a purchase. The Organization investigated and determined that the payment card information that may have been accessed was related to transactions made between June 12, 2020 and November 17, 2020. A limited number of customers reported fraudulent charges on their credit cards.
P2021-ND-315

Koelnmesse

On February 23, 2021, the Organization became aware of a possible data security incident involving its computer network. The Organization determined that an unauthorized individual accessed an employee’s email account from January 26, 2021 to February 23, 2021. The Organization retained a third-party vendor to review the impacted information. The review was completed on May 7, 2021 and determined that the personal information of one (1) Alberta resident might be impacted. The Organization reported that …
P2021-ND-314

Convoy of Hope

In May 2020, the Organization’s cloud-based software and data hosting solutions provider, Blackbaud, discovered that it was the target of a ransomware attack. Threat actors managed to remove a subset of data from Blackbaud’s self-hosted environment, which included data being processed by Blackbaud for the Organization. On or around July 16, 2020, the Organization received a notification from Blackbaud informing it of the incident affecting the data of some of the Organization’s members. On October …
P2021-ND-313

Alberta Beef Producers

The Organization was the subject of a cyber security breach, which began on June 27, 2021 and ended on June 28, 2021. The attacker targeted the Organization’s online payment system and gained unauthorized access using stolen credentials of an employee of the Organization. The attacker was unsuccessful in attempts to make fraudulent payments; however, personal information for some of the Organization’s vendors could have been exposed. The Organization reported, “the attackers plan was to alter …
P2021-ND-312

Letko, Brosseau & Associates Inc.

On May 2, 2021, the Organization discovered it was the target of a ransomware attack by an external individual, resulting in most of its production systems being encrypted. The Organization reported that all measures to block the unauthorized access, contain the incident and prevent a recurrence were implemented immediately. The Organization’s investigation revealed the REvil ransomware group perpetrated the attack and work files were exfiltrated.
P2021-ND-311

ABC Head Start Society

Between May 26, 2021 and May 29, 2021, an intruder gained access to an employee’s Microsoft Office 365 account. The Organization later learned the employee had opened email attachments sent by a ransomware email. On May 29, 2021, a request was received from the employee’s compromised account for access to the Organization’s Finance SharePoint site. A manager followed up with the employee, who confirmed they had not requested access. On the same day, Microsoft sent …
P2021-ND-310

Tara Cassidy Professional Corporation

On January 5, 2021, the Organization discovered unauthorized access to its computer systems in the form of a ransomware attack. An investigation determined that the threat actor opened/viewed seven (7) documents on the Organization’s systems, but these documents did not contain any personally identifiable information. The investigation also determined that the threat actor obtained domain administrator credentials and employed a number of “anti-forensic” measures such as deleting event logs. The Organization reported it is possible …
P2021-ND-309

USA Waste-Management Resources, LLC

The Organization stores certain information for its Canadian affiliates on its servers. On January 21, 2021, the Organization’s security controls reported suspicious activity on this network. The Organization investigated, and determined that an unauthorized actor entered the Organization’s environment between January 21 and 23, 2021, accessed certain files, and took a limited number of files. On May 4, 2021, the Organization determined that the potentially compromised files contained the personal information of certain individuals. However, …
P2021-ND-308

AVENIR GLOBAL Inc.

On December 29, 2020, the Organization was informed that it was the target of a ransomware attack, which affected its systems in a number of jurisdictions. Some information shared with the Organization or one of its subsidiaries was consequently compromised. The Organization’s investigation suggests the breach likely resulted from a phishing email. The Organization does not have any information to suggest that the accessed information has been misused. The Organization reported, “to the contrary, we …
P2021-ND-307

Centaur Products Inc.

On December 21 and 22, 2020, malicious actor(s) accessed an employee email account and used it to create a fictitious account and post a job for a receptionist on an employment recruitment site. The breach was discovered when an acquaintance of a staff member inquired about the job posting. On December 22, 2020, the Organization determined that it was not a valid job posting. On December 22, 2020, the malicious actor(s) also sent emails from …
P2021-ND-306

Avenue Living Asset Management Ltd.

On November 26, 2020, an employee with the Organization unknowingly clicked on a phishing link sent to her by email, which in turn allowed an unauthorized actor to gain access to the employee’s email account and subsequently send a phishing link to the employee’s contacts via email. The breach was discovered the same day after multiple emails were sent from the employee’s account, and various replies were received. The Organization reviewed all emails and determined …
P2021-ND-305

United Active Living Inc.

On October 28, 2020, an employee of the Organization was delivering monthly rental statements to resident suites during the night shift. The statements were to be left on the shelf at the suite door. However, statements were delivered to the wrong suites. The breach was discovered the same day when a resident reported receiving the wrong envelope. He did not open it.
P2021-ND-304

ARCH Psychological Services

On November 12, 2020, the Organization sent an invoice by email which contained a client’s name and address to another client in error (unintended recipient). The breach was discovered on November 16, 2020 when the unintended recipient informed the Organization that she received an invoice for someone other than herself. The Organization requested that the unintended recipient delete the information received in error.
P2021-ND-303

TaskRabbit, Inc.

On December 7, 2020, the Organization experienced a spike in unusual traffic in the login endpoints for the Organization’s client and tasker mobile applications. The Organization determined that its website and mobile application had been subject to a credential stuffing attack on certain user accounts between December 7 – 14, 2020. The Organization reported it believes the credentials were obtained from a third-party site or app where users used the same password.
P2021-ND-302

1219146 Alberta Ltd.

Between March 27, 2020 and March 28, 2020, the Organization’s office was broken into and the Organization’s safe was stolen and subsequently compromised. The safe contained unencrypted external hard drives used to back-up data from individually assigned computers.
P2021-ND-301

Backroads Canada Corporation

On October 2, 2020, the Organization’s parent company discovered certain portions of its network and workstations were impacted by a ransomware incident. On October 9, 2020, a forensic investigation discovered that human resources data was potentially exfiltrated. On or around October 16, 2020, it was confirmed that Canadian employee information was part of the exfiltrated data. The breach was discovered on October 16 through the use of early detection and response software, which detected abnormal …
P2021-ND-300

Premier Tech Limited

On January 25, 2021, the Organization discovered that it was the victim of a cybersecurity attack by an unauthorized third party. The malicious actor deployed ransomware to encrypt the Organization’s technology infrastructure and to exfiltrate data. On February 11, 2021, the Organization discovered that the unauthorized third party may have gained access to and may have exfiltrated the personal information of its team members and immediately undertook an additional investigation to determine the scope of …
P2021-ND-299

Sabre Instrument Services Ltd.

On December 16, 2020, as part of a ransomware attack, an unknown threat actor installed malware in the Organization’s system. The Organization determined that the malware harvested and copied usernames and passwords used by its employees to log into the Organization’s system. The malware would have automatically copied usernames and passwords that were in the system on December 16-17, 2020. The attack was discovered on December 17, 2020. The Organization’s investigation determined that while the …
P2021-ND-298

Alberta Teachers’ Association

On September 1, 2019, online applications for professional development scholarships and bursaries were inadvertently stored in a section of the Organization’s website that was accessible publicly. As a result, applicants’ contact information was returned as part of search-engine results when specific searches were conducted for the contact information data fields forming part of the application form. The breach was discovered on April 5, 2021, when a member of the Organization searched for her own email …
P2021-ND-297

SLR Consulting Ltd.

On February 28, 2021, the Organization was alerted to a ransomware attack on its systems, which encrypted its file servers, and ERP system in Europe and Asia Pacific. The threat actor left a ransom note claiming that data was extracted from the Organization’s systems, and also threatened to publish data. The Organization received evidence that data from servers located in the UK and Australia was extracted. Systems in Canada remain unaffected and secure. The incident …
P2021-ND-296

HSBC Investment Funds Inc.

The Organization’s customer agreements require customers to keep their contact details up to date, including their mailing address. From time to time, mail sent by the Organization to customers at their address on file is returned to sender. On the basis that such customers have not updated their mailing address, the Organization will place a return mail flag on their accounts directing that mail not be sent to their address until such time as their …
P2021-ND-295

FPI Management

On August 14, 2020, the Organization learned that it experienced a data security incident that disrupted access to certain of its systems. An unauthorized third party gained access to certain of the Organization’s systems and personal information stored on these systems was accessed or acquired without authorization. On March 3, 2021, the Organization determined that personal information belonging to one Alberta resident may have been accessed or acquired without authorization.
P2021-ND-294

Nissan Canada Inc.

The Organization is an affiliate of Nissan North America, Inc. (“Nissan NA”); the latter provides administrative services, including information technology services, to the Organization, and also provides a suite of connected vehicle services known as Nissan ConnectServices (and for the INFINITI brand, known as INFINITI InTouch Services) that allows vehicle owners to access vehicle information, stay connected to their vehicle, and get assistance when they need it. On January 2, 2021, the Organization became aware …
P2021-ND-293

Stella-Jones Inc.

On April 13, 2021, an employee with the Organization received a phishing email and did not realize it was not from a trusted source. The employee provided their username and password as well as multi-factor authentication code. The hacker then logged into the employee’s email and address book for several hours. The Organization reported, “There is no log showing the hacker copied this information, however he had access to it.” The hacker sent emails posing …
P2021-ND-292

First Canadian Title Company Limited

The Organization reported an incident “involving potential unauthorized access to personal information in [its] control”. On January 20, 2021, the affected individuals couriered documents to a representative of the Organization. The representative did not receive them. The package could not be located.
P2021-ND-291

Ross Taylor Financial Corporation

On January 18, 2021, the Organization became aware of a ransomware attack on its computer system by cyber criminals. The computer system was breached by criminals gaining access to the Organization’s internal network. On January 25, 2021, the Organization became aware that personal information had been taken and that the data stolen may be available online on the dark web.
P2021-ND-290

Omaze, Inc.

On October 8, 2020, the Organization was notified by the Federal Bureau of Investigation that it had potentially been subject to a cyber-attack, and a database of what was purported to be the Organization’s user data was available on a sharing and marketplace forum. The Organization reported that it appears the records were posted to the forum on July 19, 2020. The Organization identified that the posted database contained two datasets of purported user information, …
P2021-ND-289

Silverberg & Associates Inc.

On October 4, 2017, an employee of the Organization noticed that a suspicious email seemed to have originated from his email account. The employee opened his email account from his desktop and noticed that someone else seemed to have control of his computer. The perpetrator deleted some of the employee’s contacts, and sent and deleted folders, and also sent a phishing email to the employee’s contacts. The email account was secured on October 4, 2017. …
P2021-ND-288

News America

Between September 27 and October 4, 2018, an unauthorized third party attempted to gain access to Checkout 51 accounts via the Checkout 51 login application program interface (API). The incident arose out of an apparent reuse of usernames and passwords. The third party may have attempted to gain access to the Checkout 51 accounts of users who use the same username and password on multiple websites. When a new device or web browser successfully accesses …
P2021-ND-287

Mobile Service Center Canada Limited operating under the registered trade name “Mobile Klinik”

The Complainant took his cell phone into the Organization on September 7, 2019, for repair. The Complainant returned to the Organization the same day to pick up the phone. When the Complainant turned the phone on, photos and other information about another individual (the affected individual) were being downloaded onto the Complainant’s phone. The Complainant surmised that the micro SD card from the affected individual’s phone had been placed in the Complainant’s phone by the …
P2021-ND-286

The Portage la Prairie Mutual Insurance Company

On December 6 and 7, 2018, the Organization learned two of its employee email accounts were accessed by an unauthorized individual and used to send a number of phishing messages. The cause of the incident was determined to be phishing emails that had been sent to the two employees.
P2021-ND-285

Sunshine Village Corp.

Two individuals were involved in an on-mountain snowboarding collision in December 2018. In April 2019, one party involved in the collision contacted the Organization to request contact information of the other party. The Organization provided the information, mistakenly believing it had consent to disclose the information. The breach was discovered when the subject of the information contacted the Organization to inquire how the other party had obtained access to his contact information.
P2021-ND-284

Homewood Health Inc.

The Organization was the subject of a cyber-attack which resulted in the exfiltration and publication of client personal information on the data marketplace “Marketo.” The Organization’s investigation determined that the attack on the network began on or about March 9, 2021, when an unknown device accessed the server(s) and exfiltrated records. It is believed the threat actor obtained credentials via phishing, then used offensive tools (Cobalt Strike) to propagate the attack. The attacker also attempted …
P2021-ND-283

RBC Life Insurance

The Organization uses third party service providers to “assist … in the adjudication of … insurance claims.” On March 17, 2021, the Organization received a suspicious email from one of its third party suppliers. The suspicious email was reported to the third party on March 19, 2021. The third party investigated and determined that an employee email account was compromised on or about March 14, 2021. The affected email account contained personal information of the …
P2021-ND-282

8159181 Canada Inc. d/b/a Canadian Bitcoins

Between October 9 and 11, 2021, a database under the control of the Organization was accessed without authorization. The Organization reported that it “…initially became aware of unusual activity on its website on October 11, 2021, when its system automatically generated an error email.” At that time, the Organization disabled its website, investigated, and quarantined suspicious files. On October 21, 2021, the Organization “received an email from an anonymous perpetrator alleging that he/she had downloaded …
P2021-ND-281

Travel Healthcare Insurance Solutions Inc. o/a guard.me International Insurance

On or about June 19, 2021, the Organization was subject to an SQL injection attack. The attacker compromised two SQL databases; records were deleted and a ransom note was inserted.
P2021-ND-280

Servus Credit Union Ltd.

On January 20, 2021, the Organization’s Internal Audit department identified numerous instances where four employees of the organization had accessed account information of other employees and members without an authorized purpose. The accesses were discovered during a review into system access conducted in January. The Organization reported the unauthorized accesses occurred between November 2020 and February 2021.
P2021-ND-279

Airbnb Ireland UC

On September 24, 2020, the Organization discovered a technical issue that caused the incorrect messaging inbox to be displayed to certain users for a short period of time (i.e. three hours). During this time, users might have inadvertently accessed the messages of other users when attempting to use their own inbox. The Organization investigated and found that a defect in its content delivery network (CDN) caused certain users’ API requests to be cached incorrectly. The …
P2021-ND-278

College of Licensed Practical Nurses of Alberta

The Organization uses a Learning Management System (LMS), hosted by a third party service provider, Steppingstones Partnership, Inc. (Steppingstones). Steppingstones leases web servers and services from another third party, Web Hosting Canada. On October 14, 2020, Steppingstones received a notification from Web Hosting Canada concerning a security issue impacting one of their services. Several law enforcement agencies also discovered the incident on October 14, 2020, via a tweet that identified the compromised web address, and …
P2021-ND-277

The Manufacturers Life Insurance Company

On April 5, 2021, the Organization was notified of potentially unauthorized transaction activity on its web-based application involving customers of a contracted advisor. The perpetrator of the unauthorized access leveraged the advisor’s authentication credentials (username and password) to process fraudulent transactions. The Organization reported that the focus of the attack appears to have been financial fraud.
P2021-ND-276

Canfin Magellan Investments Inc.

On July 7, 2020, the Organization was informed by police that a stolen U-Haul van had been located and original documents belonging to the Organization were found in the van. The Organization believes the documents were stolen from a rented storage unit between August 2018 and June 2020. The Organization investigated the accounts of all affected active clients and did not identify any suspicious transactions or other account changes.
P2021-ND-275

Keyera Corp.

On October 27, 2020, the Organization’s human resources team uploaded certain personal employee information via a secure portal to a new group benefits and insurance provider for migration into the service provider’s systems. On November 4, 2020, an employee of the service provider inadvertently emailed a document containing the information at issue to an incorrect email address. The service provider confirmed the email was received by an active account in the “Hotmail” domain. The service …
P2021-ND-274

Alberta College of Social Workers

On March 3, 2021, the Organization mailed form letters, identifying steps required to avoid having a registration cancelled, to the wrong recipients. On March 9, 2021, one of the recipients telephoned the Organization to report the error. The Organization reported, “One letter was returned to the Organization’s office and the second letter was confirmed destroyed by the member.”
P2021-ND-273

College of Physicians & Surgeons of Alberta

On April 23, 2020, a team member with the Organization contacted the Registrar of another professional college requesting a telephone conversation regarding an employee of the Organization. The team member disclosed the FTE status of the employee, without their knowledge or consent. The other professional college did not provide information regarding the employee, but suggested communicating with the employee directly. On April 24, 2020, the employee contacted the team member to request that, in future, …
P2021-ND-272

US Fertility LLC and Shady Grove Fertility

On September 14, 2020, the Organizations discovered that a third party had gained unauthorized access to some computer systems. Data on some of the servers and workstations were encrypted by ransomware. A forensic investigation confirmed that the unauthorized actor acquired a limited number of files during the period of unauthorized access, which occurred between August 12, 2020 and September 14, 2020. The Organizations reported there is no evidence of actual misuse of personal information as …
P2021-ND-271

The Commonwell Mutual Insurance Group

On March 3, 2021, the Organization became aware that an unauthorized third party had gained access to its IT system on February 24, 2021. The Organization reported that the unauthorized third party was able to gain access to elevated privileges and launch Cobalt Strike. Some registries were modified and suspicious files were created on the system. On March 26, 2021, the Organization learned that certain personal information may have been exfiltrated. All internal systems were …
P2021-ND-270

YMCA of Northern Alberta

On February 4, 2021, the Organization was the target of a break and enter. A cabinet that contained personal information was stolen.
P2021-ND-269

AltaSteel Inc.

On February 2, 2021, the Organization mailed out pay statements. Due to a folding and stuffing error, every second employee received two pay statements – theirs and that of another employee. The breach was discovered on February 4, 2021, when an employee informed the Organization they had received another employee’s pay statement along with their own.
P2021-ND-268

Modern Solutions Counselling Services Ltd.

On January 11, 2021, an unknown individual(s) broke into the Organization’s office. The perpetrators stole a laptop that contained medical reports regarding 19 identifiable individuals. The laptop was password protected but not encrypted. There is no indication that the perpetrators have been able to access the information on the laptop. The perpetrators also stole an unknown number of cheque receipts related to services the Organization provided to individuals insured by Canada Life. It is believed …
P2021-ND-267

TAM International Inc.

On or about Saturday, October 24, 2020, cyber criminals encrypted some of the Organization’s servers and network-connected computers and demanded a ransom to decrypt them. They also claimed that they had stolen files from the Organization’s servers, targeting some of the executive team. The Organization’s investigation discovered that the attack originated from a company laptop for an employee based outside of the United States. The laptop was compromised via a phishing email in March 2020, …
P2021-ND-266

Woodstream Canada

On August 24, 2020, the Organization discovered that a third party gained unauthorized access to the e-commerce platform of DynaTrap, a subsidiary of the Organization. A vulnerability on the e-commerce platform allowed for unauthorized installation of code on compromised systems. Data sent to and from the e-commerce platform between August 24, 2020, until September 9, 2020 may have been intercepted. On September 9, 2020, the access was terminated. The Organization investigated and identified the potentially …
P2021-ND-265

Ivari

On April 12, 2021, an insurance advisor saw a blinking message on her computer screen. The message appeared to be from “Microsoft” and provided a number to call. The advisor called the number and followed instructions to download an “Ultraview”, which allowed an unauthorized party to gain control of her computer. The unauthorized party indicated the advisor’s email and online banking were hacked, and asked for the toll free number on the back of her …
P2021-ND-264

Baker Funeral Chapel Inc.

On April 21, 2021, the Organization was subject to a ransom attack, which encrypted its network system. The cyber-criminal asked for a bitcoin payment in order to obtain a key to unlock the system. The affected files included templates for funeral bulletins and obituaries that have been published in newspapers. The Organization believes the breach occurred due to an invoice attachment that came in an email. On April 22, 2021, the Organization reported that all …
P2021-ND-263

Insurance Bureau of Canada

On January 28, 2021, an unknown third party temporarily gained unauthorized access to the email account of an employee of the Organization through a targeted email phishing campaign. On February 3, 2021, the unauthorized individual subsequently used the account to send phishing messages to certain contacts in the employee’s mailbox. On February 4, 2021, the Organization alerted recipients of the February 3, 2021 message that it could pose a security risk and should not be …
P2021-ND-262

Take-Two Interactive Software, Inc.

On April 6, 2021, the Organization discovered that its web-store was the subject of a credential stuffing attack which took place between March 19 and 30, 2021. The unauthorized third party logged into accounts using valid credentials obtained from an unknown source. Once logged in, the unauthorized third party redeemed game codes and had access to personal information in the accounts.
P2021-ND-261

BSH Home Appliances

In early December 2020, the Organization investigated several customer complaints regarding unauthorized credit card transactions. The Organization discovered that a temporary employee in the United States had been improperly requesting credit card information from callers and using that information to make unauthorized purchases. The Organization promptly terminated the employee as such collection and use was not authorized and contrary to the Organization’s policies.
P2021-ND-260

Saskatchewan Blue Cross

On April 20, 2021, the Organization discovered it was the victim of a ransomware incident that resulted in the encryption of, and unauthorized access to, certain of its systems. The Organization determined that the incident was perpetrated by a third party threat actor that exfiltrated certain categories of data. The Organization’s investigation also determined that the root cause of the incident and compromise of its systems was likely through a phishing email, although the root …
P2021-ND-259

Le Creuset Canada Inc.

On June 7, 2021, the Organization discovered it was the subject of a cyberattack when a malware alert was triggered. An investigation determined that on or about June 4, 2021, a threat actor gained access to the Organization’s network via legacy network appliances/services and compromised credentials. It is not known how the credentials were obtained. The threat actor gained access to user accounts with elevated privileges through brute-force attack. The incident was contained on or …
P2021-ND-258

Blue Cross Life Insurance Company of Canada

On April 20, 2021, SBC discovered it was the victim of a ransomware incident that resulted in the encryption and unauthorized access to certain of its systems. On April 23, 2021, SBC advised the Organization that personal information relating to its disability claims might have been affected. On May 4, 2021, SBC advised the Organization that information relating to life and disability claims was accessed and provided an initial indication of the number of affected …
P2021-ND-257

Bunge Canada

The Organization reported that “a shipment of documents containing personal information was aboard a courier delivery vehicle that was stolen”. The incident occurred on March 11, 2021. The courier company reported the incident to the Organization and advised that it is working with law enforcement to retrieve the package.
P2021-ND-256

Canalta Real Estate Services o/a Ramada Cochrane

On February 28, 2021, a storage shed belonging to the Organization was broken into. The break-in was discovered on March 1, 2021, and reported to the RCMP. At the time, only recyclables were noticed to have been stolen. On March 15, 2021, the local police service contacted the Organization and advised they discovered 17 hotel documents containing personal information at a motel in the Calgary area.
P2021-ND-255

The Ferrance Group

On March 12, 2021, an employee with the Organization inadvertently sent an email containing a notice for online sessions to multiple email addresses using the “To” field instead of the “Bcc” field. The breach was discovered on March 13, 2021, when one of the recipients reported the error to the Organization.
P2021-ND-254

Victoria’s Secret Stores Brand Management

Between April 13, 2021 and April 14, 2021, the Organization learned that an unauthorized party gained access to personal information in certain of its online accounts. The Organization determined that the unauthorized access to the online accounts was caused by a credential-stuffing bot attack during the course of an application update. The Organization reported that the incident did not arise based on a breach of its security safeguards, but rather, the apparent reuse of legitimate, …
P2021-ND-253

Alberta College of Speech-Language Pathologists & Audiologists

On March 12, 2021, several employees of the Organization were the target of an email phishing attack. Two employees provided passwords that would give access to their email accounts. The Organization reported the breach was discovered when employees found that providing their password did not allow them to login to their email account. On March 13, 2021, the Organization identified one unknown actor gained access to the email account to one of the two employees’ …
P2021-ND-252

Goodfellow Inc.

The Organization reported that its core systems were encrypted with ransomware on September 24, 2020. A ransom demand indicated that sensitive information would be disclosed if a payment was not made. There is evidence that some personal information was exfiltrated but the full scope of the exfiltration has not yet been determined. As of the date of the Organization’s report of the breach, there is no information indicating that any personal information that may have …
P2021-ND-251

E & J Gallo Winery

On November 17, 2020, the Organization experienced a cyber incident designed to encrypt files and disrupt its business operations. An investigation determined that an unauthorized party gained access to the Organization’s systems between November 7, 2020 and November 17, 2020, during which time certain information on some servers may have been accessed or acquired. The Organization reported the breach was discovered on January 15, 2021, when unusual activity occurred on the network.
P2021-ND-250

Airbnb Ireland UC

On April 2, 2021, the Organization discovered a technical vulnerability involving user accounts that had been subject to an “account takeover” (ATO). The Organization reported that the vulnerability did not cause the ATOs; however, it permitted a malicious actor engaged in an ATO to remain logged in to user accounts after the Organization had taken steps to terminate access and force a password reset. The Organization reported it previously informed its users that their accounts …
P2021-ND-249

Vision Credit Union Ltd.

On December 10, 2020 and March 25, 2021, the Organization forwarded personal information by email to an incorrect email address. The unintended recipient mentioned in a Facebook posting that they had received someone else’s information. The Organization reported the breach was discovered on April 23, 2021.
P2021-ND-248

American Frame Corporation

On August 1, 2020, the Organization was the subject of a cyberattack involving the encryption of data and a ransom demand in exchange for decryption (ransomware). The Organization reported that personal information was exposed and may have been accessed during the attack.
P2021-ND-247

Hayward Pool Products Canada, Inc.

A document containing personal information about customers was intended to be placed in a password-protected secure folder that could only be viewed within the Organization by those with access to it via password. Inadvertently, the document was placed in a different folder that was not password-protected and whose contents could be viewed online outside of the Organization. The breach was discovered on February 10, 2021, when a member of the public notified the Organization that …
P2021-ND-246

Canadian Western Financial Ltd. (Mutual Fund Dealer, subsidiary of Canadian Western Bank)

A client with the Organization requested that email correspondence be sent to him at two separate email addresses: one a work email and the other a personal email. An employee with the Organization entered the personal email address of the client incorrectly when sending an email on January 28, 2021. The breach was discovered on February 1, 2021 when the client successfully received the email at his work email address and noticed that the personal …
P2021-ND-245

World Financial Group Insurance Agency of Canada

On January 28, 2021, an agent’s assistant sent emails containing a partially completed trade ticket to a client for his review and signature. The client notified the agent that no email was received. On January 29, 2021, the agent’s assistant resent the emails. Again, the client confirmed that no email was received. The agent checked his assistant’s outbox and noticed that the email address for the client was incorrect.
P2021-ND-244

Florinda Financial Planning Inc.

On April 5, 2021, the Organization learned that its customers were impacted by unusual activity that was transacted through a third party web-based portal. The Organization reported that the breach appears to be the result of unauthorized access using an advisor’s authentication credentials (username and password). The Organization reported that this unauthorized access by the perpetrator appears to have been used to process fraudulent transactions on customer accounts. The breach occurred between March 23, 2021 …
P2021-ND-243

SkipTheDishes Restaurant Services Inc.

On April 5, 2021, the Organization learned of suspicious activity on its network. The Organization investigated and found a small number of instances where fraudsters were bypassing two-factor authentication (2FA) by chatting with agents, posing as customers and requesting that account telephone numbers be changed. In most cases, the fraudster was able to supply the original telephone number on the account, as well as the customer’s email address and, in some cases, a delivery address. …
P2021-ND-242

Westech Industrial Ltd.

On February 10, 2021, the Organization detected suspicious network activity on its servers. The following day, February 11, 2021, the Organization received a ransom demand via email. The Organization reports that although deployment of ransomware was threatened, no malicious files were found nor were files encrypted. No root cause of the breach was identified.
P2021-ND-241

The Debriefing Academy Inc.

The Organization uses a third party (Webeteer Inc.) for website development and support. At the time of the breach, Webeteer Inc. subcontracted hosting to another third party, GreenGeeks. On December 6, 2020, the Organization found that its WordPress website was not functioning properly. The Organization notified its website development provider who subsequently responded to the incident. The Organization determined that a malicious actor gained access to the server environment, which includes a database of registered …
P2021-ND-240

TGM Law

On October 7, 2020, the Organization’s office was broken into. The perpetrators stole a laptop, petty cash, and other physical items. The laptop was linked to a cloud server. The Organization reported that “We have no indication the informaiton (sic) on this laptop has been accessed.”
P2021-ND-239

Forty Creek Distillery Ltd. o/a Campari Canada

On November 1, 2020, the Organization detected that it was the target of a malware attack. The unauthorized actor gained access to certain of the Organization’s servers, which included some employee and contractor information contained in the Organization’s global email and telephone directory. The Organization reported it believes the unauthorized actors accessed the network between October 28 and October 29, and perhaps even as early as October 21, 2020.
P2021-ND-238

Dillon Consulting Ltd.

The Organization was a victim of a ransomware attack that encrypted its entire operational IT infrastructure. On the morning of July 10, 2020, the attackers gained access to four (4) workstations and between July 10 and July 19, 2020, the threat actor was able to compromise multiple servers, encrypting all information, and effectively holding the Organization’s operational data hostage. The ransom note indicated that data was exfiltrated, though it did not describe the data. The …
P2021-ND-237

Trans Union of Canada Inc.

The Organization operates an online consumer solutions portal called “OCS”, which enables consumers to access their consumer disclosure. Each time a consumer wishes to access credit information through OCS, the consumer must provide sufficient personal information to match to their credit file and then authenticate their identity by successfully answering a series of questions generated from information on their credit file, as well as other sources. On October 22, 2020, the Organization noticed an unusually …
P2021-ND-236

IMI Precision Engineering d/b/a Bimba Manufacturing

On November 20, 2020, the Organization’s vendor was informed that the vendor’s service provider had a vulnerability on the server(s) that hosted one of the Organization’s websites, Bimba.com. As a result, an unauthorized user may have been able to access or acquire the personal information of the Organization’s customers. The unauthorized user inserted malicious code into web files causing unencrypted copies of e-commerce transaction data to be diverted to the unauthorized user. The information may …
P2021-ND-235

Calgary Meals on Wheels

On January 4, 2021, a driver with the Organization inadvertently left a clipboard with client addresses attached on top of his vehicle while out on delivery. The clipboard slid off the car roof. The driver realized the clipboard was missing and drove back. The driver was able to retrieve the clipboard but none of the sheets with addresses were attached to it. The Organization said, “Given the wet and slushy road conditions, the information most …
P2021-ND-234

A.K. Ross Professional Corporation

On June 3, 2019, the Organization’s internet service provider upgraded its modem to a newer model; however, the new modem was not set up with the same privacy settings as the old modem. On February 19, 2020, the Organization was notified by one of its clients that a tax document from 2015 stored on the back-up drive at the Organization’s office had been accessed by his bank’s security department. Upon review of the drive, it …
P2021-ND-233

Women Building Futures Society

On January 6, 2021, an employee with the Organization sent an email containing a student’s financial information to another student in error. This was the result of typing in an incorrect email address. The breach was discovered the same day when another recipient of the email, an employee of the Organization, contacted the sender to advise of the error.
P2021-ND-232

2364920 Alberta LTD. o/a PORTpass Inc.

The Organization initially reported that, on September 27, 2021, it was notified by a journalist about a “vulnerability on our end-point of a url that was hidden on the web portal version …”. The breach occurred when the Organization’s “external team” was “adding various end-to-end encryption on the web portal version on AWS for users that don’t have mobile phones for the app”. The Organization reported that it turned off its server “within 5 minutes …
P2021-ND-231

New Arlington Realty Inc.

On or about November 11, 2020, a workstation and user account were compromised by an unauthorized third party, enabling a threat actor to access the Organization’s network. On November 14, 2020, after ransomware had been deployed on the network, the Organization’s Information Technology (IT) provider discovered the breach. A ransom note was also found. Further investigation found that the compromised workstation and user account had authorizations and administrative access beyond what was necessary.
P2021-ND-230

La Leche League International

In May 2020, the Organization’s cloud-based software and data hosting solutions provider (Blackbaud) was targeted by a ransomware attack during which threat actors managed to remove a subset of data from Blackbaud’s self-hosted environment, which included data being processed by Blackbaud for the Organization. On or around July 16, 2020, the Organization received a notification from Blackbaud informing it of the incident. The cybercriminal encrypted Blackbaud’s data and demanded a ransom payment.
P2021-ND-229

Christian Labour Association of Canada

On October 15, 2020, the Organization was subject to a ransomware attack. The Organization reports that servers were encrypted and records were likely exfiltrated. The Organization was unable to determine how the attacker gained access to their environment.
P2021-ND-228

SE Canada Inc.

On November 11, 2020, the Organization discovered that it was the victim of a ransomware attack by an unauthorized third party. Based on its investigation, the Organization determined that the unauthorized user possibly had access to its systems as early as October 9, 2020. The Organization reported that there is no indication that the data has been used or misused.
P2021-ND-227

American Health Information Management Association

The Organization maintains an online store (https://my.ahima.org/store/), through which customers can make purchases and register for courses. The Organization learned of potential suspicious activity occurring in the online store, took immediate steps to secure its system and conducted an internal investigation. On December 3, 2020, the Organization’s investigation determined that the incident involved the payment card information of customers who made purchases through the online store between June 26, 2020 and June 29, 2020 as …
P2021-ND-226

College of Licensed Practical Nurses of Alberta

The Organization received a complaint alleging unprofessional conduct by a member. On November 6, 2020, an employee inadvertently emailed the letter to an unintended recipient, instead of the Complaints Director. The unintended recipient is another member. The unintended recipient notified the Organization of the error. The Organization telephoned the unintended recipient on November 13, 2020 to discuss deleting the complaint and assisted in deleting the email. The unintended recipient confirmed through email on November 13, …
P2021-ND-225

Employee Benefit Funds Administration Ltd.

On October 23, 2020, the Organization sent a member’s pension statement to another plan member in error. The unintended recipient notified the Organization of the error the same day.
P2021-ND-224

Bear Creek Funeral Home

On October 27, 2020, the Organization placed an envelope of documents and a small parcel of ashes in a Canada Post mailbox in Grande Prairie AB. In November 2020, the Organization contacted Canada Post to see if the package had been scanned in yet. Canada Post informed the Organization that the package had not been received at distribution and to check back. On March 10, 2021, the Organization opened a ticket with Canada Post to …
P2021-ND-223

Walton Global Holdings, Ltd.

On May 4, 2020, a threat actor used a compromised Organizational email account to fraudulently request a large wire transfer. The employee(s) who received the wire transfer request sought verbal confirmation from the requestor. Upon doing so, it was discovered that the request was fraudulent. The Organization’s investigation determined that the threat actor had access to two email accounts between April 7 and May 20, 2020. The email accounts contained personal information which would have …
P2021-ND-222

Anvil Corporation

On March 11, 2021, the Organization suffered a ransomware attack. It was later determined that the attacker had access to the Organization’s network as early as February 9, 2021. The root cause of the initial breach was not reported. On April 12, 2021, the Organization’s investigation determined that attackers were able to view and download records containing the personal information of current and former employees.
P2021-ND-221

Wealthsimple Inc.

On March 5, 2021, the Organization detected unauthorized access to user accounts. It reported the unauthorized access was the result of a credential-stuffing attack. An investigation determined that the credentials were not obtained from the Organization’s network. Instead, it is believed that the unauthorized actor obtained user account credentials from a third party. Subsequently, individuals who re-used the same username and password combination for other services, as obtained by the attacker from the third party, …
P2021-ND-220

Syncrude Canada Ltd.

The Organization’s information and technology support services are supplied by an external IT service provider. These services include the management of a server used by the Organization’s payroll to store payroll files. On August 11, 2021, an analyst with the Organization was performing testing and noticed improper server access settings, enabling access by all users with a LAN account logged into the network. The improper server access settings were in place as early as June …
P2021-ND-219

START Architecture Inc.

On January 25, 2021, the Organization discovered suspicious activity from one of its email accounts. The Organization determined that an employee with the Organization was a victim of a phishing attack that compromised their email mailbox login credentials. Between January 14, 2021 and January 25, 2021, the perpetrator used the credentials to send further phishing emails from the impacted person’s account.
P2021-ND-218

UiPath SRL

On approximately November 30, 2020, a third party notified the Organization that a file containing what appeared to be registration information of certain UiPath Academy participants was accessible on a publicly-available website. The Organization investigated and determined that the content of the file identified by the third party matched the content of a file maintained by the Organization on a third-party cloud server. This file was last updated by the Organization on approximately March 17, …
P2021-ND-217

Calgary House of Cars 6 Inc.

On December 7, 2020, the Organization discovered that intruder(s) gained access to their office and seized a desktop computer, as well as hard copies of certain files. The computer is password-protected and is being monitored via the Organization’s system. The Organization reported that it would be necessary for any illicit user to hack the device’s password as well as several further levels of encrypted software in order to access information on the system; further, all …
P2021-ND-216

Guillevin International Co.

On September 8, 2020, the Organization was the subject of a ransomware attack. A user account, compromised by phishing, was used in the incident. It is reported that the attackers may have had access to the Organization’s network as early as August 13, 2020. The Organization’s investigation determined that personal information was exfiltrated; however, some of the records were protected with a password.
P2021-ND-215

Sonita Goehring Counselling Services Inc.

On February 22, 2021, a student accessed a client’s confidential file without authorization. The breach was discovered the same day.
P2021-ND-214

IPC Securities Corporation

On March 1, 2020, a client emailed the Organization to advise that his mail was being delivered to his old address and to provide the Organization with his updated address. An employee matched the client name to another client in the Organization’s database who had an identical first and last name and similar address. The employee did not validate additional information to ensure the correct client information was updated. Between March 1, 2020 and July …
P2021-ND-213

Wilson M. Beck Insurance (Alberta) Inc.

On February 2, 2021, a phishing email was sent to an employee of the Organization. The breach was discovered on February 2, 2021 when an employee emailed the Organization’s IT department after a client reached out regarding a suspicious email received from the employee.
P2021-ND-212

Richardson Wealth Limited

On January 28, 2021, an employee with the Organization clicked on a link in a phishing email, which gave unauthorized actors her credentials and access to the employee’s email box. The Organization conducted a review and determined that there were 16 emails that contained sensitive personal information that could potentially create a risk of harm for five individuals in Alberta. The Organization reported that it is unknown whether the unauthorized actors actually read the emails and …
P2021-ND-211

Fat Face Ltd.

On January 17, 2021, the Organization identified suspicious activity within its IT systems. An investigation determined that unidentified threat actors gained access to certain systems during a limited period of time from December 25, 2020. On January 18, 2021, the Organization contained the incident and began reviewing and categorizing the data potentially involved in the incident. On March 9, 2021, the Organization determined that there are a number of customers in the database tables that …
P2021-ND-210

Assured Psychology

The Organization sent a series of emails to a new client, related to scheduling an appointment. On December 31, 2021, the Organization discovered that the emails were sent to the wrong email address. The Organization reported the incident occurred between December 22, 2020 and December 31, 2020.
P2021-ND-209

Zumiez Canada Holdings Inc.

On January 18, 2021, the Organization discovered suspicious activity involving its Canadian e-commerce platform (www.zumiez.ca). The Organization identified and removed unauthorized script in the code the same day. The added code was capable of obtaining information entered by customers during the checkout process and sending it out of its system. The Organization’s investigation shows the code was first added on August 16, 2020 and there were several times between August 16, 2020 and January 16, …
P2021-ND-208

Golf Avenue Inc.

On January 7, 2021, the Organization discovered a key logger on its e-commerce platform upon completing a routine vulnerability scan. The Organization confirmed that, on December 27, 2020, an administrator account was used to upload a picture containing malicious PHP code to the Organization’s catalog of website photos. The malicious code acted as a key logger that captured the information entered by the Organization’s customers upon checkout. Customer personal information and payment details entered on …
P2021-ND-207

Southport Psychology Inc.

On May 27, 2020 and June 1, 2020, the Organization mistakenly sent a completed intake package to two unintended recipients, instead of a blank form. On June 1, 2020 and June 2, 2020, the unintended recipients notified the Organization of the error. The Organization asked the unintended recipients to delete all records received in error.
P2021-ND-206

Edward Jones (an Ontario Limited Partnership) (Edward Jones Canada)

On May 11, 2020, the Organization detected unusual attempts to access certain client information. The Organization took steps to block access and to investigate. The Organization determined that between March 30 and May 18, 2020, an unauthorized party leveraged client credentials to access client account information. The Organization reported it has no evidence that these usernames and passwords were obtained through its systems. The Organization reported that the attack merely confirmed that the credentials were …
P2021-ND-205

PFSL Investments (Canada) Ltd.

Sometime between June 7-8, 2020, a burglary took place at the office of one of the Organization’s independent sales representatives. An unknown individual(s) broke into locked filing cabinets and removed various client files. The Organization suspects that the files may have contained personal information.
P2021-ND-204

Wealthsimple Financial Corp.

On October 13, 2020, the Organization became aware of a credential stuffing incident involving suspicious attempts to access data from certain user accounts. The unauthorized third party was able to log into client accounts between October 9, 2020, and October 13, 2020, using a valid email address and password. The Organization’s investigation discovered that passwords were not obtained from its systems. The Organization believes that an unauthorized individual may have obtained client passwords from another …
P2021-ND-203

The Canada Life Insurance Company

The Organization provides group benefits plans and services. Plan members access benefits services, information, and submit claims via a website provided by the Organization. On June 23, 2020, a software upgrade for the plan member website resulted in caching issues; when plan members attempted to access their information on the website, they were instead shown information about a different plan member. The Organization took the service offline after a plan member called in to advise …
P2021-ND-202

Minerals Technologies Inc.

On or about October 20, 2020, the Organization was victim to a ransomware attack. The incident was discovered when employees found access to their devices was restricted. On October 22, 2020, the Organization’s breach investigation determined that personal information about its current and former employees may have been accessed by the threat actor.
P2021-ND-201

Datatax Business Services Limited

On December 18, 2020, the Organization was victim to a ransomware (MountLocker) attack that infected several PCs and servers. The incident was discovered the same day when staff found anomalous files on their computers. The Organization was unable to determine the cause or entry point of the attack.
P2021-ND-200

USNR, LLC

On or about September 28, 2020, an employee downloaded and executed a malicious software (Chrome) update. The malicious update contained malware that enabled attackers to remotely access the Organization’s network without authorization. On October 25, 2020, approximately a month after the initial breach, the attackers encrypted various systems. The intrusion was detected on the same day when encrypted files and a ransom note were found. It is reported that the attacker was able to access …
P2021-ND-199

Home Hardware Stores Limited

On February 18, 2021, the Organization’s Information Technology (IT) staff found maliciously encrypted files while troubleshooting IT infrastructure that was not operating properly. Investigation of the incident determined that suspicious network activity began on February 12, 2021, when an unauthorized party appeared to be logging in and testing credentials. The unauthorized party deployed “hacking tools” on February 16 and 17, 2021. Lastly, a ransomware attack was deployed on February 18, 2021. Attempts to attack the …
P2021-ND-198

Royal Camp Services Ltd. and its subsidiaries and affiliates Summit Camp Services Ltd. and Chief Isaac Summit Camp Services Ltd.

On August 26, 2020, the Organization was the victim of a cybersecurity attack by an unauthorized third party who deployed ransomware and encrypted parts of the Organization’s technology infrastructure. The Organization discovered that the unauthorized third party may have gained access to the personal information of current and former employees of subsidiaries and affiliates. The Organization reported there was no evidence of exfiltration of files. The Organization determined that the unauthorized user had access to …
P2021-ND-197

Combined Insurance Company of America

On Friday, October 30, 2020, an employee sent an email and mistakenly added the contact list of email recipients to the email itself. The list contained contact information of 415 individuals (independent contractors) and was emailed to all 415 individuals on the list. The contact list was not password protected. The employee who sent the email discovered the error and tried to recall it. On November 2, 2020, an email was sent to all recipients …
P2021-ND-196

DirectVapor, Inc.

On September 23, 2020, the Organization became aware of suspicious activity associated with its online checkout page. The Organization investigated and determined that an unauthorized user had gained access to its online payment platform and payment card information entered between September 14, 2020 through September 23, 2020.
P2021-ND-195

Angeion Group

On July 17, 2020, the Organization learned that between March 30, 2020 and May 4, 2020, an unknown unauthorized third party remotely accessed the corporate email box of an employee. The email box included personal information associated with claims administration files and related communications. The Organization reported that the cause of the unauthorized access has not been determined. The breach was discovered on July 17, 2020 in the course of investigating another matter involving the …
P2021-ND-194

Victoria’s Secret Stores Brand Management

The Organization experienced a credential-stuffing attack which took place over an approximately four-hour period on November 9, 2020. As a result, an unauthorized individual gained access to personal information in certain of the Organization’s online accounts. The attack was detected and later blocked by the Organization while it was still in progress. The Organization reported that, based on its investigation, the incident resulted from the apparent reuse of legitimate, recycled credentials (usernames and passwords) that …
P2021-ND-193

Mosaic Primary Care Network

On October 17, 2020, a shared administrative user account was used to gain unauthorized access to the Organization’s Office 365 SharePoint site (and linked files). An audit log review revealed that the threat actor accessed, viewed, and downloaded files, and uploaded a file (an image file - ransomware.jpg) from/to the Organization’s SharePoint site. User accounts were also removed from the site. The breach was discovered on October 17, 2020.
P2021-ND-192

SiteOne Landscape Supply, Inc.

Between July 2 and July 14, 2020, the Organization’s network was subject to unauthorized access, including the exfiltration of files, by a threat actor. A threat actor gained access to the Organization’s network using the account credentials of an employee. It is unclear how the credentials were compromised. The incident was discovered on July 14, 2020, when an internal alert notified the Organization that one of its systems was down. On September 4, 2020, the …
P2021-ND-191

College of Physicians and Surgeons of Alberta

The Organization received a complaint from a physician about three other physicians. The full complaint was copied to all three physicians on November 18, 2019, without redacting the complaint information about the other physicians. A second breach occurred when the resulting Investigation Report was sent to all three physicians on March 2, 2020, allowing each physician to see the practices of the others, as well as the complaint history and formal undertaking that one of …
P2021-ND-190

Power Survey and Equipment Ltd DBA Powerside

On August 10, 2020, the Organization received a suspicious phishing email from fraudsters impersonating an employee. Upon learning of the incident on August 31, 2020, the Organization investigated. As a result of the investigation, the Organization believes that an unauthorized person breached its email security systems and accessed the email account of its employee. The Organization believes that the intruder had access to this employee’s emails and contact information and set up an email forwarding …
P2021-ND-189

TingleMerrett LLP

On June 23, 2020, the Organization attempted to serve its client’s documents on an opposing self-represented party via both courier and email. On June 26, 2020, the recipient advised the Organization that the documents were served on an incorrect email address. The Organization immediately requested the unintended recipient delete all material sent via email. On June 26, 2020, the Organization advised the opposing party of the inadvertent disclosure of her personal information to the unintended …
P2021-ND-188

rewardStyle Inc.

On March 8, 2020, the Organization identified unusual activity on its websites rewardstyle.com and about.rewardstyle.com. The Organization investigated and found that an attacker had the ability to take over and redirect the website URLs but the investigation was inconclusive with respect to any access to the Organization’s information. The Organization reported that there was no unauthorized activity after March 8, 2020. On June 1, 2020, the Organization discovered that unauthorized individual(s) may have acquired certain …
P2021-ND-187

Edward Jones (an Ontario Limited Partnership) (Edward Jones Canada)

On Thursday, July 23, 2020, the Organization received a notice from its service provider, SEI Investments Canada Company (SEI), about a security incident. SEI informed the Organization that personal information in the custody of SEI’s own service provider, M. J. Brunner, Inc. (Brunner) was affected by a ransomware attack. Brunner provides services to SEI in connection with optimizing the delivery of SEI’s services. The Organization reported that the attack on SEI’s vendor systems occurred on …
P2021-ND-186

FreeThink Capital Inc.

On or around July 15-16, 2020, an intruder broke into the Organization’s office. Some unopened mail was moved on the reception desk, all locked filing cabinets were forcibly opened, and some paperwork was removed. The Organization does not believe that any of the mail or paperwork was taken. Other than small amounts of cash found in employee workstations, the only piece of office hardware stolen was an employee’s laptop. The Organization is confident that the …
P2021-ND-185

2026465 Alberta Ltd.

The Organization reported that, in January 2020, a number of employees requested their T4 tax forms. The Organization’s accountant emailed the tax forms to the Organization; the same email was then forwarded to the employees. As a result, the employees inadvertently received all T4s and not just their own. In January 2021, one of the employees made a complaint to my office about receiving his/her T4 tax form with other tax forms in the same …
P2021-ND-184

The Association canadienne-francaise de L’Alberta

Le Journal Franco-Albertain Ltee. (Le Franco) is a corporation incorporated under the Business Corporations Act. The Organization took over the administration of Le Franco pursuant to a Unanimous Shareholders Agreement. As a result, the powers of the present Members of the Board of Le Franco were suspended. The Organization became aware that a former Board Member of Le Franco posted personal information on his personal Facebook account that may contain personal information of a former …
P2021-ND-183

Center Street Church

On June 13, 2020, the Organization began to experience system outages. An investigation revealed that two servers had been encrypted by ransomware. The Organization did not pay the ransom and reported the incident to the authorities. The Organization restored the servers from backup copies. The Organization reported that it does not have any evidence or direct indication that sensitive data was copied (exfiltrated) in addition to being encrypted, but said it cannot rule out the …
P2021-ND-182

New Horizons Car & Truck Rentals Inc., operating as Discount Car and Truck Rentals

On January 20, 2021, the Organization was the victim of a cyber-attack. The breach was detected 19 days later on February 8, 2021, when the Organization detected ransomware on its systems. The Organization’s investigation determined that, in addition to encrypting some servers, the attacker may have exfiltrated unstructured email and email attachment data from some of the Organization’s systems. The root cause of the incident was not reported by the Organization.
P2021-ND-181

Leede Jones Gable Inc.

On September 27, 2020, the Organization was the victim of a ransomware attack. The incident was discovered the same day when employees were unable to remotely access some systems. The attacker used compromised account credentials to access the Organization’s network over a VPN and then deployed post-exploitation tools and ransomware. The attacker encrypted a number of the Organization’s servers and PCs, and exfiltrated data. Exfiltrated records were published on the dark web for four days prior …
P2021-ND-180

National Intramural and Recreational Sports Association

The Organization uses a third-party service provider for e-commerce. On or around May 7, 2020, the Organization’s third-party vendor reported a known vulnerability impacting the Organization’s systems. The Organization investigated the vulnerability, and on May 26, 2020, became aware of suspicious activity on its e-commerce site. It was discovered that an unauthorized party exploited the vulnerability on April 6, 2020, exposing personal information. The Organization reported ending the breach on June 3, 2020. On July …
P2021-ND-179

NUUD Inc. o/a HUSH Lingerie and More

On February 5, 2019, the Organization was informed by another franchise owner that individuals from the corporate store entered the Organization’s location saying they were there to update the Organization’s point of sale system. The Organization believed these actions to be suspicious as the corporate office did not provide IT support previously. On February 8, 2019, the Organization discovered spyware (called “Spyrix”) installed on its computer remotely. On February 14, 2019, the Organization contacted the …
P2021-ND-178

Underwriters Laboratories of Canada Inc.

On February 13, 2021, the Organization detected unusual activity on its systems. The Organization found that the unusual activity related to an attempt to encrypt certain systems by an unauthorised third party. The Organization’s preliminary findings indicated that the threat actor’s primary objective was to cause disruption to the Organization’s operations in order to extract a ransom. The Organization reported it has no reason to believe that any personal data relating to data subjects in …
P2021-ND-177

Brewmaster Coffee Enterprises (M.H.) Inc.

Sometime between May 15 and May 29, 2020, two flash drives used to store encrypted and unencrypted electronic data were misplaced or lost. The breach was discovered on May 29, 2020, when the device was needed for an update and could not be found.
P2021-ND-176

Keyera Corp.

On July 13, 2020, an employee with the Organization sent an email containing PDF copies of an employee’s termination letter to an unknown recipient with an email address similar to the employee. The error was discovered the following day when the intended recipient contacted the Organization asking about the status of the email. The Organization tried to recall the email and confirm its deletion, but could not do so.
P2021-ND-175

Canadian Medical Association

Between October 6 and 21, 2020, as the result of a phishing incident, email messages received in an employee’s inbox were forwarded to an unknown webmail account. The incident was discovered on October 21, 2020 by the Organization’s IT team. Several employees received the message, but only one employee clicked on the “attachment”. The Organization reported it is not aware of any incidents of unauthorized use of the information at issue, and the Organization’s data breach monitoring …
P2021-ND-174

BDO Canada LLP

Sometime between April 3, 2020 and April 6, 2020, the Organization’s Edmonton office was broken into. The break-in was discovered on April 6, 2020 when an employee attended at the office. At the time of the break-in, the Organization did not identify any missing personal information; however, it reported it now believes that Canada Revenue Agency 2019 Pre-Bankruptcy Notices of Assessment and accompanying cheques may have been stolen. The documents had been sent to the …
P2021-ND-173

NFP Canada Corp.

On August 7, 2020, one of the Organization’s client service representatives sent a waiver form to a client which contained the new address of her ex-husband. On the same day, the ex-husband notified the Organization that his new address should not have appeared on the document. The Organization reported that all communications had previously been jointly with the husband and wife (both were copied on all emails) and at no point did the husband tell …
P2021-ND-172

Co-operators General Insurance Company (CGIC), Co-operators Life Insurance Company (CLIC)

In late 2019, the Organization discovered that an employee with one of its independent agencies emailed several documents containing client personal information to his personal email account. The Organization also discovered that this individual might have taken physical documents containing client personal information. The Organization reported that, at the time, the individual was an employee with the independent agency and thus a representative of the Organization and while the emailing was inappropriate, the Organization felt …
P2021-ND-171

World Financial Group Canada Inc.

On or about April 6, 2020, an advisor with the Organization had their vehicle stolen from their driveway. In the vehicle was a workbag with a password-protected laptop containing client information. The advisor’s spouse discovered that the vehicle was missing on their way to work.
P2021-ND-170

Rocky Credit Union Ltd.

On June 18, 2020, an employee with the Organization was helping a member who asked for balances on his accounts. The employee was possibly in the member’s wife’s profile, and gave the balance of a youth’s savings account to the member. The member is not a signer on the youth’s savings account and therefore should not have had that information. The breach was discovered the same day, when the member’s wife contacted the Organization to …
P2021-ND-169

Cornerstone Building Brands

On August 3, 2020, the Organization discovered unusual network activity. The Organization’s investigation determined that an unauthorized party gained access to the network between August 3, 2020 and August 9, 2020. The Organization conducted a comprehensive review of all files involved, and determined on October 22, 2020, that they contained personal information. The unauthorized party acquired copies of certain information pertaining to a limited number of individuals that was stored within the Organization’s systems. The …
P2021-ND-168

ARCH Psychological Services

On September 25, 2020, an email attachment containing the name of a potential client and a preliminary retainer agreement was sent in error to the wrong potential client. The error was discovered on September 28, 2020 when the Organization was reviewing the previous day’s communications. The Organization reported that it emailed and left numerous telephone messages to obtain acknowledgment of the communication and asking the unintended recipient to delete the email with the incorrect attachment. …
P2021-ND-167

Gienow Renovations

On August 3, 2020, the Organization discovered unusual network activity. The Organization’s investigation determined that an unauthorized party gained access to the network between August 3, 2020 and August 9, 2020. The unauthorized party acquired copies of certain information pertaining to a limited number of individuals that was stored within the Organization’s systems. The Organization reported that it had no evidence that the personal information has been misused, and arranged for the unauthorized party to …
P2021-ND-166

Communauto Inc.

Between December 19 and 20, 2020, the Organization was victim to ransomware (Sodinokibi), resulting in the encryption of a significant number of servers and workstations. It is reported that an administrative password was compromised as a result of phishing, and was subsequently used in the attack. The Organization reports that the threat actor exfiltrated records from its servers. It is also stated that the attackers eventually destroyed the records they exfiltrated.
P2021-ND-165

American College of Emergency Physicians

On September 7, 2020, the Organization discovered unusual activity on its e-commerce site and commenced an investigation. On September 24, 2020, the investigation confirmed that payment card information used for a subset of purchases on the e-commerce site between May 21, 2020 and September 22, 2020 was potentially subject to unauthorized acquisition. Once the Organization confirmed the scope of the incident, it took steps to identify which customers may have been impacted and identified address …
P2021-ND-164

RBC Life Insurance

A claimant submitted a claim under a group disability policy owned by the claimant’s employer. On June 29, 2020, the Organization drafted two separate letters to communicate their decision about the claim. One letter addressed to the claimant included the details of the decision and the second letter addressed to the employer included limited details. In error, the mail room placed both letters into the same envelope addressed to the employer. On July 23, 2020, …
P2021-ND-163

Clear Sky Capital Inc.

On May 1, 2020, the Organization’s accounting firm mailed end of year tax forms to the Organization’s clients. The tax forms were inadvertently printed double-sided. As a result, certain clients of the Organization received their own tax form and the tax form for another client.
P2021-ND-162

Johnston Group Inc.

The Organization is an employee benefits plan administrator and its client portal allows individuals to submit and track medical claims through their employers’ plan. On November 9, 2020, the Organization was subject to a brute-force attack against the Organization’s client portal. The actors were trying to gain access to client accounts by trying to log in with various account names (many of which were invalid). The Organization determined that the login attempts came from a …
P2021-ND-161

YSS Corp.

On May 15, 2020, the Organization was informed that on or about May 9 or 10, 2020, an unknown individual gained entry to the Organization’s Head Office in Calgary. The Organization determined that no paperwork, including personnel or payroll records, was missing and, accordingly, it initially believed that there was no loss of or unauthorized access to personal information. On August 4, 2020, the local police service (CPS) contacted the Organization as a part of …
P2021-ND-160

Alberta College of Social Workers

On July 22, 2020, an academic transcript was received and uploaded to a database but was attached to the wrong member profile. The breach was discovered on August 3, 2020, when a member found the document attached to their member profile and reported the error to the Organization.
P2021-ND-159

NeuroTrition Inc.

On or about October 3, 2020, the Organization was informed that an account held with “Mail Chimp” had been closed. The Organization learned that a former contractor had accessed the account without authorization, closed it without the Organization’s knowledge, and retained account information from Mail Chimp without the Organization’s knowledge or consent, on or about September 29 – October 3, 2020. The Organization reported that there is no evidence that the Organization’s membership information was …
P2021-ND-158

Grant Thornton LLP

On April 30, 2020, the Organization learned that an unauthorized individual accessed one of its employee’s email accounts. The unauthorized individual sent phishing emails from the account to others at the Organization and later gained access to eight other employee email accounts. The Organization reported that no other employee accounts were affected, nor were other parts of the Organization’s system or business. The Organization reported that it has no evidence that any information was accessed, …
P2021-ND-157

Home Depot of Canada Inc.

On October 27, 2020, the Organization experienced a system error that resulted in a number of Canadian customers receiving multiple emails for orders that they did not place. On October 28, 2020, the Organization’s IT support group discovered the issue and it was stopped within 45 minutes. The incident stemmed from a manual technology operation related to updates in certain system-generated emails. The operation in question was not successful, but it was caught through the …
P2021-ND-156

Saputo Dairy Products Canada G.P.

On May 12, 2020, a customer contacted an employee of the Organization to validate an email request the customer received from the employee regarding changes to a payment bank account. The employee confirmed no such request was made. The Organization investigated and determined that the employee’s email account had been compromised since May 1, 2020. An unauthorized email forwarding rule was automatically transferring emails to an external address. The employee’s password was most likely compromised …
P2021-ND-155

TVI Pacific Inc.

On January 6, 2020, the Organization discovered that its office, along with two (2) neighbouring offices, had been broken into. All filing cabinets and desk drawers were opened and various files were stolen, along with a hard drive used to back up a computer. The hard drive was partially encrypted. Police recovered some files on January 29, 2020, along with documents and equipment stolen from several other offices. Several personal files containing credit card statements, RRSP …
P2021-ND-154

Parkland Corporation

On August 14, 2020, an employee received a phishing email and clicked on an infected link. As a result, attackers were able to encrypt files on multiple systems and download data from multiple devices. On November 14, 2020, a ransomware message appeared on the logon screen of multiple systems. Throughout the month of December 2020, the attackers uploaded the stolen data, approximately 1.3 TB worth, to a website on the Dark Web.
P2021-ND-153

Paskapoo Pet Services

The Organization used a third party software called “Precise Pet Care” to store and archive Services Agreements and client information associated with the provision of a variety of pet care services (pet sitting, pet boarding, dog walking, etc.). After a client’s account is created, the primary documentation and signatures are stored in pdf files within each client’s account for reference and recordkeeping. On July 14, 2020, a security researcher discovered a vulnerability within the system …
P2021-ND-152

IPC Investment Corporation

On April 9, 2020, an advisor sent an email communication with attachments requiring their clients’ review and signature. On the same day, the advisor learned from the client that the email communication had not been received. The advisor checked their sent items and discovered the communication was sent to the wrong email account.
P2021-ND-151

College of Registered Dental Hygienists of Alberta

On March 9, 2021, the Organization sent an email to an applicant and included an email addressed to a different applicant in the body of the text. The incident occurred as a result of using a previously sent email as a template. The breach was discovered on March 16, 2021 when the recipient reported the error to the Organization.
P2021-ND-150

J.V. Driver Corporation Inc.

On March 17, 2021, the Organization learned it was the victim of a ransomware attack, although the initial access appears to have been on January 6, 2021. The source of the intrusion appears to be when an employee provided their domain credentials in response to a phishing email and approximately 8 hours later, the attacker accessed the network remotely using the compromised domain credentials of this employee. It does not appear the attacker engaged in …
P2021-ND-149

FabFitFun, Inc.

On August 7, 2020, the Organization discovered that an unauthorized third party had inserted malicious code on portions of its website that may have enabled them to capture certain information in connection with customer sign ups. The incident affected new member sign up pages of the website during the period between April 26, 2020 and May 14, 2020, and between May 22, 2020 and August 3, 2020.
P2021-ND-148

Driver’s Industrial Installations Ltd.

On January 7, 2021, an employee of a service provider to the Organization received a phishing email, prompting her to enter account credentials. On January 11, 2021, an unauthorized third party used the credentials to log into the employee’s email account, and send approximately 1,500 phishing emails. The employee notified the service provider’s IT team who took action to contain the breach. Also on January 11, 2021, emails began transmitting from the service provider’s email …
P2021-ND-147

The Canadian Kennel Club

On February 21, 2020, a copy of the Organization’s March 14 and 15, 2020 Board of Directors meeting agenda was inadvertently posted as a PDF file on its website. The file could be accessed by its membership, instead of the intended audience of the Board of Directors alone. The agenda included the application materials from individuals who wished to become committee members and was accessible on the website only if the PDF file was downloaded …
P2021-ND-146

Wealthbridge Financial Services Inc.

On May 15, 2020, an employee with the Organization emailed a draft document containing the personal information at issue to an unintended recipient. The employee mistyped the intended email address and accidentally sent the document to an incorrect email address. The document was not encrypted and the unintended recipient may have accessed the attached document containing the personal information of the client. The Organization confirmed the incorrect email address has a valid user ID (as …
P2021-ND-145

Driver’s Industrial Installations Ltd.

On April 8, 2021, the Organization learned that one of its service providers had been the victim of a sophisticated, illegal ransomware attack which resulted in hackers gaining access to employee files containing personal information. The source of the intrusion appears to be when an employee provided their domain credentials in response to a phishing email and approximately 8 hours later, the attacker used the credentials to access the network remotely. This initial access appears …
P2021-ND-144

Desjardins General Insurance Group

At the request of an acquaintance, an advisor with the Organization accessed and shared customer personal information via WhatsApp. The scheme was discovered in an internal investigation on seven (7) fraudulent accounts that were opened by the advisor. The Organization reported the incident occurred between January 22, 2019 and February 4, 2021. The breach was discovered on April 16, 2021.
P2021-ND-143

Empire Life Insurance Company

On February 25, 2020, when setting up a policy for a client, the Organization inadvertently coded the client’s address with a third party address. The error went unnoticed by the Organization. As a result, the client’s policy confirmation and tax document was mailed to the wrong address. On March 10, 2020, the Organization was contacted by the client’s Advisor who asked why the Organization had a different address on file. The Organization contacted the person …
P2021-ND-142

Sun Life Assurance Company of Canada

On March 26, 2020, in light of the COVID-19 situation and contrary to a client’s instructions, an employee of the Organization deposited redemption funds directly into the client’s bank account, instead of mailing a cheque. The account was previously jointly held between the client and his former spouse. As a result of the payment, the former spouse was made aware of the transaction. The client had not updated his banking information. On April 6, 2020, …
P2021-ND-141

The Canada Life Insurance Company

On January 6, 2020, an insurance contract is believed to have been sent from the Organization’s London, Ontario office. On April 30, 2020, the Organization discovered the loss of the contract when it was reported that the contract never arrived and has not been returned to the Organization undelivered.
P2021-ND-140

Canadian Forest Products Ltd.

An employee’s laptop bag and laptop were stolen in Edmonton, Alberta on or about March 1, 2020. The laptop’s local storage drive does not contain documents or files containing personal information. However, several months of emails are stored locally on the laptop. The Organization determined that some of the emails or their attachments contained personal information. On or about March 28, 2020, the software the Organization uses when a device connects to the internet, contacted …
P2021-ND-139

Sherwood Consulting Services, Inc.

On March 21, 2020, a psychologist with the Organization discovered her residential garage had been broken into and a briefcase and other items were missing from her vehicle. The briefcase included paper client files. These have not been recovered to date. A computer that was stolen was protected with facial recognition software and encryption.
P2021-ND-138

Sedgwick Canada, Inc.

On July 31, 2020, the Organization detected that data on a limited number of servers within its network environment was subject to a cybersecurity incident. The Organization immediately launched an investigation and engaged a forensics firm to assist with its response. By August 2, 2020, the affected servers had been restored. On August 20, 2020, the investigation identified that personal information of a limited number of current and former employees had been acquired without authorization …
P2021-ND-137

Morneau Shepell Ltd.

Around January 30, 2020, the Organization discovered that multiple unauthorized emails were sent externally from the email account of an employee of the Organization. The Organization investigated and found that the email accounts of five (5) of its employees were compromised as a result of a phishing campaign giving the unknown attacker access to email stored between January 30 and February 4, 2020. The investigation found no evidence that personal information is being used inappropriately …
P2021-ND-136

MGM Resorts International

On or about July 10, 2019, the Organization became aware that on approximately July 7, 2019, an unauthorized third party gained access to an external cloud server (Amazon Web Services (AWS)) containing guest data. The Organization reported that, in early July, the unauthorized party obtained an employee’s credentials that had been compromised as a result of data breaches not associated with the Organization. The attacker used the compromised credentials to log in to a third …
P2021-ND-135

Park Paving Ltd.

On September 6, 2019, a file containing all hourly employee paystubs was emailed to one employee who had requested their own paystub. The breach was discovered the same day when the employee received the email and reported the error to their supervisor who ensured the file was deleted and reported to payroll. The Organization investigated and confirmed that the file was distributed to only one employee, and was viewed by two employees (the original recipient …
P2021-ND-134

Mennonite Economic Development Associates of Canada o/a MEDA

The Organization uses Raiser’s Edge, a product owned by Blackbaud, to store donor data. On July 17, 2020, the Organization received confirmation from Blackbaud that it discovered and stopped a ransomware attack in May 2020. A copy of a backup file was stolen and Blackbaud paid a ransom to get it back. The production environment was not compromised. Blackbaud received assurances that the data was deleted, and assured the Organization that the information has not …
P2021-ND-133

Calgary Meals on Wheels

On September 10, 2020, a volunteer’s vehicle was broken into and four (4) invoices in sealed envelopes were stolen. The incident was discovered on September 11, 2020, and reported to the Organization.
P2021-ND-132

Warner Music Group Corporation

On August 5, 2020, the Organization learned that an unauthorized third party had compromised a number of U.S.-based ecommerce websites that the Organization operates but that are hosted and supported by an external service provider Acquia, Inc. The unauthorized third party potentially acquired a copy of information customers entered on the affected websites after placing an item into their shopping carts. This could have impacted purchases made with credit cards through the affected websites between …
P2021-ND-131

J.V. Driver Corporation Inc.

On January 7, 2021, an employee of the Organization received a phishing email which contained a link to a malicious “github.io” sub-domain, which hosted a fake Microsoft account login page. The employee entered their account credentials into this phishing page. On January 11, 2021, an unauthorized third party logged onto the employee’s email account, and started to transmit about 1,500 phishing emails from the employee’s email account. The employee notified the Organization’s IT team. The …
P2021-ND-130

Minto Multi-Residential Income Partners I, IP

On February 18, 2020, the Organization discovered that between February 15 and February 17, 2020, the Organization’s Applewood Village office was broken into. The Organization determined that a personal cheque from two (2) separate individuals, and rental application packages from six (6) separate individuals, were stolen. At the time of the incident, the office at Applewood Village was locked and security patrols were conducted through the apartment complex.
P2021-ND-129

Bombas LLC

In late January 2019, the Organization discovered that a malicious code had been uploaded onto its Shopify e-platform in order to scrape credit card numbers and other personal information. The Organization determined that the malicious code was operating between November 11, 2016 and February 16, 2017. The Organization’s investigation determined that an unauthorized third party may have compromised the credentials of an employee’s account in order to access the platform, and insert the malicious code. …
P2021-ND-128

Leede Jones Gable Inc.

On or about June 2, 2020, attackers gained unauthorized access to an employee’s email mailbox as a result of a phishing email that the employee responded to, providing credentials. While accessing the account, the perpetrators emailed four other employees, making a fraudulent plea for funds. The attack was unsuccessful and immediately aroused suspicion. The unauthorized access was terminated June 4, 2020. The Organization’s investigation confirmed access to five (5) emails within the compromised account, containing …
P2021-ND-127

Richardson Wealth Limited (formerly Richardson GMP Limited)

On June 1, 2020, a privacy breach occurred due to a successful phishing attempt where an employee clicked on a link in an email sent by a malicious party and entered their credentials. The malicious party accessed the employee’s email inbox. Evidence suggests that seven (7) emails were viewed, resulting in the disclosure of personal information of nine (9) clients, one (1) of which is a client at a Calgary branch.
P2021-ND-126

Francis Winspear Centre for Music

Blackbaud is a third party service provider to the Organization. The Organization uses Blackbaud’s financial management tools (Financial Edge) to manage invoicing data relating to vendors and service providers. According to Blackbaud, an intruder had access to some of Blackbaud’s systems from about February 7, 2020 to May 20, 2020 and was able to extract backup data relating to the Organization. The intruder obtained access through another Blackbaud customer’s account and then launched an attack.
P2021-ND-125

Edmonton Symphony Society

Blackbaud is a third party service provider to the Organization. The Organization uses Blackbaud’s financial management tools (Financial Edge) to manage invoicing data relating to vendors and service providers. According to Blackbaud, an intruder had access to some of Blackbaud’s systems from about February 7, 2020 to May 20, 2020 and was able to extract backup data relating to the Organization. The intruder obtained access through another Blackbaud customer’s account and then launched an attack.
P2021-ND-124

Relevant Radio

The Organization uses Blackbaud, a third-party cloud computing vendor, to provide customer relationship management and financial services tools. On July 16, 2020, Blackbaud informed the Organization that it had suffered a cyber incident which resulted in a potential unauthorized access to certain information maintained by Blackbaud between February 7, 2020 and May 20, 2020. Blackbaud paid the threat actors’ ransom demand in return for confirmation that all data removed by the threat actors had been …
P2021-ND-123

Savers, Inc.

On June 28, 2020, the Organization was the victim of a phishing attack that targeted one employee and the information contained in their email account. The incident was discovered on July 3, 2020 when the Organization noticed the employee’s email account was being used to send fraudulent emails, attempting to initiate a fraudulent money transfer.
P2021-ND-122

Rakuten Kobo Inc.

On June 17, 2021, the Organization was victim to a phishing attack when an employee opened a malicious email attachment. After the initial breach, the attackers installed additional tools to propagate their attack. The incident was discovered 68 days later on August 24, 2020 when abnormal CPU utilization was detected on a database server. For the following 5 days, the Organization analyzed the breach and eliminated the attackers’ access, effective August 29, 2020. The Organization’s …
P2021-ND-121

Blue Buffalo Company, Ltd.

On August 31, 2020, an unauthorized party gained access to the Organization’s network via the exploitation of a vulnerability present on one of the Organization’s servers. After the initial breach, the unauthorized party deployed malware and network penetration tools, extending the attack to other systems and user accounts on the Organization’s network. The breach was discovered on September 1, 2020 when the Organization’s security team detected the attacker’s activities.
P2021-ND-120

Century 21 Department Stores LLC

The Organization learned of suspicious activity involving its website, c21stores.com. The Organization investigated and found unauthorized code. The Organization’s investigation found the code may have been present and capable of copying information entered by customers on the website between August 27, 2019 and October 10, 2019. The breach was discovered when the Organization was alerted by the third party that hosts its ecommerce platform.
P2021-ND-119

World Financial Group Canada Inc.

On October 10, 2019, a password protected laptop containing client information was stolen from a locked vehicle. The breach was discovered the same day when the vehicle owner discovered that the back window of her locked vehicle was shattered and items including the password protected laptop were missing.
P2021-ND-118

Mountain View Credit Union

On May 25, 2018, the Organization inadvertently mailed an annual post-review letter and a non-compliance letter to the wrong address. The breach was discovered on June 4, 2018, when the unintended recipient attended the branch to report the error and return the documents.
P2021-ND-117

Luxottica of America Inc.

On August 9, 2020, an automated attack was carried out against the Organization’s appointment scheduling application using an account that was created on August 5, 2020. The Organization investigated to determine the extent and nature of the incident and to confirm whether patient records had been accessed and/or acquired. On August 28, 2020, the Organization preliminarily concluded that the unauthorized person might have accessed and acquired individuals’ information from the appointment scheduling application.
P2021-ND-116

Lithion Power Group Ltd.

On June 25, 2019, an employee with the Organization was corresponding with a client who advised that they had made wire transfer payments to the Organization. The Organization did not receive any payments. On July 2, 2019, the Organization discovered that an employee’s email inbox had been breached by an unknown third party, and an email forwarding rule was enabled which forwarded all inbound emails to an unknown gmail account. The Organization also discovered that …
P2021-ND-115

Expedia

The Organization acquired Orbitz in 2015. Orbitz operates a travel booking platform. The Organization reported that “While conducting an investigation of the platform, Orbitz determined on March 1, 2018 and informed us on April 12, 2018, that there was evidence suggesting that, between October 1, 2017 and December 22, 2017, an attacker may have accessed certain personal information stored on its consumer and business partner platform.
P2021-ND-114

2101314 Alberta Inc.

On March 7, 2020, the Organization sent an email to customers, notifying them of a sales promotion. The Organization inadvertently “cc’d” customer email addresses instead of blind copying them (“bcc”). As a result, recipients were able to see other customers’ email addresses and would know they are customers of the Organization. The incident was discovered the same day when one of the recipients reported the error to the Organization.
P2021-ND-113

The Results Companies, LLC

On August 13, 2019, the Organization discovered unauthorized access to an employee email account when a fraudulent wire transfer involving the Organization’s corporate account was attempted. The Organization investigated and determined that an employee email account had been used to facilitate the attempted fraudulent wire transfer. In the process of obtaining information to facilitate the attempted fraudulent wire transfer, it appears that the malicious actor may have accessed personal information without authorization. The Organization reported …
P2021-ND-112

Worldwide Insurance Services, LLC

On March 20, 2019, the Organization was contacted by its card payment merchant acquirer, Worldpay, regarding irregularities experienced by customers after purchasing goods on the Organization’s website, www.reddragondarts.com. The Organization’s investigation at the time of reporting indicated that the website was compromised by malicious code that collected data from the payment page, sending it to a remote server under the attacker’s control. The Organization reported there were two windows of compromise: September 9, 2018 to …
P2021-ND-111

Canadian Crossroads International

On March 17, 2020, a third party to the Organization, TSX Trust Company, used an incorrect envelope format to mail tax forms. As a result, social insurance numbers were visible through the window of the envelope. The breach was discovered by investors who subsequently notified the Organization on or about March 22, 2020.
P2021-ND-110

Nodor International Limited (trading as Red Dragon Darts)

On March 7, 2020, the Organization found a hidden audio device behind a picture frame in the Organization’s staff room. The device recorded an “in camera” board meeting, staff interviews, and private conversations of staff. The Organization reported that it does not know when the audio recording started. The Organization reported that it does not know whether this incident is connected to another incident of an unauthorized audio recording the Organization experienced earlier in the …
P2021-ND-109

Adventus Opportunity Fund

On July 16, 2020, the Organization received notice from its third-party service provider, Blackbaud, that it was the victim of a ransomware attack. Blackbaud informed the Organization that it discovered the attack on the same day it occurred on May 14, 2020, and that it prevented the bad actor from blocking system access and fully encrypting files. According to Blackbaud, a ransom was paid in return for the assurance the information would be destroyed and …
P2021-ND-108

Salta Gymnastics Club

On July 6, 2020, the Organization received a phishing email that appeared to be from its email and website provider. The email identified that the Organization’s credit card payment did not go through because the card may have changed or expired. The credit card had in fact recently expired. The email requested the Organization update its credit card information. The Organization provided the new credit card and login information but did not realize password information …
P2021-ND-107

Opportunity International Canada

On or about February 19, 2019, the Organization identified suspicious activity regarding its online payment processing platform. On or about March 4, 2019, the Organization’s investigation determined that customer credit and debit card information for certain transactions that occurred on the ecommerce website between February 10, 2019 and February 14, 2019, and on February 19, 2019, may have been subject to unauthorized access and/or acquisition.
P2021-ND-106

Tamarack Psychology

On January 7, 2019, an Investment Advisor with the Organization received an email from a client requesting copies of the client’s current investment portfolio statement and account balances. The Advisor responded the same day, but attached the wrong clients’ Portfolio Evaluations in error. On January 14, 2019, the original client advised the Organization that she was a victim of fraud, where it appears that a fraudster hacked and used the email address to correspond with …
P2021-ND-105

CM Group Holdings, Inc. d/b/a Creative Memories

On March 1, 2019, the Organization learned of a mailing error that inadvertently sent the T5 slips of certain authors to the mailing address of other authors. The mailing occurred early in the week of February 25, 2019. The Organization has taken steps to recover the misdirected mail. One Alberta resident’s slip was successfully retrieved, but had been opened by the unintended recipient. The Organization has attempted to make contact with the other authors, but …
P2021-ND-104

Richardson GMP Ltd.

On or around March 31, 2019, a customer brought a computer to the Organization for repair and a data backup service. A sign-in form was completed. The computer and form were sent to a service center; the computer was repaired and the data backup completed on an SSD card. The SSD card was subsequently lost and has not been recovered. The breach was discovered on April 2, 2019.
P2021-ND-103

Penguin Random House Canada

The Organization uses a third party provider to adjudicate and pay claims submitted by members under the Organization’s Extended Health Care Plan. In this case, an individual who was covered under their spouse’s plan submitted a receipt for psychological treatment. The receipt was forwarded to the third party for adjudication. When the claim was processed, a statement was mailed to the affected individual indicating there was no coverage for the service. However, the claim was …
P2021-ND-102

Best Buy Canada Ltd.

At the end of March 2019, the Organization was contacted by two subscribers (resident outside Alberta) reporting possible fraudulent credit card activity, shortly after the subscribers spoke with a customer service representative (CSR) employed by a third party service provider to the Organization. The Organization investigated, and found that a CSR had used a subscriber’s credit card information (which had been collected for legitimate purposes) for an unauthorized personal purpose. The Organization reviewed all available …
P2021-ND-101

Alberta School Employee Benefit Plan

On June 13, 2019, the Organization’s third party service provider, responsible for maintaining the ecommerce platform, noticed an unauthorized script. The Organization investigated and determined an unauthorized third party gained access to the ecommerce platform and placed a script allowing personal information to be collected as transactions were made on the site. The unauthorized third party was able to access the ecommerce platform remotely by using the username and password of an employee of the …
P2021-ND-100

The Globe and Mail Inc.

On or about August 31, 2019, an unauthorized intruder accessed a computer server that contained information about individuals who participated in online contests conducted in Canada. The Organization investigated and determined that the attacker gained access to a server by exploiting credentials.
P2021-ND-099

Ivanhoe Cambridge

As a result of a successful phishing attack, an intruder was able to obtain the credentials for an email account assigned to an employee of a service provider to the Organization and gain access to certain emails. The incident occurred on May 20, 2019 and was discovered on May 28, 2019 when the employee who was the subject of the successful email phishing attempt reported the incident.
P2021-ND-098

NBA Media Ventures, LLC

On January 29, 2019, a Statement of Benefits Paid was lost while being transported from a home office to the Organization’s office. The breach was discovered the same day when the document could not be located.
P2021-ND-097

SMART Local Unions and Councils Pension Fund (Canada)

A bag was left in an employee’s car overnight on February 6, 2021. The bag contained a list of staff members, their FTE, and investigation notes from conversations with 4 employees. The breach was noticed the same day. The documents have not been recovered.
P2021-ND-096

Carscallen LLP

Western Safety Products (WSP) is a division of the Organization and is a Seattle, Washington based distributor of safety equipment to businesses. WSP had a web-based e-commerce site which was hosted by a third party. The website was closed in February 2018; however, unauthorized parties appear to have gained access and re-activated the site on September 19, 2018. It appears the administrative portal used by the third party hosting the site was compromised, and as …
P2021-ND-095

AgeCare Seton

On September 25, 2019, a Google Drive document was shared with the wrong email address. The names were similar, and the wrong name was selected. The incident was discovered the same day when the unintended recipient reported the error.
P2021-ND-094

Bunzl North America

On or about December 11, 2018 the Organization received notice of a vulnerability in its firewall that made a server accessible. On or about April 15, 2019, as the result of a thorough review of the potentially impacted contents of the server, the investigation confirmed the population of potentially impacted individuals.
P2021-ND-093

Laura Gilligan, Occupational Therapist

On May 22, 2019, the Organization sent an email to some of its members and inadvertently attached a document containing the information at issue of other members. The email was received by 63 members and included the personal information of 1,232 individuals. The breach was discovered the same day, when one of the recipients reported the error to the Organization.
P2021-ND-092

Oklahoma Department of Securities

The Organization uses a third party, Glentel Inc., to operate its website. Glentel advised the Organization that, on November 29, 2018, an employee’s email account was compromised following a successful phishing attempt. As a result, the intruder was able to view personal information related to purchases made on the website. Glentel advised the incident was contained the same day that it occurred.
P2021-ND-091

Gray Monk Estate Winery

On October 16, 2019, a staff member’s laptop was stolen from their vehicle. The laptop was password protected. On October 23, 2019 a backup copy of the computer was reviewed, revealing there was personal information stored on the laptop. The laptop has not been recovered.
P2021-ND-090

Samsung Electronics Canada Inc.

Malware (Emotet) was discovered on an end user laptop. The Organization reported the breach occurred on August 26, 2019 and was discovered August 28, 2019 when data communications from the end user laptop matching known Emotet control characteristics were detected by a cybersecurity system. This system alerted the Organization’s Canada Cybersecurity Specialist to the detection.
P2021-ND-089

AUPE

On December 17, 2018, an employee of the Organization posted files containing royalty statements to certain members’ online accounts. The breach was discovered on December 19 when a member downloaded statements from his account that included statements relating to other members.
P2021-ND-088

PetroChina Canada Ltd.

The Organization was contacted by a security researcher from a reputable security research firm under “responsible security disclosure” principles about a data file the researcher had obtained. The file was provided to the Organization on December 18, 2018 in a password-protected form and appeared to contain an Organization user table. The Organization was able to confirm its authenticity on December 19, 2018. The Organization reported its investigation is ongoing.
P2021-ND-087

Society of Composers, Authors and Music Publishers of Canada (SOCAN)

Two employees stored documentation intended for shredding in bins that were marked “for shredding” which were mistaken for recycling by the building custodian. On January 29, 2019, the building custodian disposed of the documentation in the building’s outside recycling bin, which is not secured. Each bin contained approximately 20-30 pages. The contents of the documentation were not inventoried but are believed to be draft correspondence that may have included personally identifying information. The breach was …
P2021-ND-086

Houzz Inc.

On November 29, 2018 an employee in the Organization’s head office in Burnaby, British Columbia received a fraudulent email from an unknown third party. The email appeared to be from the Organization’s Chief Executive Officer and attached a link to a fraudulent website. The email deceived the employee into disclosing the employee’s credentials for their work email account. The unknown third party then used the employee’s credentials to access the employee’s work email account and …
P2021-ND-085

College and Association of Registered Nurses of Alberta

In January 2019, the Organization determined that its Canadian consumer-facing website, https://mcmbcrs.transunion.ca had been the target of a “credential stuffing” attack. The Organization investigated and, in February 2019, found that failed login attempts could be traced back to credential stuffing by an unknown and unauthorized third party. The Organization reported the attacker appears to have directed a cache of valid and invalid credentials at its systems for the purposes of identifying which credentials worked and …
P2021-ND-084

Glentel Inc.

During the week of December 2 – 6, 2019, an employee of the Organization received an email that appeared to be from the Organization’s Senior Vice President and Chief Financial Officer requesting accounts receivable information, along with customer contact information. The employee responded by email on December 6, 2019 attaching the requested information. Unfortunately, the email had been sent by an unknown and unauthorized third party. The incident was discovered on December 9 when customers …
P2021-ND-083

Trans Union Consumer Interactive, Inc.

On August 28, 2019, a human resource employee inadvertently copied a distribution group of 134 employees on an email to a manager with respect to a termination that was scheduled to occur the following day. The breach was discovered by the intended recipient on the same day.
P2021-ND-082

Yellow Pages Digital & Media Solutions Limited

On July 21, 2019, an employee of the Organization was on a plane from Fort Worth to Houston, TX. The employee had a company laptop and was using it during the flight. Sometime after departing the plane after arrival, the employee noticed that the laptop was not in their carry-on luggage. The Organization assumes the laptop was left on the plane. The laptop was password protected (with a strong password) but not encrypted. The employee …
P2021-ND-081

Inter Pipeline Ltd.

On March 12, 2019, an employee with the Organization inadvertently enclosed a copy of an individual’s application for insurance in a letter to another client of the Organization. On March 20, 2019, the unintended recipient telephoned the Organization to report the error.
P2021-ND-080

Mother Parker’s Tea & Coffee Inc.

On February 25, 2019, a third party contractor notified the Organization that a data breach had occurred which consisted of unauthorized access to personal information. The contractor determined that an individual downloaded certain data from the contractor which included the Organization’s employee information.
P2021-ND-079

CDSPI

The Organization is a specialized Chartered Accountancy practice and provides tax consulting services to various clients. On February 22, 2019, the Organization was notified that one of its independent contractors had received a text message from an unidentified individual stating that the individual had gained access to and downloaded the Organization’s client data. The Organization took precautionary steps and changed all passwords for its remote access capabilities and locked down its servers. On February 25, …
P2021-ND-078

Geo Logic Systems Ltd.

In May 2020, the Organization’s third party vendor, Blackbaud, advised the Organization of a data security incident involving a ransomware attack on its systems, including its Raiser’s Edge software product used by the Organization. Blackbaud reported that it was able to successfully prevent the cybercriminal from blocking its system access and fully encrypting files, and ultimately expelled them from its system. However, prior to locking the cybercriminal out, the cybercriminal removed a copy of a …
P2021-ND-077

TGSI Canada Corp.

On December 2, 2019, the Organization received complaints from consumers about its checkout process. The Organization investigated and discovered that malicious code had been added to its ecommerce site (site) earlier the same day. The malicious code directed users to a spoofed webpage where they were asked to enter their payment card details in order to complete their purchases. Users who completed the payment card details page were then directed to the real webpage, where …
P2021-ND-076

Saybrook University

On July 14, 2020, a member of the public found personnel files in a grocery cart and contacted the Office of the Information and Privacy Commissioner (OIPC). The Organization reported that a “Restaurant closure lead [sic] to employee files from old ownership not being discarded properly due to COVID-19 restrictions and miscommunication during permanent restaurant closure.” The Organization discovered the breach on September 21, 2020 when notified by the OIPC.
P2021-ND-075

Rooster Teeth Productions, LLC

On April 20, 2020, an “Order Alert” email was sent to customers of the Organization. The purpose of the email was to inform recipients they had been mistakenly charged twice for online purchases. The Organization inadvertently entered email addresses in the “cc” line, rather than the “bcc” line. The incident was discovered on April 22, 2020.
P2021-ND-074

TH 17Th Ltd.

On September 1, 2020, the Organization was subject to a cyberattack, resulting in the exfiltration of records and the unauthorized encryption of some organizational infrastructure. The incident was discovered the same day, September 1, 2020; however, data exfiltration was confirmed 8 days later on September 9, 2020 after records were discovered on the dark web.
P2021-ND-073

Keurig Canada Inc.

On November 3, 2020, the Organization’s service provider, Kitewheel LLC., was subject to a ransomware cyberattack. The threat actor accessed and exfiltrated personal information and demanded a ransom payment. While the data were stored in an encrypted database, it is reported that the threat actor obtained access credentials and was able to de-crypt the records for extraction. The Organization was notified of the breach on November 3, 2020, and was further notified on November 13, …
P2021-ND-072

Windward Software Systems Inc.

On March 9, 2020, the Organization became aware of suspicious activity related to its email system. The Organization investigated and determined that there was unauthorized access to certain email accounts between “December 19, 2010 and March 3, 2020”. The Organization reviewed the affected accounts and on June 25, 2020, determined that the email accounts contained some information related to individuals.
P2021-ND-071

Direct Energy Marketing Limited

On November 30, 2020, a laptop in the USA belonging to the Organization was hacked. The Organization reported malware was most likely introduced through a phishing attack that spread through its global network. The Organization said its Active Directory may have been compromised and all Windows users across countries are affected. The Organization reported that the breach ended on December 4, 2020.
P2021-ND-070

POWER Engineers, Inc.

The Organization inadvertently mailed a client’s Disability Agreement letter to the wrong client. The breach was discovered on February 13, 2020 when the unintended recipient reported it to the Organization.
P2021-ND-069

Dormakaba International Holding GmbH

On November 30, 2020, a laptop in the USA belonging to the Organization was hacked. The Organization reported malware was most likely introduced through a phishing attack that spread through its global network. The Organization said its Active Directory may have been compromised and all Windows users across countries are affected. The Organization reported that the breach ended on December 4, 2020.
P2021-ND-068

Sun Life Financial

On November 7, 2020, an unknown individual entered the Organization’s premises and tampered with the drawer lock. The individual stole multiple documents and electronic devices. The theft was discovered later the same day when an Associate noticed damages to the drawer which had been locked.
P2021-ND-067

Boardwalk Rental Communities

On February 11, 2020, a void cheque belonging to one customer was emailed to another customer in error. The incident was discovered and reported to the department manager on the same day.
P2021-ND-066

Rifco National Auto Finance

On January 10, 2017, an email was sent to the Organization’s IT Manager claiming to be from the Organization’s Human Resource Manager. On January 12, 2017, the hackers sent a bogus email containing instructions about a “new password” to employees of the Organization. One employee acted on the instructions, which led to the compromise. The incident was discovered on January 17, 2017 when the hackers sent screenshots of human resource documents and the Organization’s payroll …
P2021-ND-065

Grey Eagle Casino

On May 19, 2019, the Organization experienced a ransomware attack that encrypted the Organization’s systems. The Organization’s IT reported that an email was sent May 14, 2019 which activated a virus. The breach was discovered on May 21, 2019. The Organization was able to recover its data and, although it is unaware of any evidence to suggest that its data was accessed or exfiltrated, it was not able to conclusively determine the issue.
P2021-ND-064

Rocky Mountain House Society dba Rocky Mountain Support Services Society

On September 17, 2019, malicious actor(s) used valid credentials obtained from prior breaches unrelated to the Organization to access some customer accounts. The incident was a remote cyber attack against a cloud based authentication service. Using Application Programming Interface (API) calls, the attackers used the previously exposed email address and password to log in, change the password, and then change the email address on file to an invalid email address. The breach was discovered …
P2021-ND-063

Aeroplan Inc.

On January 16, 2020, an employee with the Organization inadvertently switched two claims cheques and the cheques were stuffed into the other plan members’ envelope. On January 22, 2020, the Organization received a telephone call from one plan member’s spouse stating that they received the wrong claim cheque inside their envelope. The Organization immediately contacted the other plan member and asked them to return the original document to the Organization.
P2021-ND-062

Employee Benefit Funds Administration Ltd.

In January 2019, documents including the information at issue were circulated to the Organization’s members through email and posted on its secure website. The incident was discovered on July 24, 2019 when one of the individuals notified the Organization that the information had been included in the documents. The Organization removed the information from the website and confirmed the emails that included the information at issue were deleted.
P2021-ND-061

Natural Gas Employees’ Association

On or around March 26, 2020, an employee of the Organization was notified by a third party about a suspicious email sent from the employee’s email account. The employee reported the suspicious activity to the Organization’s IT department. The Organization and a third party cybersecurity firm investigated the incident. The Organization believes that: (a) the employee’s email account was accessed by an unauthorized third party; (b) the period of potential unauthorized access to the employee’s …
P2021-ND-060

GroupHEALTH Family of Companies

On November 23, 2020, the Organization discovered its office was broken into and entered by an unknown thief. In order to preserve evidence nothing was touched around the desk area until November 24, 2020, at which time it was discovered that some session notes were missing.
P2021-ND-059

Marchand Psychological Services

On or around September 19, 2019, the Organization’s IT staff discovered that unauthorized spam messages containing malicious links that harvested credentials had been sent from the email account of one (1) of its employees. The incident took place between September 17, 2019 and September 19, 2019. The Organization took immediate steps to secure the affected account, engaged external legal counsel and a third-party cybersecurity firm to investigate the incident. The Organization’s investigation confirmed that a …
P2021-ND-058

PPI Management Inc.

Between June 25, 2019 and July 31, 2019, an employee of the Organization accessed and used personal information of a number of group retirement savings participants (only one resides in Alberta) for fraudulent transactions. The breach was discovered on July 29, 2019, when an irregular online transaction was blocked and reported. The Organization investigated, which led to the employee in question.
P2021-ND-057

Desjardins Financial Security

On June 14, 2019, the Organization learned from police that one of its employees exfiltrated client personal information over the course of at least 26 months. Police found files containing the personal information of 9.7 million active and inactive files of individuals during a police search in a fraud and identity theft case. As part of the employee’s responsibilities, the employee had access to personal information of banking members as well as credit cardholders and …
P2021-ND-056

Desjardins Group

The Organization reported “(Likely) a phishing attack that enabled a 3rd party access to set up an email forwarding rule.” The incident occurred between June 16, 2020 and July 8, 2020. The incident was discovered by a vendor on July 8, 2020. The Organization stopped the forwarding of email immediately. On July 14, 2020, the Organization also disabled the ability to forward email from any Spud.ca email account. The Organization reported that approximately 150 emails were …
P2021-ND-055

Sustainable Produce Urban Delivery, Inc.

On August 29, 2019, a staff member of the Organization went to pick up meals and discovered the meal bag wasn’t in the location it was left at. Six (6) meals were stolen and had clients’ name and address with them.
P2021-ND-054

Calgary Meals on Wheels

On September 1, 2019, the information at issue was mistakenly published on the Organization’s website as the profile photo for a dog. The same day, two members of the public notified the Organization about the error. The personal information was displayed for about an hour and 20 minutes before it was taken down by the Organization.
P2021-ND-053

Edmonton Humane Society

The Organization retains a third party service provider, TSGI Corporation (TSGI), to process and analyze tax credits. TSGI advised the Organization that a (now) former employee of TSGI improperly accessed and collected data, some of which contained confidential information about the Organization’s current and former employees. The breach occurred between January 28, 2019 and February 20, 2019. The Organization understands the breach was discovered by TSGI on or about February 25, 2019. The Organization had …
P2021-ND-052

AppCarouselDirect Inc.

The Organization operates a portal that enables businesses to access consumer credit files for the purposes of assisting them in adjudicating credit applications. On August 19, 2019, the Organization determined that the user credentials for one of its corporate customers had been compromised. The corporate customer confirmed to the Organization that its credentials were used without authorization to access consumer credit files. As a result, an unidentified intruder was able to provide sufficiently detailed and …
P2021-ND-051

Trans Union of Canada Inc.

On February 26, 2019, a service provider advised the Organization that a former employee of the service provider improperly accessed and collected some of the service provider’s data and uploaded it onto a remote server. On March 15, 2019, the service provider advised the Organization that personal information of the Organization’s current and former employees and related individuals was amongst the client data that was stolen from its computer network. The service provider determined that …
P2021-ND-050

Canbriam Energy Inc.

LFconnect is a fitness app available from the Organization that tracks workout data. Data from the app’s crash reports were stored on a Google database. On April 24, 2018, the Organization received an email from a third party security firm advising that it had discovered a Firebase database that contained crash reports for the LFconnect mobile application. The crash reports were for data between April 2016 and May 2017. The Organization reported that it has …
P2021-ND-049

Life Fitness, a division of Brunswick Corporation

On November 9, 2018, the Organization’s WordPress site was hacked. The breach was discovered on November 12, 2018 by staff attempting to access the website who were redirected to a malicious ad-rich site. The unauthorized users granted themselves administration accounts on November 10, 13 and 15, 2018. As such, they would have been able to see the personal information of individuals who paid for continuing education courses or employment ad space, and those who filled …
P2021-ND-048

Alberta College and Association of Opticians

On May 14, 2020, an employee of the Organization detected a possible phishing attack and investigated. The Organization discovered that an employee’s smartphone SIM card had been ported to a new carrier by unknown external actor(s) who used the SIM to access the employee’s Google account, and then the Organization’s systems through Google’s single sign-on interface, and to download a database of customer information. The accounts of at least 11 customers were accessed and the …
P2021-ND-047

BlockFi, Inc.

On April 3, 2020, an employee was conversing by email with a customer but inadvertently used the ongoing email thread in an email to a different customer. The employee who made the error reported it to a supervisor. The customer who received the information in error was contacted and agreed to delete the email. The breach was discovered on April 4, 2020.
P2021-ND-046

Rifco National Auto Finance

Sometime in March/April 2020, the Organization’s storage locker was broken into. The incident was discovered on August 28, 2020 when police notified the Organization that employee files had been discovered during an operation on June 19, 2020. When the Organization went to the storage locker, it discovered a box of employee files was missing. On September 16, 2020, the Calgary Police Service returned the box of files to the Organization.
P2021-ND-045

RedBloom Salons

On July 16, 2020, the Organization was notified of a security incident by Blackbaud, a third-party provider of cloud computing services for educational institutions and other not-for-profit organizations. The Organization uses Blackbaud’s customer relationship management (CRM) platform to support its data for alum, parents, students and broader community. Blackbaud informed the Organization that its database backup had been affected by a security incident, which began in February 2020, but that they discovered in May 2020. …
P2021-ND-044

The Country Day School

On November 5, 2020, an unauthorized third party gained access to the Organization’s business servers located in St Louis (USA). On November 12, 2020, the Organization’s IT team noticed anomalies and investigated. On November 13, 2020, the Organization found suspicious software running on an internal system. The system was also seen to be generating outbound traffic to an unknown IP address. The Organization reported that human resource related identity information might have been targeted and …
P2021-ND-043

Belden Canada ULC

On December 5, 2020, the Organization suffered a ransomware attack on its computer network. A high percentage of the Organization’s information technology infrastructure was infected, with several servers and endpoints encrypted. A malicious external actor committed the cybersecurity breach. The Organization reported that it did not find any evidence of misuse of personal employee information; however, it did find evidence that personal employee information was exfiltrated from its network and posted to the threat actor’s data …
P2021-ND-042

CDN Controls Ltd.

On May 28, 2020, the Organization discovered that an unauthorized script was placed on the checkout page of its website. The script potentially allowed for the capture of information submitted by customers if the customer was using the credit card payment function and the “place your order” button was selected. The Organization reported that the unauthorized script was likely placed on its website on or about May 10, 2020.
P2021-ND-041

Kroto Inc., dba iCanvas

On or about July 1, 2020, an email phishing attack was carried out against a former employee who was working for the Organization in a consulting capacity. As a result of the attack, a threat actor gained unauthorized access to the Organization’s network(s). On or about July 31, 2020, the threat actor gained access to the Organization’s servers and domain controller. The incident was discovered on August 9, 2020 when IT staff found malicious text …
P2021-ND-040

Brookfield Residential Properties Inc.

On January 27, 2020, insurance policy contracts were placed into incorrect courier packages. Subsequently, the documents were delivered to unintended recipients. The breach was discovered 10 days later on February 6, 2020 when the intended recipients contacted the Organization asking where the contracts were. The Organization is unable to confirm if the documents have been returned or destroyed.
P2021-ND-039

ivari

On June 11, 2020, the Organization was contacted by a security researcher who claimed the Organization’s e-commerce site had been compromised. The Organization investigated and identified and removed unauthorized code from its ecommerce site on Friday, June 12, 2020. The code was capable of obtaining information entered by customers during the online checkout process and sending it out of the Organization’s system. Purchases made in the Organization’s retail store locations were not involved. The Organization reported …
P2021-ND-038

Claire’s Store Inc.

The Organization was switching its in-house accounting/bookkeeping products and needed to migrate data to the new platform. The Organization engaged an individual to provide technical support, believing the individual was associated with the accounting software company. The individual was granted remote computer access and uploaded an accounting file containing the information at issue. The individual was also given the account number for the online bookkeeping account, but was not given the password. Immediately after the …
P2021-ND-037

Leduc Mechanical Industries Inc.

On February 28, 2020, an insurance advisor’s vehicle was broken into. A briefcase containing two laptops and client paper files was stolen. The incident was discovered and reported to local police authorities on the same day. It is reported that one of the laptops was not password protected, and neither device was confirmed to be encrypted.
P2021-ND-036

ivari

The Organization participates in a joint venture with another organization, MegaSys Enterprises Ltd. (MegaSys), that is responsible for the integrity of the computer network. On May 11, 2020, ransomware encryption was triggered and the perpetrator indicated that personal files have been downloaded although the Organization cannot confirm this. All of the Organization’s Windows based PCs connected to the domain server were attacked by the ransomware. The breach was discovered initially by an external customer who …
P2021-ND-035

Worth Ventures Ltd.

On or around May 31, 2019, a customer brought a computer to the Organization’s Grand Prairie store to be sent to the manufacturer for repair. The computer was repaired and returned to the store by courier on or around June 12, 2019; however, it was lost while in transit. The breach was discovered on July 24, 2019.
P2021-ND-034

Best Buy Canada Ltd.

On March 6, 2020, a case containing a laptop and paper records was stolen during a vehicle break-in. Law enforcement was notified on the same day. The following day, some of the paper records were found nearby and recovered.
P2021-ND-033

Michael Neeland

On December 12, 2020, one of the Organization’s staff members was the victim of a carjacking. At the time, the staff member was transporting documents and a non-encrypted USB drive to the Organization’s office. No personal information was stored on the USB device. On January 13, 2021, the vehicle was found in Kelowna B.C.; however, the vehicle’s contents were not recovered.
P2021-ND-032

Southgate Medallion Family Day Homes Ltd.

On June 15, 2020, the Organization couriered a contract to an advisor’s home address for subsequent delivery to a client. The courier buzzed to get in to the advisor’s building and an individual gave the courier access, saying they would provide the package to the advisor; however, this did not happen. On June 23, 2020, the advisor reported to the Organization that she had not received the package. An investigation was conducted; however, all efforts …
P2021-ND-031

Raymond James Financial Planning Ltd.

On or around September 13/14, 2020, an emergency bag containing first-aid and emergency supplies, as well as the emergency information cards of 11 children in care, was stolen from an employee’s vehicle. The breach was first discovered by the employee on September 14, 2020. The employee reported the incident to the Organization on September 15, 2020.
P2021-ND-030

Young Men’s Christian Association of Edmonton (YMCA of Northern Alberta)

On August 12, 2019, an Excel spreadsheet containing certain personal information was inadvertently emailed to the Organization’s internal sales representatives distribution list. The list included mainly internal Organization email addresses; however, there were some external email addresses (for individuals within the Organization’s sales network). The breach was discovered on August 13, 2019 by the employee who sent the email. On August 13, 2019, an email was sent to those on the original distribution list advising …
P2021-ND-029

DIRTT Environmental Solutions Ltd.

On December 30, 2020, the Organization was the victim of a phishing attack when a staff member opened an email attachment that contained malware. The breach was discovered on January 4, 2021 when unusual emails were detected by the Organization’s email filtering system. The Organization investigated and found that the perpetrators could have gained access to personal information.
P2021-ND-028

Herbers Autobody Repair Inc.

On October 1, 2019, the Organization discovered that a staff member’s email account was compromised and messages received by this email account had been forwarded externally. The Organization said that only incoming emails were affected by the email-forwarding rule. The breach occurred on or about September 17, 2019 to October 29, 2019. The Organization reported that the documents involved did not include completed mortgage documentation and the information involved is publicly available through the land titles …
P2021-ND-027

Barr Picard Law

On March 27, 2020, the Organization learned that its computer system was impacted by a ransomware event that encrypted certain files. Some files were copied from the system in connection with the attack. On or about June 10, 2020, the Organization determined that a limited number of documents that may have been copied contained some personal information. The Organization reviewed the contents of all files that may have been acquired. As the Organization could not …
P2021-ND-026

Frederick W. Howarth III d/b/a TBG West Insurance Services

On or about May 27, 2020, the Organization began investigating a report from a customer of an unusual payment card charge. The investigation determined that the Organization was the victim of a sophisticated cyberattack that may have resulted in a compromise to some of its customers’ credit and debit cards used to make purchases on its website, www.yogafit.com, between April 11, 2020 and May 27, 2020.
P2021-ND-025

YogaFit Training Systems Worldwide, Inc.

The Organization maintains an online store (www.apwa.net/store/), through which members can pay dues, purchase merchandise and educational resources, and register for events. On or about May 8, 2020, the Organization was notified about a potential scripting issue within the software that supports its cloud-based association management software. On or about May 15, 2020, the Organization was notified that the issue was a vulnerability that presented a security risk because it could facilitate a “man in …
P2021-ND-024

American Public Works Association

On June 12, 2020, the Organization became aware it was the victim of a cybersecurity attack. An unauthorized third party deployed ransomware in an attempt to encrypt the Organization’s technology infrastructure. Some of the Organization’s employees experienced complications with email; however, there were no interruptions to its business operations. On July 1, 2020, the Organization discovered that the unauthorized third party had in fact gained access to and exfiltrated the personal information of employees and …
P2021-ND-023

Pivot Technology Solutions Inc.

On June 25, 2020, the Organization discovered that between August 31, 2019 and November 10, 2019, an unauthorized person accessed certain of the Organization’s employees’ email accounts at various times. The Organization was not able to determine which emails and attachments, if any, were accessed by the unauthorized person, but conducted a comprehensive review of the contents of the email accounts. To date, the Organization has no evidence of any misuse of the information as …
P2021-ND-022

Mitten Building Products

The Organization uses a third party provider’s customer relationship management (CRM) platform to support its data for alumni, parents, students and the broader community. On July 16, 2020, the third party provider (Blackbaud) informed the Organization that its database backup had been affected by a ransomware incident, which began in February 2020, but was discovered in May 2020. According to Blackbaud, after discovering the attack, it successfully prevented the cybercriminal from blocking system access and …
P2021-ND-021

Branksome Hall

In the early morning of September 26, 2019, the Organization’s offices were broken into. The perpetrator(s) went through numerous filing cabinets and desks, including paperwork with credit card information; however, no paperwork was missing. The motion sensor alarm was triggered and the police, the security company, and the facility Maintenance Manager, who had discovered the unauthorized person on camera, attended the facility and saw papers disturbed and strewn about the floor.
P2021-ND-020

Edmonton Soccer Association Facilities

The Organization learned that an unauthorized individual gained access to personal information in certain of its online accounts from approximately April 28, 2020 to May 13, 2020. The Organization believes that the individual capitalized on a breach of another company’s system where the customer may have used the same login information.
P2021-ND-019

Victoria’s Secret Store Brand Management, LLC

The Organization has a job profile builder that members can use to create a job profile. Between June 2018 and June 2019, job seekers could either request that a PDF of their job profile be sent by email to themselves or to a potential employer. This is done using a link sent to the job seeker or the potential employer from which a PDF can be downloaded. During the process for sending the email, the …
P2021-ND-018

Christian Labour Association of Canada

On September 5, 2019, the Organization discovered a former employee’s email account had been accessed without authorization. The breach was discovered when an employee from Scotiabank (Edson Branch) brought over paperwork to be signed, authorizing the transfer of funds to an unknown account to pay an overdue invoice. The bank had received the request to transfer the funds from the former employee’s email account with the Organization.
P2021-ND-017

Edson Medical Centre

The Organization provides salary compensation information to its service provider, Korn Ferry, on an annual basis. On June 26, 2020, Korn Ferry learned, through a blog post by a security researcher, that an Amazon Web Services S3 Server (AWS S3 Server) contained data submitted to Korn Ferry by the Organization related to 2018 salaries. The data was inadvertently made publicly available on the AWS S3 Server on July 24, 2019 and was removed on June …
P2021-ND-016

JTI-Macdonald Corporation

On June 28, 2019, an administrative error caused an investment update document to be inadvertently mailed to out of date addresses. The addresses were former employment addresses for now retired clients. The breach was discovered on July 2, 2019 when an unintended recipient reported opening and subsequently shredding the mailing.
P2021-ND-015

Richardson GMP Ltd.

On August 22, 2019, the Organization’s Board meeting was audiotaped, including the “in camera” session where two employees’ employment status (disciplinary review, medical leave) were discussed in detail. On September 10, 2019, an anonymous email was sent to twenty-plus (20+) club members (parents) containing extensive verbatim quotes made by Board Members at the August 22, 2019 meeting. The Organization reported that it is not clear who was involved and the exact details of the creation …
P2021-ND-014

Salta Gymnastics Club

On September 23, 2019, the Organization sent reminder notices on overdue continuing professional development submissions. The full list of member names, emails and member IDs of the 77 members receiving the notice were inadvertently included in the email. The breach was discovered the same day.
P2021-ND-013

Association of Professional Engineers and Geoscientists of Alberta

On July 15, 2019, the Organization mailed Financial Investment renewal notices to 2,118 members. Page 1 of the notice was addressed to and received by the correct individual; however, page 2 of the notice contained investment information for another member. The incident resulted from an error on the part of a third party vendor used by the Organization for printing and mailing. The error was discovered on July 18, 2019 when a member contacted the …
P2021-ND-012

Connect First Credit Union Ltd.

On July 15, 2019, the Organization mailed Financial Investment renewal notices to 2,118 members. Page 1 of the notice was addressed to and received by the correct individual; however, page 2 of the notice contained investment information for another member. The incident resulted from an error on the part of a third party vendor used by the Organization for printing and mailing. The error was discovered on July 18, 2019 when a member contacted the …
P2021-ND-011

Olymel LLP

On September 19, 2020, a criminal organization attempted to access the Organization’s systems. The Organization became aware of the attack on or about October 5, 2020, when certain systems started to encrypt, affecting the Organization’s operations. On October 16, 2020, the Organization paid a ransom and in return received delete logs, which provide evidence that all exfiltrated files (including all files containing personal information) have been securely deleted.
P2021-ND-010

Best Buy Canada Ltd.

On or around January 27, 2020, one of the Organization’s Geek Squad Agents filled out a site survey form at a customer’s home to summarize the service performed and to provide additional information about the site conditions. The booklet containing the form was subsequently misplaced.
P2021-ND-009

Aurora Cannabis Enterprises Inc.

Between December 24 and December 26, 2020, the Organization was subject to a cyberattack involving unauthorized access to their SharePoint environment. The incident was discovered on December 25, 2020, when the threat actor contacted the Organization, claiming to have hacked into the Organization’s system. Upon investigating, the Organization found that the incident resulted from use of credentials that a third party service provider included in an email. The Organization uses a third party service provider …
P2021-ND-008

Servus Credit Union Ltd.

An error in the printing and folding of tax receipts resulted in social insurance numbers being visible in the address window of mail sent to individuals on February 10, 2020. The Organization was notified by a recipient on February 16, 2020. On February 19, 2021, the Organization determined that 262 notification letters were not delivered as expected in February or March of 2020. It was indicated that the error was due to miscommunication and remote …
P2021-ND-007

ATB Financial

On February 6, 2020, an employee’s backpack was stolen as the result of a vehicle break-in. The backpack contained an encrypted laptop, tablet, and paper documents. The breach was discovered the same day. At the time of the incident, the laptop was powered on and locked; the tablet was powered off. Access to the Organization’s resources was revoked the same day for both devices. On February 12, 2020, the backpack was returned to the employee’s …
P2021-ND-006

Don Wheaton Chevrolet GMC Buick Cadillac Ltd.

On December 23, 2020, the Organization’s service desk received and opened an email that activated malware. A single computer and single email address were infected. On December 28, 2020, unusual activity in the email account led to an investigation by IT and cyber security personnel. The virus was discovered and removed immediately. The effect of the virus was not apparent at that time. On January 5, 2021, a customer (insurance company) reported receiving two …
P2021-ND-005

Ridley College School

The Organization uses a third-party service provider, Blackbaud, who provides a CRM platform to manage information related to donors, students and alumni. On July 16, 2020, the Organization was advised by Blackbaud that cybercriminals accessed their system by using the credentials of a customer who was using Blackbaud’s self-hosted environment, and attempted a ransomware attack. The cybercriminal was able to bypass standard anti-virus controls, before detection. Blackbaud says that it successfully prevented the cybercriminal from …
P2021-ND-004

London Life Insurance Company

On June 25, 2019, an insurance contract containing client personal information was sent from the Organization’s head office in Ontario to an advisor’s office in Alberta. The contract was sent via secure mail through the Organization’s internal mail service but tracking information was not retained and the contract did not arrive at its destination. The incident was discovered on July 9, 2019, when the advisor confirmed that the contract had not arrived at the advisor’s …
P2021-ND-003

AltaSteel, Inc.

On November 18, 2020, two employees reported to IT that they were receiving bounce back emails indicating “Your organization does not allow external forwarding”. On November 20, 2020, the Organization’s investigation confirmed that 5 employee email accounts were set up with rules forwarding emails to an external email address. Of these 5, three (3) did not appear to be set up by individuals and were forwarded to external unknown email addresses (@gmail.com). The Organization reported …
P2021-ND-002

Deluxe Small Business Sales Inc., operating as MAC Highway

The Organization manages customer accounts through an administrative portal that is owned and managed by a third party, Endurance International Group, Inc., and operated as www.resellerclub.com. On December 2 and December 17, 2020, authorized employees were unable to log in to the administration portal; on each occasion the passwords were reset. On December 21, 2020, the Organization investigated and found the password to the portal had been compromised and an unauthorized individual had access to …
P2021-ND-001

Custom Electric Ltd.

On December 22, 2020, a payroll administrator sent an email attaching employee payroll earning statements to the operations manager and the president for review ahead of submission to the bank for bi-weekly payroll. Earlier that day, the operations manager had received a phishing email; the sender represented themselves as the Organization’s president. As a result, when the payroll administrator sent the email to the operations manager and the president, the cache in her inbox attached …
P2020-ND-201

Pacific Oaks College

In May 2020, the Organization’s third party vendor, Blackbaud, advised the Organization that it had experienced a ransomware attack on its systems, including its Raiser’s Edge software product used by the Organization to manage alumni and donor information. Blackbaud reported that it discovered and stopped a ransomware attack. Blackbaud successfully prevented the cybercriminal from blocking its system access and fully encrypting files, and ultimately expelled them from its system. However, the cybercriminal removed a copy …
P2020-ND-200

The Chicago School of Professional Psychology

In May 2020, the Organization’s third party vendor, Blackbaud, advised the Organization that it had experienced a ransomware attack on its systems, including its Raiser’s Edge software product used by the Organization to manage alumni and donor information. Blackbaud reported that it discovered and stopped a ransomware attack. Blackbaud successfully prevented the cybercriminal from blocking its system access and fully encrypting files, and ultimately expelled them from its system. However, the cybercriminal removed a copy …
P2020-ND-199

Luxury Hotels International of Canada ULC, a wholly owned, indirect subsidiary of Marriott International, Inc.

On February 26, 2020, the Organization discovered a higher than normal amount of lookup activity on its guest reservation application associated with login credentials of two employees of a franchisee property in Russia. The change in volume associated with one set of credentials started on January 11, 2020, and the other on January 14, 2020. On June 29, 2020, the Organization reported it had identified a small amount of prior unauthorized lookup activity between September …
P2020-ND-198

Heart and Stroke Foundation

The Organization manages personal information related to volunteer and donor relations, communications and for historical record keeping through its service provider, Blackbaud. On July 16, 2020, Blackbaud advised the Organization that cybercriminals accessed Blackbaud’s system by using the credentials of a customer who was using Blackbaud’s self-hosted environment, and attempted a ransomware attack. Blackbaud advised that it was able to successfully prevent the cybercriminal from fully blocking system access and fully encrypting files, and was …
P2020-ND-197

Food Banks Canada

On July 16, 2020, the Organization was notified by its third-party fundraising software provider, Blackbaud, that Blackbaud had experienced a ransomware attack. The cybercriminal was prevented from blocking Blackbaud’s system access and fully encrypting files; however, prior to locking the cybercriminal out, a copy of a backup file was removed from the Blackbaud system. The breach occurred between February 7, 2020 and May 20, 2020. Blackbaud paid the ransom demand after receiving confirmation that the …
P2020-ND-196

NAFSA: Association of International Educators

The Organization discovered that an unauthorized third party may have gained access to customer information entered into form fields on its online store (https://shop.nafsa.org/) checkout page between April 8, 2020 and May 15, 2020.
P2020-ND-195

Canadian Bible Society

On July 16, 2020, the Organization received notice from Blackbaud, a third-party service provider, that Blackbaud had experienced a ransomware attack. The Organization reported that, according to Blackbaud, the attack was discovered on May 14, 2020. The incident affected Blackbaud’s back-ups, and not live operational data. Donor information resident on the back-ups from the period of February 7, 2020 to May 20, 2020 was impacted. Blackbaud paid a ransom in return for the assurance the …
P2020-ND-194

St. Marys Healthcare Foundation

The Organization uses a third-party service provider, Blackbaud, to manage its donor and organization data, and to communicate with various members of its community. On July 16, 2020, the Organization received a notice from Blackbaud reporting that it had discovered and stopped a ransomware attack. However, prior to locking the cybercriminal out, the cybercriminal took a copy of the Organization’s backup file, which contained certain individuals’ personal information. This occurred at some point beginning on …
P2020-ND-193

car2go NA, LLC and car2go Canada Ltd. dba as SHARE NOW

On or about May 20, 2020, an unauthorized third party(ies) used North American IP addresses to perpetrate a “brute force” attack against the Organization’s online customer account system. The attacker made repeated trial-and-error attempts to log into the Organization’s online customer accounts using email addresses combined with hundreds or possibly thousands of passwords. Some of the email addresses used by the attacker belong to the Organization’s customers and former customers but other email addresses do …
P2020-ND-192

Kohl Children’s Museum of Greater Chicago

On July 16, 2020, the Organization received notice that its third-party cloud computing provider, Blackbaud, had been the target of a ransomware attack in May 2020. The Organization reported that Blackbaud reported that data was exfiltrated by the unknown actor at some point before Blackbaud locked the unknown actor out of the environment on May 20, 2020. On or about August 5, 2020, the Organization received further information from Blackbaud that allowed it to confirm …
P2020-ND-191

Save the Children Federation, Inc.

On July 16, 2020, the Organization received notice that its third-party service provider, Blackbaud, had been the target of a ransomware attack. The Organization reported: We understand from Blackbaud that the incident began in February, when the hacker gained access to Blackbaud’s system, and continued until May 2020, when Blackbaud discovered the hacker was attempting to carry out a ransomware attack. … Unfortunately, the hacker was able to make a copy of some data on …
P2020-ND-190

ADRA International (Adventist Development & Relief Agency)

In July 2020, the Organization received notice from its third party service provider, Blackbaud, that Blackbaud had discovered a cyberattack on one of its systems that houses donor information. The Organization reported that the breach was “discovered in May 2020” and “…may have included personal data for some of our … supporters”. The Organization reported that “A detailed explanation of the incident is available on Blackbaud’s website at: blackbaud.com/securityincident.” This website describes a ransomware attack, …
P2020-ND-189

Audio Visual Services Group, LLC d/b/a PSAV

On or about January 15, 2020, the Organization learned that an unauthorized party had gained remote access to certain employees’ business email mailboxes. The unauthorized activity was part of an apparent attempt to use email accounts to re-route wire transfer payments from vendors to bank accounts under the control of the unauthorized party. The Organization’s investigation found the unauthorized access began on or before October 22, 2019 and ended on or about February 5, 2020.
P2020-ND-188

Leibel Insurance Group

The Organization’s service provider, Trufla Technology Ltd., provides access to a cloud based lead management platform and a cloud based customer service platform. On November 10, 2020, the service provider was working on a new feature, and created a separate database on a separate hosting account using sample data copied from transactions relating to the Organization. On November 11, 2020, the service provider found that the information had been taken by an unauthorized individual who …
P2020-ND-187

KandyPens, Inc.

In January 2020, the Organization became aware of suspicious activity associated with the online payment process for its e-commerce platform. An investigation determined that an unauthorized user gained access to the Organization’s online payment platform and credit and debit card information entered between March 7, 2019 and February 13, 2020 may have been compromised.
P2020-ND-186

SimpleTax Software Inc.

On July 2, 2020, the Organization became aware of a credential stuffing incident involving attempts to access data from certain user accounts. The Organization reported that it appears an unauthorized individual(s) was able to log in to user accounts between June 28 and July 2, 2020, using valid usernames and passwords. The Organization’s investigation indicates that the credentials were not obtained from its systems, but rather from another site or app where the user used …
P2020-ND-185

SalonBiz

On May 29, 2020, the Organization detected unusual activity within an employee’s email account. The Organization secured the account and launched an investigation. An independent forensics firm determined that one employee email account was accessed without authorization. On August 7, 2020, the Organization learned the email account contained personal information which may have been accessed by an unauthorized actor.
P2020-ND-184

Rifco National Auto Finance Corporation

On March 11, 2020, an employee of the Organization was corresponding with a customer by email and inadvertently used an email string that contained another customer’s personal information. On March 13, 2020, the customer who received the information in error alerted the Organization and provided a copy of the email she had received.
P2020-ND-183

The Co-Operators Group Limited

On June 26, 2020, the Organization was compiling information in response to a client’s request for a copy of her file. While processing the request, the Claims Team noticed that the client’s profile had been accessed on June 12, 2020. The access was flagged because the employee who accessed the client’s profile works in a department that would not have been required to be in the claim because of the stage the claim was at. …
P2020-ND-182

Hull Services

The Organization reported it uses an external database called Blackbaud Raiser’s Edge NXT to store information related to its donors and volunteers. On July 16, 2020, Blackbaud informed the Organization that, in May 2020, it discovered and stopped a ransomware attack. The back up copy of the Organization’s Raiser’s Edge NXT and NetCommunity files were involved in the attack. Blackbaud advised it had successfully prevented the cybercriminal from blocking its system and fully encrypting the …
P2020-ND-181

AccSys, LLC d/b/a/ Restaurant Magic

Around March 10, 2020, the Organization was alerted to suspicious activity within four (4) email accounts belonging to email users of the Organization. The Organization determined that email accounts were accessed without authorization between March 4, 2020 and March 10, 2020; only one (1) of the email accounts was accessed for the entire time.
P2020-ND-180

ENMAX Corporation

On March 29, 2020, the Organization was the target of a malicious spear phishing campaign. Fifteen (15) email addresses of current employees and three (3) inactive email addresses of previous employees were targeted. Of the eighteen (18) targeted recipients, four (4) emails evaded the Organization’s spam filter. One (1) employee clicked on the link embedded in the email, which allowed the attacker to access the employee’s email profile. The unauthorized access resulted in a number …
P2020-ND-179

GAIN Capital-Forex.com Canada, Ltd.

The Organization is a subsidiary of GAIN Capital Holdings Inc.; the latter provides data processing and hosting services to the Organization. On April 14, 2020, an external threat actor gained access to the service provider’s network and created user accounts with administrative privileges. This enabled the threat actor to access servers which include customer personal information. The threat actor ran several queries against client databases, and also extracted a zip file that may contain some …
P2020-ND-178

Sabina Gold & Silver Corp.

On or about March 28/29, 2020, an unknown individual accessed an employee’s e-mail inbox. The attacker set up an auto-forwarding rule which caused certain emails containing personal information of a group of employees and contractors to be forwarded to an external Gmail account. The Organization determined the attacker had somehow obtained the employee’s credentials (password) and accessed the account through a legacy protocol. The Organization’s investigation did not conclusively find evidence regarding how the credentials …
P2020-ND-177

Sun Life Assurance Company of Canada

On August 19, 2020, the Organization sent a claim status letter to the individual’s employer benefits general email account. The individual works with the team that administers benefits for their employer; as such, their personal information was potentially disclosed to colleagues. Eight days later, on August 27, 2020, the employer discovered the email, deleted the message, and informed the Organization.
P2020-ND-176

ENMAX Corporation

On May 4, 2020, an employee was subject to a targeted phishing attack. A malicious email directed the user to a webpage where they were prompted to enter their login credentials. The attackers were able to use the credentials to access the employee’s email account containing the information at issue. The breach was discovered and contained 2 days later on May 6, 2020 by the Organization’s IT Security team. The Organization was unable to confirm …
P2020-ND-175

Mattress Insider LLC

An unauthorized entity added malicious script to the Organization’s payment gateway at mattressinsider.com. The script potentially sent payment card data to an unauthorized third-party website. The breach was discovered on May 14, 2020 when the Organization was notified by its credit card acquirer, WorldPay, about fraudulent charges on cardholders’ credit card accounts. The Organization’s investigation determined that the personal information may have been compromised between January 11, 2020 and May 14, 2020.
P2020-ND-174

Connect First Credit Union Ltd.

On May 4, 2020, an employee was conversing with 2 separate individuals on 2 separate loan applications. An email was subsequently sent to one of the individuals with an attachment containing a completed statement of affairs for another individual. The incident was discovered the same day when the email recipient reported the error to the Organization.
P2020-ND-173

Shady Hill School

On July 16, 2020, the Organization received notice that its third-party service provider, Blackbaud, had been the target of a ransomware attack. The Organization reported: Blackbaud ransomware occurred from 2/20/2020 to 5/20/2020 where cyber criminals had access to personal information. Blackbaud with the help of the FBI paid the ransom and ensured all exfiltrated information was destroyed.
P2020-ND-172

Olson Curling Inc.

The Organization uses a third party service provider for document shredding and destruction services. On April 24, 2020, thieves broke into and stole the service provider’s truck, which contained the Organization’s files. The truck was recovered the same day. Some of the material that was in the truck was discarded and found in an alley in a new construction area not far from where the truck was stolen. Material was recovered from that location and …
P2020-ND-171

Ambrose University

On July 16, 2020, the Organization received an email from its cloud hosting service provider, Blackbaud Inc., reporting a remote attack on Blackbaud’s servers that was discovered on May 14, 2020. Blackbaud advised the Organization that it prevented the cybercriminals from gaining full access to its systems, but the attackers did remove a copy of a subset of data, including the information at issue.
P2020-ND-170

MEM Psychological Services Inc.

On March 16, 2020, the Organization sent an email to clients informing them how to access virtual services. The email was sent to 41 clients without blind copying client names and email addresses. A second email containing a consent form for virtual services was then sent to 11 clients without blind copying client names and email addresses. The incident was discovered the same day, when a client forwarded one of the emails to a Psychologist, …
P2020-ND-169

1883865 Alberta Ltd. / Knoxville’s Tavern

On February 28, 2020, due to a technical error, the Organization emailed employee T4s to incorrect recipients (past and / or present employees). The incident was discovered the same day when an employee reported receiving the wrong person’s T4. At the time of the report, the Organization did not confirm whether all recipients of the erroneously delivered T4s permanently deleted the record, as requested in the Organization’s notification emails.
P2020-ND-168

ivari

On March 1, 2020, a password protected laptop, and a bag containing client files, were stolen from a locked vehicle (break-in). Local police authorities were informed on the same day.
P2020-ND-167

Boardwalk Rental Communities

On May 18, 2020, an unknown individual entered the leasing office at the Organization’s Viking Arms location. A number of items were stolen including documents, a cellphone, a debit card machine, log book, a note book and a Sonim.
P2020-ND-166

Minted LLC

The Organization became aware of a report that mentioned it as one of ten companies impacted by a potential cybersecurity incident. On May 15, 2020, the Organization discovered that on May 6, 2020, an unauthorized actor gained access and obtained information from the Organization’s user account database.
P2020-ND-165

LiveAuctioneers, LLC

On June 19, 2020, one of the Organization’s technology service providers was subject to a cyber attack. The attackers gained access to several of the Organization’s environments, including Github and Amazon Web Services (AWS). The attackers obtained internal user credentials which were used to access and download a database containing the information at issue. On July 2, 2020, the Organization was notified by its service provider that the systems had been compromised. On July 11, …
P2020-ND-164

Special Olympics Alberta Association

On December 27, 2019, a volunteer with the Organization noticed that someone had rifled through her car and trunk. In her trunk, there was a binder containing information about Lethbridge five-pin bowling athletes. The binder has not been recovered to date.
P2020-ND-163

ivari

A paramedical form that was completed in Alberta was received at the Organization’s Brampton, Ontario office, but the whereabouts of the form is not known. A courier package tracking slip confirms delivery to the Brampton office. The Organization reported the breach occurred on March 3, 2020. A service provider to the Organization advised the Organization of the situation on March 13, 2020.
P2020-ND-162

World Financial Group Insurance Agency of Canada Inc.

On March 1, 2020, a vehicle belonging to an employee of the Organization was broken into. A password protected laptop containing client information and a locked bag of client files were stolen from the vehicle. Law enforcement was notified on the same day, followed by notification to the Organization’s privacy personnel on March 6, 2020.
P2020-ND-161

LUS Brands Inc.

The Organization uses a service provider, Klaviyo Inc., to help deploy email to the Organization’s clients. On March 5, 2020, the Organization was made aware that Klaviyo suffered a security breach incident, which occurred between November 13-29, 2019. An unauthorized third party was able to manipulate parameters associated with URLs for Klaviyo’s “unsubscribe” and “update subscription” functions. This resulted in a successful auto-population of fields within these forms with personal information the unauthorized third party …
P2020-ND-160

Hyde’s Distribution

On April 21, 2020, the Organization discovered that purchase orders made through the website www.zippo.ca using credit cards might have been at risk of compromise due to the actions of an unknown external third party. The Organization was made aware that malware known as a web skimmer script was used on the website to steal personal and payment information. The unauthorized actor had access to the Organization’s network between February 20, 2020 until April 23, …
P2020-ND-159

Canadian Fertilizers Limited (a wholly owned subsidiary of CF Industries Holdings, Inc.)

On June 4, 2020, an unknown third party gained access to the Organization’s data through a remote access server. The Organization’s investigation found the third party gained unauthorized access through a brute force attack of a single account. Files from two servers were removed from the network and stored (although not published publicly) on an online cloud storage website. During the investigation, the files that had been stolen were deleted from the online cloud storage …
P2020-ND-158

You Can Trade Inc., a subsidiary of TradeStation Group Inc.

On May 28, 2020, the Organization discovered that customer personal data had been accessed by one or more unauthorized persons in February. The Organization discovered that two domains were hosting a replica of the Organization’s website; one in Iran, and the other in India. A recently hired developer made an unauthorized back up copy of the Organization’s database and website, and imported the data to an unauthorized server. The system was unprotected, with ports open …
P2020-ND-157

Ashbury College

On July 16, 2020, the Organization was notified by its software service provider, Blackbaud, that Blackbaud had experienced a remote attack on its servers. Blackbaud informed the Organization that it was able to expel the ransomware from its system but before it was removed, hackers were able to extract certain files that contained personal information of the Organization’s constituents. The Organization reported that it is not aware of how the ransomware entered the system or …
P2020-ND-156

Cognizant Technology Solutions Canada Inc.

On April 20, 2020, the Organization was the victim of a ransomware attack carried out by international cyber criminals. The Organization learned that the attackers staged and likely exfiltrated a limited amount of data from its systems. Based on its investigation, this activity occurred between April 9 and 11, 2020.
P2020-ND-155

Burgundy Asset Management Ltd.

On or about April 21, 2020, an employee of the Organization clicked on a phishing email and entered his log-in credentials for his work email account. Intermittently between April 21, 2020 and May 12, 2020, the credentials were used by an unauthorized party to log into the employee’s work email account via the Organization’s web-based access. On May 12, 2020, phishing emails that appeared to spoof the employee’s email address were sent to individuals whose …
P2020-ND-154

Goodman Mintz LLP

On June 12, 2020, an employee with the Organization turned on his computer and found that he could not access data files from the Organization’s server. The issue was caused by a malware infection known as “REvil”; the first evidence of malicious activity was on June 10, 2020. The attacker actor(s) demanded a ransom in exchange for the decryption key, and if the ransom was not paid, the files would remain encrypted, and any data …
P2020-ND-153

E.H. Wachs

The Organization discovered that, from February 15 to February 28, 2020, unauthorized individuals installed ransomware on certain of its servers. The Organization reported that although unauthorized individuals could have infiltrated the servers, it had no reason to believe that any personal information was viewed or accessed.
P2020-ND-152

Canadian Back Institute Operating Limited Partnership

An Ontario payroll administrator’s password was compromised, resulting in unauthorized access to a cloud-based employee payroll system. During the unauthorized access, banking information was changed for a subset of seven (7) employees (one (1) in Alberta). The breach occurred between approximately March 29, 2020 and April 15, 2020. The Organization learned of the breach on April 15, 2020 when an unauthorized change to banking information was discovered, and an investigation was commenced.
P2020-ND-151

Combat Network Inc.

Between approximately October 23, 2019 and October 30, 2019, the Organization was targeted by threat actors who gained unauthorized access to its network systems, and more particularly to some of its employees’ mailboxes. The breach was discovered on October 31, 2019 when the Organization was informed by the Canadian Security Intelligence Service (CSIS) and the Canadian Centre for Cyber Security (CCCS) of potentially malicious activity on its systems linked to a suspect IP address. During …
P2020-ND-150

Industrial Alliance Insurance and Financial Services Inc., on behalf of its wholly owned subsidiaries Industrial Alliance Securities Inc. and Investia Financial Services Inc.

On or around August 27, 2019, the Organization discovered that unauthorized spam messages containing malicious links had been sent internally from the email accounts of certain financial advisors. The Organization immediately investigated and confirmed that between August 26, 2019 and September 30, 2019, the email accounts of eighteen (18) advisors were compromised because of a phishing campaign, which led to these advisors divulging their user credentials to malicious websites. The Organization reported that there is …
P2020-ND-149

PCL Constructors Inc.

The Organization uses a third party vendor, PaperlessPay Corporation (PPC), to provide its employees with electronic access to tax slips and pay stubs in PPC’s database. On February 20, 2020, the Organization received a notification from PPC that an unknown party had issued an advertisement purporting to sell access to PPC’s database on the dark web. The Organization requested and confirmed that PPC removed all of the Organization’s data from the database. On March 20, …
P2020-ND-148

Arbonne International LLC

On April 20, 2020, the Organization discovered an unauthorized attempt to access its secure servers. The Organization contained the attack, neutralized the threat, and assessed the impact of the incident. The Organization determined the perpetrators accessed personal information on a single server, which contained personal information of its clients and independent consultants.
P2020-ND-147

Eastern Virginia Medical School

On January 28, 2020, the Organization became aware of suspicious activity associated with one of its email accounts. The Organization’s investigation determined that an unauthorized user had gained access to four email accounts for a limited period of time. The email accounts may have contained emails and documents containing employees’ personal information.
P2020-ND-146

Drillinginfo, Inc. (Enverus)

The Organization uses a service provider, ADP Canada, to manage its employees’ self-service accounts. On September 28, 2020, an employee of the Organization reported that he received a notification that a mobile number change was made to his ADP profile, and a time-off request was entered that he did not make. ADP Canada advised the Organization that a technical issue with a password recovery process enhancement may have led to another ADP client’s employee inadvertently …
P2020-ND-145

FitFabFun, Inc., a Delaware corporation

A third party installed malicious code on the shop extension of the Organization’s website, using an employee’s administrative credentials. The code was placed on the site on May 2, 2020 and was discovered on May 6, 2020, during a routine review of its website.
P2020-ND-144

Bath & Body Works Direct, Inc.

On December 2, 2019, the Organization learned that an unauthorized individual gained access to personal information in certain online accounts from approximately September 17, 2019 to November 23, 2019. The Organization believes that the individual capitalized on a breach of another company’s system where the customer may have used the same login information. The Organization later reported that “the unauthorized access also may have occurred until [the Organization] implemented additional safeguards on January 15, 2020.”
P2020-ND-143

Co-operators General Insurance Company and Co-operators Life Insurance Company

On November 18, 2019, the Organization was notified by a client that their credit card number had been used to make a fraudulent premium payment. The Organization investigated and found that the client’s credit card number was likely used by a former employee to fraudulently pay the premium on the former employee’s insurance policy. The former employee had previously held the role of insurance agent, but his employment had been terminated on July 19, 2018. …
P2020-ND-142

Bird Construction, Inc.

On December 2, 2019, files in a number of the Organization’s systems were encrypted by an unauthorized third party who demanded a ransom payment in exchange for the keys to decrypt the files and to destroy data that the unauthorized party claimed to have taken from the Organization’s systems. The Organization reported that it believes that the unauthorized third party gained access to its IT infrastructure on November 20, 2019. The Organization later confirmed that …
P2020-ND-141

Xpedient Logistics

The Organization experienced an email phishing incident involving unauthorized access to employee email accounts that contained personal information. The Organization’s investigation found that an unauthorized individual gained access to the email accounts between April 25, 2019 and May 14, 2019. The breach was discovered on November 27, 2019 when the Organization learned of irregularities with some of its payments to vendors and, upon examining some of the related email traffic, discovered that some of the …
P2020-ND-140

Law Society of Alberta

On March 18, 2020, the email account of an employee of the Organization was hacked and several hundred phishing emails were sent from the account to Organization staff and to approximately 700 external recipients. The email purported to send out documents from the employee and requested recipients enter their credentials. The Organization immediately discovered the incident and quarantined the employee’s laptop, reset the credentials, searched the system for the messages and deleted all internal messages …
P2020-ND-139

Servus Credit Union Ltd.

On December 13, 2018, a fraudulent impersonator with knowledge of personal information and credit card information was able to successfully update the contact information on the credit card account for a single individual.
P2020-ND-138

American Association of Nurse Anesthetists

The Organization was notified of a potential data incident due to an unauthorized individual gaining access to its ecommerce website and inserting a malicious script designed to capture payment card information entered into the checkout page. The malicious script may have affected information entered on the website between May 23, 2019 and October 3, 2019. The breach was discovered by the Organization’s website host on October 3, 2019.
P2020-ND-137

V.A. MacDonald Q.C., Barrister & Solicitor

On December 20, 2019, following the failure of a desktop computer, the Organization’s IT provider removed the hard drive to determine if any data was recoverable. While in the IT provider’s possession, the hard drive and other items were stolen from the provider’s vehicle. The IT provider reported the theft to the Organization on December 23, 2019.
P2020-ND-136

Alberta College and Association of Opticians

On January 30, 2020, an email was sent from a disused email account to an unknown number of people asking for a “favor” and for people to respond to the email. Most of the recipients are registrants of the Organization; some are vendors or other business contacts, some are staff members. The Organization’s IT technician quickly recovered the account and found that emails were being rerouted to a hotmail account. The hacker(s) had access to …
P2020-ND-135

Connect Logistics Services Inc., and its affiliates, including DHL Global Forwarding (Canada) Inc., which are subsidiaries of Deutsche Post AG

On December 11, 2019 an intruder compromised an employee’s ADP (payroll system) account. The intrusion arose from a phishing attack. The intruder accessed the ADP system for over 3 hours from December 11-13, 2019. The intruder created fake employee profiles with real bank accounts in the United States. The ADP system flagged the US bank accounts on December 13, 2019. Upon flagging, ADP immediately shut down access to the system, isolated the fraudulent accounts and …
P2020-ND-134

ATB Financial

The Organization’s Edgerton agency was broken into overnight on December 27, 2019. The burglar(s) also broke into a locked credenza/filing cabinet and stole some personal information. The incident was discovered when the owner arrived at work.
P2020-ND-133

DBH Law

The Organization filed exempt market distribution forms for two subscribers on January 17, 2020 and January 27, 2020. The filings inadvertently included copies of the two subscription agreements which disclosed the information at issue. Alberta Securities Commission (ASC) staff noted the first breach and had the file marked private on January 21, 2020. The ASC notified the Organization on January 27, 2020. On January 28, 2020, the Organization reported the second incident to the ASC …
P2020-ND-132

CNOOC Petroleum North America ULC

On January 15, 2020, an employee of the Organization sent an email to a number of individuals summarizing a meeting held the previous day. The employee inadvertently attached a wrong document to the email, disclosing the information at issue. The incident was discovered by the subject of the email, who reported it to the sender, the sender’s supervisor, and human resources.
P2020-ND-131

Holt, Renfrew & Co. Ltd.

On April 9, 2020, the Organization’s IT department was notified about a phishing attack and potential password compromise. The Organization discovered that on April 8, 2020, a phishing email was sent to six employees from a legitimate email account associated with one of the Organization’s concession partners. The phishing email was designed to prompt email recipients to click a link to download several documents. The link in the email took users to a Microsoft OneNote …
P2020-ND-130

VersaCold Logistics Services

On May 12, 2019, a person or persons broke into the Organization’s office premises and stole eight laptop computers. The laptops were password protected. The incident was discovered on May 13, 2019 when employees arrived at work.
P2020-ND-129

The Brenda Strafford Foundation Ltd.

On October 24, 2019, an attachment containing the information at issue was sent out with employee pay stubs in error. The incident was discovered when one of the employees opened the attachment and immediately called the payroll clerk.
P2020-ND-128

Kalispell Regional Healthcare

In the summer of 2019, the Organization discovered that several employees were victims of an email that led them to unknowingly provide their login credentials to malicious criminals. On August 28, 2019, the Organization learned that some patients’ personal information may have been accessed without authorization. A deeper investigation determined that some personal information may have been accessed as early as May 24, 2019.
P2020-ND-127

StorageVault Canada Inc. dba Access Storage

On September 16, 2019, the Organization learned that it was the victim of a break and enter, which occurred on September 15, 2019 at its facility in Winnipeg, Manitoba. The perpetrators broke into a locked storage unit which contained the Organization’s records, including physical files with client personal information collected for the purposes of facilitating storage rentals and services. The Organization reported the break-in to police, who were able to apprehend one of the thieves …
P2020-ND-126

Wayside Technology Group, Inc.

On June 20, 2019, the Organization discovered unusual activity involving its email system which occurred between June 12 and June 13, 2019. On October 9, 2019, the Organization’s investigation revealed that personal information may have been accessed without authorization.
P2020-ND-125

Atria Senior Living

On October 24, 2019, the Organization identified suspicious activity related to certain employee email accounts. The Organization’s investigation of the email phishing incident showed that an unauthorized person first had access to an employee’s email account on September 18, 2019 and last had access on September 20, 2019. The investigation was unable to determine which specific emails or attachments, if any, were viewed by the unauthorized person.
P2020-ND-124

PFSL Investments (Canada) Ltd.

On November 25, 2019, an independent sales representative attended the home of the affected individuals who were looking to contribute to an existing RDSP account on a monthly basis. The representative had both affected individuals sign a Subsequent Contribution Form and provide a void cheque. After leaving the individuals’ home, the representative stopped at a grocery store. While unloading the groceries into her car, an unknown male drove by, reached out of the window of …
P2020-ND-123

OnePlus Technology (Shenzhen) Co., Ltd.

On November 13, 2019, the Organization received a monitoring alarm system warning, which showed abnormal behavior in its after-sales service API portal. The Organization investigated and discovered that between October 30 and November 13, 2019, an unauthorized individual registered for an account and used it to access the after-sales pickup and dropoff services IMEI lookup page. Through the lookup page, registered users may find order information using the IMEI number (i.e., the International Mobile Equipment …
P2020-ND-122

College and Association of Registered Nurses of Alberta

On March 12, 2019, the information at issue was mistakenly disclosed to a member having the same first name as another member. The Organization’s employee did not confirm the full name of the caller at the beginning of the discussion. The error was discovered during the employee’s conversation with the member.
P2020-ND-121

United Food and Commercial Workers Local 401

On June 7, 2019, a staff member’s laptop was stolen from his vehicle. He reported it missing on June 8, 2019. The laptop was a temporary replacement laptop and lacked the usual security protocols (full volume encryption) that are installed on laptops used by the Organization. The laptop was protected by a strong password. The Organization reported that no documents or personal information were locally stored on the device. Everything was accessed through email and …
P2020-ND-119

HSBC InvestDirect

Due to a system misconfiguration, the Organization inadvertently mailed a customer’s mutual fund confirmation slip and T4RIF to the wrong address. The errors occurred on January 23, 2019 and February 5, 2019. The error was discovered on March 13, 2019 when the customer contacted the Organization.
P2020-ND-118

Eye Buy Direct, Inc.

In June 2019, the Organization learned that a number of US consumers had reported fraudulent activity on their credit cards. The consumers had all made transactions on the Organization’s website, www.eyebuydirect.com. The Organization investigated and concluded its systems showed signs of intrusions; however, investigators were unable to confirm with certainty how or when the platform had been breached or whether any data had been accessed or taken. The Organization notified individuals who made purchases on …
P2020-ND-117

Raytheon Canada Limited

On March 13, 2020, the Organization was notified by a U.S. law enforcement agency of suspicious internet activity. The Organization confirmed an unauthorized party exploited a vulnerability in a third-party technology it uses for web application delivery control and accessed a server containing personal information between January 11, 2020 to on or about March 27, 2020. The Organization reported that it cannot conclusively determine whether any data was accessed or exfiltrated, but, out of an …
P2020-ND-116

NorthShore University HealthSystem

The Organization uses a third-party service provider, Blackbaud, who provides a platform to manage donor information. On July 22, 2020, the Organization received a notice from Blackbaud reporting that cybercriminals obtained access to information Blackbaud processed for the Organization. Blackbaud advised the Organization that it paid a financial demand in exchange for confirmation from the attackers that the extracted information was destroyed. The incident occurred between February 7 through May 20, 2020.
P2020-ND-115

Evangelical Fellowship of Canada

On July 16, 2020, the Organization received notice that its third-party service provider, Blackbaud, had been the target of a ransomware attack. The Organization reported: According to Blackbaud, the attack was discovered on the same day the incident occurred, May 14, 2020. The Cyber Security team, together with independent forensic experts and law enforcement, successfully prevented the bad-actor from blocking Blackbaud’s system access and fully encrypting the files. According to Blackbaud, ransom was paid in return …
P2020-ND-114

Kayden Industries LP

On July 18, 2020, unknown persons entered the Organization’s facility (warehouse and front office), rummaged through cabinets and desks, and removed items. The warehouse was previously damaged by fire on March 9, 2020. The Organization reported that it appeared some of its personnel files might have been compromised. The Organization notified its landlord and city police, who are currently investigating the incident.
P2020-ND-113

Apeetogosan (Metis) Development Inc.

On December 3, 2019, the Organization found its computer system was affected by a ransomware attack that caused its files to be encrypted. The attacker demanded a ransom. The Organization reported its computer system risk management process includes backup systems and data, so the majority of the system and data were not subject to the attack. The Organization did not pay the ransom. Due to the nature of the attack and the short time between …
P2020-ND-112

Employee Benefit Funds Administration Ltd.

On October 31, 2019, an employee with the Organization inadvertently switched two claims documents and mailed them to the wrong member. On November 12, 2019, the Organization received a call from one of the recipients reporting the error. The Organization contacted the recipients and requested they return the original documents to the Organization. Both plan members returned the documents.
P2020-ND-111

CNOOC Petroleum North America ULC

On July 10, 2019, an employee of the Organization had a conversation with two other individuals (a former employee and another employee) during which the first employee shared the information at issue in an unauthorized manner. On July 16, 2019, the second employee reported the incident to his manager, and the Organization began an investigation. The Organization discovered that the first employee had authorized access to a spreadsheet of aggregate, non-identifiable compensation data; …
P2020-ND-110

Rockyview Gas Co-op Ltd.

On July 9, 2019, the Organization prepared notices for customers with overdue accounts. When printing the notices, the Organization did not realise that the printer was set to double sided. This resulted in half of the customers’ arrears notices being printed on the reverse of another customer’s notice. The breach was discovered on July 15, 2019 when a customer brought the error to the Organization’s attention.
P2020-ND-109

CPA Western School of Business

An employee with the Organization clicked on a phishing email, which created a rule that auto-forwarded incoming email messages to an unknown third-party, moved the messages to a rarely-used Outlook folder in the employee’s Outlook, and deleted information from the sent folder without the staff member’s knowledge. The “hacked” emails sent to the employee’s work email account were from applicants responding to fabricated job postings that the hacker created after having opened a fraudulent account …
P2020-ND-108

Real Estate Council of Alberta

On June 20, 2019, an unknown individual gained unauthorized access to an employee email account through a phishing attack. The unknown individual set up an automatic forwarding rule such that all incoming emails were forwarded to a third party email address that appears to have originated from outside of Canada. The email address is unknown to the Organization. The Organization’s IT department determined that 1,180 emails were forwarded to the external email address between June …
P2020-ND-107

CAM LLP

On May 24, 2020, an employee with the Organization had her car stolen from her driveway. In her car, there was a briefcase with hard copies of client files. The client files have not been recovered to date.
P2020-ND-106

ZipRecruiter Inc.

The Organization provides a website, which enables job seekers to search for employment opportunities and client-users to source candidates by posting job openings on the website and/or by searching a CV/resume database. On December 13, 2019, the Organization was notified that a job seeker reported receiving an unsolicited email that appeared to come from a client-user account and requested she send her resume to a third party email address not associated with the client. The …
P2020-ND-105

Carnival Cruise Line a division of Carnival Corporation

The Organization engaged a vendor for certain web development, support and related services including the design and configuration of a job portal hosted on Amazon Web Services cloud computing infrastructure (AWS). On October 29, 2019, the vendor advised the Organization that an intruder had deleted two databases from the portal. The vendor determined that a legacy module not used but available in the codebase was the cause of the incident. The Organization does not have …
P2020-ND-104

Namaste Technologies, Inc.

On May 9, 2019, an employee of the Organization noticed unsolicited emails had been received at internal email addresses. The Organization investigated and found that between May 4-8, 2019, a series of emails were sent to approximately 10,000 subscribers by a third party email services provider used by the Organization. The emails did not originate from the Organization’s account with the email services provider but instead came from the account of an employee of the Organization. …
P2020-ND-103

College of Physicians and Surgeons of Alberta

On November 1, 2019, a Hearing Tribunal decision was published to the Organization’s website in violation of a publication ban. The decision included the information at issue. The information was also released to the media. The breach was discovered on November 14, 2019, when the Organization was advised that it was in violation of the publication ban.
P2020-ND-102

SkipTheDishes Restaurant Services Inc.

On July 22, 2020, the Organization’s third-party account takeover and fraud analysis vendor notified the Organization of an unusual pattern of activity. The Organization investigated and discovered a malicious actor performed a credential-stuffing attack by testing breached email and password combinations that were obtained outside of the Organization. The Organization estimates that approximately 160 Alberta accounts were affected by this vulnerability between April 2020 and July 31, 2020.
P2020-ND-101

Economical Insurance and its subsidiary, Sonnet Insurance Company

On July 8, 2020, an employee received a phishing email from an unknown third party. The email included a hyperlink to a page on which the employee entered their username and password. On July 20, the credentials were used to access the employee’s email account and an internal software program, and to send further phishing emails to employees and addresses in the email account. Five other employees subsequently entered their credentials. The unauthorized activity was …
P2020-ND-100

Maplebear Inc., dba Instacart

On July 9, 2020, the Organization identified evidence that employees of its service provider accessed more “shopper profiles” than should have been necessary to perform their job. Shoppers are independent contractors on the Organization’s technology platform, who provide shopping services on behalf of the Organization’s customers. The accesses occurred on or about June 5, 2020 and July 9, 2020. The Organization reported that it does not have evidence that its shopper information was stored or …
P2020-ND-099

MNP LLP and related subsidiaries and affiliates

On April 5, 2020, the Organization found its systems were encrypted as a result of a cybersecurity incident. The Organization immediately shut down access to its systems and engaged external experts to work alongside its internal IT response team. The Organization reported that the incident occurred as a result of a phishing email and involved only a small subset of information that was potentially accessed by the attacker. Further, there is no evidence of any …
P2020-ND-098

Chartered Professional Accountants of Canada

From April 20 to 24, 2020, the Organization discovered a potential security incident and possible phishing activity relating to its website and email addresses of its members. The Organization learned that unauthorized parties accessed certain information held by the Organization through an attack against its website between November 30, 2019 and May 1, 2020. The Organization collects a range of general contact, professional and related profile information in the course of its interactions with current …
P2020-ND-097

Railworks Corporation

On January 27, 2020, the Organization was the victim of a cyberattack in which an unauthorized third party encrypted its systems and files that contained personal information of its employees, former employees, current and former employees’ beneficiaries / dependents and some independent contractors. The incident ended on January 31, 2020.
P2020-ND-096

Ply Gem Residential Solutions

On June 25, 2020, the Organization discovered that an unauthorized individual may have accessed certain employees’ email accounts at various times between July 26, 2019 and November 18, 2019. The Organization investigated and was not able to determine which email accounts and attachments, if any, were accessed. The Organization conducted a review of the contents of the email accounts. The Organization has no evidence to date of any misuse of the information.
P2020-ND-095

Accor Services Canada Inc.

On March 18, 2020, the Organization’s service provider, Ceridian Canada Ltd., became aware of suspicious activity on its network, and immediately launched an investigation. On May 12, 2020, the service provider discovered a file containing personal information on a server that an unauthorized third party accessed on March 18, 2020 using a valid name and password of an active customer account. On May 27, 2020, the service provider notified the Organization of the incident. The …
P2020-ND-094

Medicine Hat Family Young Men’s Christian Association

On June 15, 2020, an employee with the Organization sent an email contact list containing guardians’ contact information via the Organization’s OneDrive to an unauthorized recipient (a guardian of a child) in error. On August 11, 2020, the error was discovered, and the employee asked the unauthorized recipient to delete the email sent on June 15, 2020.
P2020-ND-093

Teck Highland Valley Cooper Corporation

On June 12 and June 13, 2019, due to an incorrect mail merge operation, pension benefit statements sent to former employees were sent to the wrong addresses. The breach was discovered on June 17, 2019 when some individuals who received the statements contacted the Organization to advise them of the error. The Organization wrote to the individuals who received the wrong letters and requested they return them to the Organization using an enclosed pre-addressed and …
P2020-ND-092

Neptune Wellness Solutions Inc.

On July 15, 2020, the Organization received a message claiming that its networks were hacked and all of the Organization’s files, documents, photos, databases and other important data had been encrypted, making them inaccessible. The message also claimed that certain private data from the Organization’s network had been downloaded. The unknown actor threatened to post information and publicize if the Organization failed to respond and purchase the encryption key. The Organization believes that it is …
P2020-ND-091

Zoosk, Inc.

On May 11, 2020, an unknown third party claimed to have accessed certain personal information of members of the Organization. Based on its investigation, the Organization learned that on or about January 12, 2020, an unauthorized third party gained access to the Organization’s data stored in a database hosted by a third party. The Organization learned that although a copy of the database is available online the decipher key is not, and therefore most of …
P2020-ND-090

Syncrude Canada Ltd.

In December 2018, an employee made a written complaint against an on-site contractor; the contractor provided a written response to the complaint. These documents were provided to the Organization’s security staff. On December 12, 2018, the security staff forwarded the documents, along with an incident report, to a number of internal staff. On December 13, 2018, the complaint and the contractor’s response were forwarded to the RCMP by the security staff. A Human Resources Advisor …
P2020-ND-089

Dubsmash Inc. and Mobile Motion GmbH (collectively, Dubsmash)

The Organization is a video messaging application for iOS and Android. On February 8, 2019, a reporter contacted the Organization to request comment on the sale of potentially stolen information. The Organization investigated to determine whether there had been any unauthorized acquisition of its users’ personal information. On February 11, 2019, the Organization purchased a database from an unidentified individual and confirmed that it contained information related to the Organization’s users. The Organization reported its …
P2020-ND-088

Howard & Associates Psychological Services

On July 3, 2019, the Organization’s office was broken into. Among other things, the intruders stole intake forms from two Employee Assistance Programs (EAPs) requesting services for individuals. The landlord discovered the breach the same day.
P2020-ND-087

Alberta Society of Professional Biologists

On or around July 22, 2019, a staff member with the Organization realized a laptop was missing. Despite search efforts, the laptop was not found. The information at issue may have been in an event attendees list stored on the laptop. The laptop was not encrypted.
P2020-ND-086

Running Room Canada

On November 14, 2019, the Organization’s web security team identified an SQL injection and confirmed unauthorized access to its website database containing user profile information. The compromised information “…did not involve sensitive personal information like government-issued IDs (like Social Insurance numbers and driver’s license numbers) or payment cards, bank account, or other financial information”.
P2020-ND-085

Nicola Wealth Management Ltd.

On March 19, the Organization’s CEO’s assistant received a suspicious email purporting to be from the CEO directing her to pay an invoice. The assistant confirmed with the CEO that the email in question was not legitimate. The Organization discovered an unknown third party temporarily gained access to the CEO’s email account through a webmail application, and potentially accessed, viewed or downloaded a number of emails over a period of approximately 11 hours. The Organization …
P2020-ND-084

The Canada Life Assurance Company

The Organization uses an online account system to allow plan members to submit health and dental claims electronically, review previous claims and coverage information, and set up direct deposit. The system contains the personal information of the member and his or her dependents, if any. Due to an administrative and system error, a plan member logged into the system and was able to see account information for another member. Both members belong to the same …
P2020-ND-083

IPC Investment Corporation

On August 15, 2019, an advisor with the Organization prepared documents to send to a client for completion. The advisor entered the wrong email address for the client and the message was sent to an unknown party who had a similar email address. The breach was discovered on August 29, 2019 when the client reached out to the advisor to inquire about the documents that were to be sent by email. The Organization was unable …
P2020-ND-082

Women’s Flat Track Derby Insurance Inc.

On August 8, 2019, the Organization acquired CRDi and as a result is the owner of the list of, and contact information for, customers with CRDi, past and present, active, cancelled, and pending in an effort to begin developing member solutions for leagues and skaters across Canada. On December 11, 2019, a former CRDi employee emailed participants to promote a new company. The email was worded in such a way that it confused recipients as …
P2020-ND-081

Westward Advisors Ltd.

On November 25th, 2019, a “spear phishing” email was sent to some of the Organization’s email addresses. One employee clicked on an attachment that installed a rule in the Employee’s Outlook account. As a result, the attacker collected a copy of certain emails addressed to the employee between November 25-December 31, 2019. The attacker also created a similar but fake email address for the employee and contacted some of the Organization’s clients while impersonating the …
P2020-ND-080

Rifco National Auto Finance Corporation

On June 10, 2019, two letter attachments addressed to two different customers were sent by text messages by the Organization. The two letters were inadvertently sent to two incorrect cell phone numbers. One of the customers who received a text message called the Organization to advise he had received a letter that was intended for another customer. The Organization reported there was no release of any payment or banking information, or other personal information.
P2020-ND-079

Servus Credit Union

On June 26, 2019, there was a break-in at a Red Deer branch of the Organization. A briefcase containing documentation for 12 Wealth Management Accounts was stolen. The breach was discovered the following morning by an employee entering the branch and completing a branch check per corporate policy. The files and associated documentation were recovered intact on June 27, 2019.
P2020-ND-078

ivari

On December 4, 2019, a life insurance policy contract was placed in an incorrect courier envelope package. The policy contract was delivered to another General Agency office that is licensed with the Organization. On December 16, 2019, the intended recipient (a licensed insurance advisor) contacted the Organization inquiring as to the whereabouts of the policy contract.
P2020-ND-077

Pfizer Canada ULC

On March 18, 2020, the Organization’s payroll services provider became aware of suspicious activity on its network. An investigation found that on January 25, 2020, an unauthorized third party gained access to one of the service provider’s servers. The service provider determined that the threat actor was able to remotely gain access to its systems via a remote desktop using name and valid password of an active customer account; however, it was unable to determine …
P2020-ND-076

Carnival Corporation & plc and its subsidiaries and brands

In late May 2019, the Organization identified suspicious activity on its network and initiated an investigation. The Organization discovered that between April 11 and July 23, 2019, an unauthorized third party gained access to some employee email accounts that contained personal information regarding employees, crew, and guests. Approximately 124 employee email accounts, primarily at Princess Cruise Line, were compromised. The Organization reported that it appears that the unauthorized third party sought information related to payments …
P2020-ND-075

Capital Region Housing Corporation

Tenants who failed to pay their July rent were issued Notices to Vacate. The site manager who did the posting, however, posted the incorrect Notices to Vacate (e.g. Tenant A’s notice was posted on Tenant B). The postings occurred on July 11, 2019. The error was discovered on July 12, 2019 when a few tenants receiving the incorrect notices contacted the Organization.
P2020-ND-074

Hanna Andersson, LLC

On December 5, 2019, law enforcement informed the Organization that credit cards used on its website were available for purchase on a dark web site. The Organization investigated, and confirmed its third-party ecommerce platform, Salesforce Commerce Cloud, was infected with malware that may have scraped information entered by customers into the platform during the purchase process. The earliest potential date of compromise identified by forensic investigators is September 16, 2019, and the malware was removed …
P2020-ND-073

Justin Warsylewicz

On February 6, 2020, a vehicle belonging to the Organization was broken into and a travel bag was stolen. The bag contained the information at issue. The breach was discovered the same day.
P2020-ND-072

Industrial Alliance Insurance and Financial Services Inc.

On May 27, 2019, an insurance broker’s briefcase, which included an insurance policy contract with personal information, was stolen. The breach was discovered the same day. The broker reported the theft to the company.
P2020-ND-071

ExecuPharm, Inc.

The Organization is a United-States-based entity that provides staffing solutions for parent company, Parexel International Corporation (“Parexel”). On March 13, 2020, the Organization became aware that its data network had been compromised as a result of a cyber ransomware event conducted by malicious actors. The malicious actors encrypted files and sought a ransom in exchange for lifting the encryption. The Organization was able to successfully rebuild its systems from backup servers without paying the ransom. …
P2020-ND-070

Midwest Surveys Inc.

On April 3, 2020 a series of emails, with a link to virus payload, was sent out from an employee’s email account. The Organization reported the “… account had been compromised by a bad actor at some point, but there was no evidience [sic] other than the series of emails with a malicous [sic] link being sent on their behalf. User could not recall any of the possible situations described to them by the investigator …
P2020-ND-069

Marval Capital Ltd.

On March 24, 2020, the Organization’s general email account was used to send out phishing emails. The person that accessed the account had brief access to the inbox. The Organization and its email provider were not able to determine which emails the intruder may have opened in that time. The Organization reported the breach “occurred during the COVID-19 pandemic during the Organization’s transition to working remotely as mandated by the Federal Government”. The breach was …
P2020-ND-068

Tupperware U.S., Inc.

On March 24, 2020, the Organization identified unauthorized code had been inserted into the code that runs its Tupperware U.S. and Tupperware Canada e-commerce websites, Tupperware.com and Tupperware.ca. The Organization’s investigation found the code was designed to capture information entered by customers during the checkout process on these websites. It was further determined the code was present on the websites from March 19, 2020 to March 24, 2020.
P2020-ND-067

Pomeroy Lodging LP

On April 21, 2020, the Organization’s office was broken into and multiple laptops were stolen, along with some paper files. The breach was discovered the same day when a worker arrived at the office early and discovered the robbery still in progress. The police were called but subjects have not been apprehended.
P2020-ND-066

Capital Brands Distribution, LLC

On March 17, 2020, the Organization learned about possible unauthorized access to its online shopping site www.nutribullet.com. The Organization’s investigation revealed that an unauthorized user changed the website’s checkout page to collect customer information without authorization, for orders placed on the website with a credit or debit card between February 19, 2020 and March 17, 2020.
P2020-ND-065

WESCO Distribution Inc.

On July 1, 2019, the Organization learned an employee’s email account was compromised by an unknown actor through a phishing email sent on August 15, 2018 from a well-known supplier of the Organization. The attack spread to 28 other user accounts. The unknown actor placed an automatic forwarding rule on the accounts, which forwarded all incoming emails to an unauthorized Gmail account. The Organization disabled the rule on July 1, 2019 and reported there was …
P2020-ND-064

Tenaris Group / TMK IPSCO Canada Ltd.

TMK IPSCO was acquired by the Tenaris Group in January 2020. Following the close of the transaction, Tenaris performed an internal control assessment and, on January 28, 2020, identified a lack of security controls for certain files stored in a temporary storage location. These files were potentially accessible by all the acquired Organization’s employees.
P2020-ND-063

King Defence

On Monday March 23, an employee with the Organization went to the courthouse to meet with the friend of a client, who had the client’s cellphone. Due to Covid-19 concerns, the employee placed the cellphone in a plastic bag and put the bag in the centre console of his vehicle. The employee did not return to the office to review the contents of the cellphone as staff were working from home during the coronavirus outbreak. …
P2020-ND-062

Lorne Steinberg Wealth Management Inc.

In late November 2019, the Organization and forensic IT experts identified suspicious activity with respect to two email accounts. The Organization determined that an unknown external actor gained access to the email accounts in late September 2019 and appeared to have forwarded emails from these accounts to illegitimate email accounts for the purpose of attempting wire fraud. The Organization does not currently have any evidence that the external actor was successful in its wire fraud …
P2020-ND-061

Mountain Equipment Co-op

Between October 13-28, 2019, the Organization ran a pilot marketing campaign. The Organization sent the personal information at issue to Facebook to use for the marketing campaign. On January 28, 2020, two members complained to the Organization’s Privacy Office about the information being shared with Facebook. The Organization realized it did not get consent from members to disclose the personal information and requested that all member information associated with the October marketing pilot be permanently …
P2020-ND-060

Servus Credit Union Ltd.

On January 14, 2020, an email containing mortgage renewal documents for an individual was sent to an unknown recipient with a name similar to the individual. The incident was discovered when the member contacted the Organization asking about the status of the email.
P2020-ND-059

Avenue Living Communities Ltd.

On December 17, 2019, the Organization became aware that an unknown and unauthorized actor had altered an employee’s email account settings to automatically forward all incoming emails to an unrecognized email address. The Organization determined that all emails received by the employee on or after October 23, 2019 until December 17, 2019 had been automatically forwarded to the unrecognized email address. The total number of emails forwarded totalled 3,667. The Organization reviewed each of the …
P2020-ND-058

Investors Group Financial Services Inc.

On December 16, 2019, while the Organization’s clients were on vacation, a hacker gained access to the clients’ (husband and wife) email account and then proceeded to pose as the wife and called the Organization’s consultant to request the clients’ statements. Upon receiving this request, the Consultant provided a copy of the statements (one for the husband’s account, and one for the wife’s account) to the hacker. On December 17, 2019, the hacker emailed the …
P2020-ND-057

ATB Financial

On January 13, 2020, a team member’s vehicle was stolen. A laptop, along with paper mortgage application documents, was in the vehicle. The theft was reported to the Organization’s information security team on the same day. The laptop has various security controls, including full disk encryption when powered off.
P2020-ND-056

Lightspeed Technologies, Inc.

On January 14, 2020, customers of the Organization reported receiving spoofed emails attempting to change the account information used for remitting payment to the Organization. An investigation found that an unauthorized party accessed email accounts at different periods between August 19 and August 22, 2019, and between September 20, 2019 and September 23, 2019. The investigation was not able to conclusively determine which emails or attachments were viewed by the unauthorized party. On January 14, …
P2020-ND-055

Attia Law Group

On March 5, 2020, a lawyer with the Organization lost a binder in the Edmonton Provincial Courthouse. The binder contained criminal disclosure documentation with respect to four co-accused persons.
P2020-ND-054

Flexiti Financial Inc.

On December 28, 2019, the Organization received an email from someone purporting to be a hacker and claiming to have encrypted files, and deleted/encrypted backups. The hacker demanded a ransom in exchange for the code to unlock the encrypted back up files, and also claimed to have stolen the Organization’s database. The hacker threatened to release the information in unencrypted form if the ransom was not paid. The Organization did not pay the ransom, but …
P2020-ND-053

Synergen Housing Corporation Ltd.

On December 13, 2019, Board of Directors meeting minutes were distributed to members of the Organization. Personal information contained in the minutes was not redacted before the minutes were sent to the members. The incident was discovered on December 15, 2019, when a member noticed the personal information and notified the President of the Board of Directors.
P2020-ND-052

Solium Capital UI-C

The Organization reported that one of its contracted service providers, TSGI Corporation, determined that a former employee had surreptitiously and unlawfully downloaded data to a remote server during his short-term employment from January 31-February 27, 2019. The data included some confidential information about the Organization’s current and former employees. The service provider first informed the Organization about the breach on February 26, 2019 and on March 6, 2019 confirmed that the Organization’s data was among …
P2020-ND-051

ATB Financial

On November 10, 2019, the Organization’s location in Peers, Alberta was broken into and a safe was stolen. The RCMP were contacted and attended the scene. To date the contents of the safe have not been recovered.
P2020-ND-050

Master-Bilt Refrigeration Solutions

The Organization learned that a number of spam emails had been sent from an employee’s account. An investigation determined that an unauthorized person accessed the account between July 10-11, 2019. The investigation was unable to determine which specific emails or attachments, if any, were viewed by the unauthorized individual. On November 7, 2019, the Organization determined that the unauthorized individual accessed the personal information of one Alberta resident.
P2020-ND-049

Combined Insurance Company of America

The Organization takes electronic insurance policy applications from consumers in the normal course of business. Typically, an agent will meet with a consumer to complete an application, including a needs analysis. Information is uploaded to the Organization’s e-Agent platform. In September 2019, as part of a routine compliance audit, staff noticed 3 instances where the name on the needs analysis document did not match the name on other policy documents. Further investigation found that if …
P2020-ND-048

Canadian Physiotherapy Association

On October 24, 2019, the Organization learned that it was the victim of a social engineering and phishing attack when a vendor followed up regarding payment of an invoice. The Organization discovered a wire transfer had been made to a threat actor posing as the vendor. On November 21, 2019, following an investigation, the Organization learned that there had been an intrusion into two employee inboxes. The suspected point of entry was a phishing email …
P2020-ND-047

iA Financial Group

On February 20, 2020, a vehicle belonging to an insurance agent working with the Organization was broken into. A laptop that stored client information was stolen. The breach was reported to the Organization on February 21, 2020.
P2020-ND-046

Grape Holding, NV

On March 5, 2020, an unauthorized user accessed the Organization’s reservation portfolios on a third party system. The incident was discovered on March 7, 2020, when the host of the third party reservation system informed the Organization that it had detected an unauthorized user. Forensic experts determined that the incident was a single occurrence.
P2020-ND-045

London Life Insurance Company

On April 9, 2019, a completed insurance application was mailed from an advisor’s office in Edson to the Organization’s Financial Centre in Edmonton. The application was sent by regular Canada Post mail rather than courier (tracked/signature required). The Financial Centre did not receive the application. The incident was discovered on May 22, 2019 when the advisor followed up regarding the underwriting of the policy and there was no record of the application being submitted.
P2020-ND-044

Servus Credit Union Ltd.

On May 24, 2019, an employee of the Organization verbally disclosed information about a loan application to an individual’s adult son in error. Both individuals have the same first and last name. The employee who made the disclosure realized the error on May 27, 2019 when speaking with other branch employees after the individual telephoned looking for an update to the loan application.
P2020-ND-043

ivari

On April 17, 2019, an insurance advisor’s car was broken into and a laptop was stolen. The information at issue was stored on the laptop. The incident was discovered the same day. The laptop was password protected.
P2020-ND-042

Carly Buffalo RMT

On April 25, 2019, a home/office was broken into and a laptop containing the information at issue was stolen. The breach was discovered the same day. A suspect has been identified and charged for the break and enter. The laptop has not been recovered.
P2020-ND-041

TrueFire LLC

On January 10, 2020, the Organization discovered that an unauthorized person gained access to its computer system and website (TrueFire.com). The Organization reported that “… it appears that the unauthorized person could have accessed the data of consumers who made payment card purchases while that data was being entered on the Website, between August 3, 2019 and January 14, 2020.”
P2020-ND-040

Co-operators General Insurance Company

On July 4, 2019, during a claim investigation process, the Organization’s claims representative provided the information at issue (license status) to the parent of a child injured in a claim involving a client’s son (the vehicle operator). The incident was discovered on July 5, 2019 when both of the vehicle operator’s parents contacted the Organization to complain about the disclosure. The father of the injured individual took to social media bullying the operator of the …
P2020-ND-039

Web.com Group, Inc.

On October 16, 2019, the Organization became aware that a third-party might have gained unauthorized access to a limited number of its computer systems in late August 2019, and, as a result, account information may have been compromised. The Organization reported that access was facilitated via two externally facing servers that were compromised through a web-enabled application vulnerability and a deprecated user credential. The accessed computer systems also included Web.com’s retail domain registrars, Network Solutions, …
P2020-ND-038

Master Paints Institute (MPI) Canada, Inc.

On November 14, 2019, the Organization discovered a vulnerability in the shopping cart function on its website that allowed an unauthorized user to record information in the shopping cart. The incident was discovered by a consumer using the site, who reported it to the Organization. The Organization reported that an unauthorized individual or group extracted personal information by executing a vulnerability in the code of the third party used for the shopping cart function. The …
P2020-ND-037

Mosaic Primary Care Network

An employee’s email account was compromised and used to impersonate an external software vendor. As a result, a payment sent from the Organization to the vendor was sent to a fraudulent bank account. The breach was discovered on December 10, 2019 when the Organization’s employee informed the IT department of suspicious activity. The IT department identified that the user’s password was likely compromised through phishing. The cyber-attack was found to have exposed the MS 365 …
P2020-ND-036

LifeLabs Inc.

A cyber attack involving unauthorised access to two web servers and two databases occurred. The incident was discovered on October 28, 2019. The Organization engaged cyber security experts to isolate and secure the affected systems and determine the scope of the breach.
P2020-ND-035

Chamberlain Group, Inc.

On April 28, 2019, the Organization discovered that a call center employee had not followed mandated security procedures when handling customer payment card information. Upon notification from law enforcement that the employee had apparently misused the payment card information of other individuals, the Organization investigated. The investigation found that the employee had collected personal information from some Alberta residents between November 2, 2018 through April 24, 2019. The Organization found no information indicating that the …
P2020-ND-034

SkipTheDishes Restaurant Services Inc.

In mid-2019, the Organization’s customer service department noticed an increase in “account takeover” complaints from consumers. These complaints involved concerns that unauthorized orders were being placed in customer accounts. The Organization investigated and found the account takeovers occurred as a result of individuals having lost control of their passwords through a combination of many factors. The Organization did not uncover a failure of security safeguards under the Organization’s control or a compromise of its systems. …
P2020-ND-033

Guardian Law Group LLP

On November 13, 2019, the Organization was contacted by another law firm who reported it had received a suspicious email that appeared to have been sent from the Organization. The email was sent from an address that was the actual email address of an employee of the Organization who was on vacation at the time. The Organization investigated and found that “spam emails” had been sent from an Organization email account. The Organization was contacted …
P2020-ND-032

Parvus Therapeutics Inc.

On November 19, 2019, a consultant who provides human resource services to the Organization was targeted with a phishing email from an unauthorized account. The email requested the consultant provide certain human resource information about employees of the Organization. The consultant did not identify the email as a phishing request and, on November 20, 2019, responded to it, disclosing the personal information at issue. The breach was discovered the same day. The Organization is …
P2020-ND-031

Lethbridge Community Out of School Association

An employee of the Organization was on a short term leave and the Organization was looking for documents stored on the employee’s computer. The Organization’s HR department accessed the computer to search for the documents, and could see the employee’s recently opened files. The files were confidential and included personal information or individually identifying health information. The Organization reported the breach occurred between September 3-8, 2019 and was discovered on September 12, 2019.
P2020-ND-030

Sprott Money Ltd.

The Organization’s website Sprottmoney.com was compromised as a result of malicious code uploaded by an unauthorized third party. The breach occurred on November 1, 2019 and was discovered on November 7, 2019.
P2020-ND-029

The Canada Life Assurance Company

On November 4, 2019, the Organization contacted a residential tenant regarding her parking rent. The individual advised the Organization that she had personally delivered the documents to the Organization’s office on October 18, 2019. The Organization searched for the documents but has been unable to locate them.
P2020-ND-028

Syncrude Canada Inc.

On April 29, 2019, an employee who was ill was assessed by a nurse on-site and sent home. The employee mentioned that his work area may need to be inspected and cleaned. The nurse spoke with the employee’s leader about cleaning and sanitizing the work area. The leader shared with the acting leader in the work area that the employee was ill, sent home and the illness might be related to contamination in the work …
P2020-ND-027

News America Marketing Digital LLC

The Organization learned an unauthorized third party attempted to gain access to Checkout 51 accounts via the Checkout 51 login application programming interface (API) between July 6 – 12, 2019. Based on the Organization’s investigation, the incident did not arise from a breach of the Organization’s security safeguards; rather, the breach was caused by the reuse of usernames and passwords by users that may have been obtained by previous third party hacking incidents.
P2020-ND-026

Association of Professional Engineers and Geoscientists of Alberta

On June 6, 2019, an employee’s email/laptop was accessed without authorization “resulting in a virus containing email being sent from that individual”. Phishing emails were received by staff and individuals in the employee’s address book. The breach was discovered the same day when the emails were recognized as not being “real”, and the issue was reported to IT services.
P2020-ND-025

PAR Technology Corporation

On or about May 31, 2019, the Organization was alerted to suspicious activity within an employee’s email account. The Organization immediately launched an investigation with the assistance of a third-party forensic firm, to determine the nature and scope of the activity. The investigation found that 11 employee email accounts were accessed without authorization between April 19, 2019 and June 20, 2019.
P2020-ND-024

StockX LLC

On July 26, 2019, the Organization was alerted to suspicious activity potentially involving customer data. The Organization investigated and engaged third party experts to assist. The investigation found that an unknown third party had been able to gain unauthorized access to certain customer data from the Organization’s cloud environment on or around May 14, 2019.
P2020-ND-023

Economical Mutual Insurance Company

On October 14, 2019, an independent insurance claims adjusting firm engaged by the Organization to adjust property claims for its policyholders had a break-in and several computers were stolen from its offices. The information on the computers was encrypted and protected by passwords. However, the Organization reported that a thief may have had access to the encryption password for one of the computers. The Organization reported that it has no indication that the theft was …
P2020-ND-022

Koff Productions

On February 3, 2020, the OIPC received an email from an employee of another provincial government stating he had discovered driver’s licenses of Albertans on the internet. The OIPC confirmed the report and contacted the Organization (Treehousecult.com) on February 6, 2020 to notify it of the incident. In its report of the incident to the OIPC, the Organization said that the permissions on a web server were not private. The Organization also reported the incident …
P2020-ND-021

National Baseball Hall of Fame and Museum

An unauthorized third party injected malicious code into the Organization’s web store. The code was removed as soon as it was discovered but could have been able to collect information that customers entered on the web store’s check-out page while it was active. Purchases made via the web store between November 15, 2018 and May 14, 2019 may be affected.
P2020-ND-020

Skip The Dishes Restaurant Services Inc.

Unknown individual(s) used credential stuffing to gain access to the Organization’s courier accounts accessible through its “Courier Portal”. “Credential Stuffing” is the process by which an attacker steals or purchases username and password combinations (possibly on the dark web) and enters those credentials on websites to see if they can gain access. The incident occurred on July 11, 2019 and was discovered the same day when the Organization’s security operations team detected an unusually high …
P2020-ND-019

RBC Life Insurance Company

On June 26, 2018, the Organization emailed a claimant’s letter to the claimant’s employer in error. The letter was addressed to the claimant and contained personal and health information about the claimant. The employer contacted the Organization on June 28, 2018 to report the error. The employer agreed to delete the email and confirmed that it did not save a copy of the letter.
P2020-ND-018

Health Standards Organization (HSO) and Accreditation Canada (AC)

On June 21, 2019, the Organization became aware of a potential malware incident which impacted its IT systems. The incident was later determined to have been caused by the “Ryuk” ransomware that encrypts all data on the infected servers rendering it inaccessible/unreadable until a ransom is paid. The Organization’s investigation did not find any evidence of any information disclosure resulting from the incident, which is consistent with the fact that the Ryuk ransomware is not …
P2020-ND-017

PetroChina Canada Ltd.

Malware (Emotet) was discovered on an end user laptop. The Organization reported the breach occurred on September 23, 2019 and was discovered September 24, 2019 when data communications from the end user laptop matching known Emotet control characteristics were detected by a cybersecurity system. This system alerted the Organization’s Canada Cybersecurity Specialist to the detection.
P2020-ND-016

Quarterhill Inc.

An employee responsible for Human Resource functions used a corporate owned laptop to access a file on the laptop in cloud storage containing personal information of current and former employees and directors. Due to the settings on the laptop, the file synced to the laptop’s hard drive. On August 29, 2019 at approximately 1:00 pm local time, an individual entered the Organization’s Kitchener, Ontario premises through an unlocked door and stole the laptop and one …
P2020-ND-015

Kearns, Brinen & Monaghan

Two employees received a phishing email with a hyperlink. The employees clicked on the link, which took them to a site that looked like a genuine site. Each of the employees entered their credentials into the site. Once the threat actor had the credentials, he accessed the employees’ emails and set up a forwarding rule. The Organization reported the breach occurred on October 15, 2018 and was discovered on July 15, 2019 when suspicious activity …
P2020-ND-014

First National Financial LP

The account credentials of an employee of the Organization were compromised during a credential harvesting phishing attack against the employee on August 26, 2019. These credentials were used by an unidentified party to gain unauthorized access to the employee’s mailbox between August 30, 2019 and September 17, 2019. The unidentified third party had access to customer data contained within the email mailbox. There is no evidence the data was actually accessed or exfiltrated but this …
P2020-ND-013

Leafly Holdings, Inc.

On September 30, 2019, the Organization was contacted by a security researcher who advised that he had obtained a set of the Organization’s user records. The Organization investigated and found that the records were from a legacy database that was last updated in July 2016. This database was separate from the Organization’s production database, and has since been decommissioned.
P2020-ND-012

OrthoAccel Technologies, Inc.

On or about January 14, 2019, the Organization became aware of suspicious activity relating to certain employee email accounts. On January 28, 2019, the Organization’s investigation confirmed one of its email account users was the victim of a phishing event that resulted in unauthorized access to their email account on separate occasions between December 6, 2018 and January 14, 2019. On February 4, 2019, the investigation confirmed two additional email account users were subject to …
P2020-ND-011

Omista Credit Union Limited

On May 29, 2019, the Organization was made aware of an email phishing incident that affected a number of its employees. In particular, an employee mistakenly clicked on a malicious link after receiving a phishing email, which resulted in unauthorized access to the employee’s email account by an unknown third party or parties. As a result, unauthorized access to personal information belonging to the Organization’s members and non-members, which was stored in the employee’s email …
P2020-ND-010

The Driving Force Inc.

On September 3, 2019, the Organization discovered that, due to a phishing scheme, an unauthorized third party gained access to the Outlook mailbox of one of its vehicle rental agents working out of Kelowna, British Columbia. The Organization has not been able to determine the identity of the third party or whether any specific information within the account was actually accessed or downloaded. The breach was discovered by the Organization’s IT department on September 3, …
P2020-ND-009

Servus Credit Union Ltd.

On October 7, 2019, an unauthorized individual was able to successfully access a member’s account. The incident occurred when online banking access was granted over the phone via poor authentication practice by an agent of the Organization, contrary to posted policy. The incident was discovered the same day, when the unauthorized individual contacted the Organization again and spoke to a different agent who refused access and contacted Corporate Security. No funds were lost as all …
P2020-ND-008

Beakerhead Creative Society

The Organization maintains several email distribution lists for purposes which include promoting the Organization’s annual festival. The email distribution list is managed through a third party, online email management service provider (the Service), which requires users to login to an account using a username and password. Once logged in, a user can access, export, and download a spreadsheet of a specific email distribution list from the Service. On the afternoon of October 1, 2019, the …
P2020-ND-007

Eye Safety Systems, Inc.

On July 16, 2019, a third-party developer reported unusual activity in email logs and determined that emails had been sent from the server hosting the Organization’s website, to an unauthorized email address. The Organization investigated and concluded that an unauthorized individual or group extracted personal information by executing a vulnerability in the website code. The unauthorized person was able to obtain the information starting on or around November 21, 2017, and ending on July 16, …
P2020-ND-006

Rifco National Auto Finance

On September 13, 2019, an employee was conversing by email with a customer, and inadvertently used the ongoing email string in an email to a different customer. The incident was discovered on October 21, 2019 when it was reported by the unintended recipient, who also provided a copy of the email at issue to the Organization.
P2020-ND-005

Manufacturers Life Insurance Company of Canada

Internal forensic investigation found evidence of anomalous activity on the Organization’s Group Retirement business’s Plan Member website on September 27, 2019. The activity appears to be the result of common password trial and error, leveraging personal information already in the possession of the perpetrator(s). The Organization’s investigation suggests a manual, “hands on” fraud effort. The breach was discovered on October 9, 2019 when a plan member called to report unusual online account activity.
P2020-ND-004

Feld Entertainment, Inc.

The Organization learned of suspicious activity involving certain employee email accounts related to a phishing scam. The Organization’s investigation confirmed unauthorized access to certain employee accounts on separate occasions between November 14, 2018 and January 25, 2019. The Organization has no evidence of any actual or attempted misuse of the personal information within the affected email accounts.
P2020-ND-003

Employer’s Resource Council

On or about February 21, 2019, the Organization became aware of suspicious activity relating to two of its employees’ email accounts. On April 2, 2019, the Organization determined that an unauthorized actor accessed the impacted accounts on February 21, 2019. On June 28, 2019, the Organization determined that personal information relating to a Canadian resident was potentially affected.
P2020-ND-002

Carl’s Golfland

On March 25, 2019, a webshell was inserted into the Organization’s website through a vulnerability and brute force attack. Customers who made online purchases between the dates of March 25 through July 14, 2019 were affected. The breach was discovered on July 14, 2019 as the result of a bank inquiry.
P2020-ND-001

Industrial Alliance Insurance and Financial Services Inc.

On June 20, 2019, the email account of a representative of the Organization was accessed as the result of a phishing incident. The hacker accessed the email box again on July 17, 2019, including all emails in the email box and the personal information in the emails. The incident was discovered on July 17, 2019, when some of the Organization’s employees received phishing e-mails and informed IT services.
P2019-ND-208

Mountain Equipment Coop

The Organization’s online ecommerce platform was attacked with a botnet between the period of July 23-August 8. The botnet was doing a credential stuffing attack and attempting to use stolen credentials to log into mec.ca. Some of the credentials belonged to members and so the bot was successful at logging into 2,335 member online accounts. The breach was discovered on August 1, 2019 through log reviews by the Organization’s ecommerce team.
P2019-ND-207

Independent Counselling Enterprises Inc.

On August 13, 2019, a support worker was in possession of a document that contained the information at issue. The document was left in an envelope in the worker’s vehicle. The vehicle was subsequently broken into and the envelope and the document were stolen from the vehicle. The incident was discovered the same day.
P2019-ND-206

91911712 Canada Inc., dba Mortgage Alliance “Mortgages Are Marvellous”

On July 22, 2019, the personal information at issue was made visible in a closed Facebook group that was set up for mortgage broker business and underwriting tips. A single picture showing 9 documents was posted for about 15 minutes, before being withdrawn. The incident was discovered on August 20, 2019 after a third party provided a screen capture of the information to the Real Estate Council of Alberta.
P2019-ND-205

HomeStars, Inc.

On September 30, 2019, the Organization discovered unauthorized activity that may have resulted in unauthorized access to one of the Organization’s servers. The Organization’s investigation determined that the unauthorized activity began on September 28, 2019 and continued at least until October 2, 2019. The incident occurred as a result of the unauthorized user exploiting a vulnerability in an open source data structure store, which was then used to access the affected underlying staging server by …
P2019-ND-204

McNeill, Lalonde & Associates

On February 25, 2019, the Organization learned that an employee had been charged with fraud. The Organization reported it is “…concerned that the [employee] improperly collected, used and/or disclosed certain personal information that in the course of her employment”. The Organization reported it does not know if any personal information of three Alberta-based employees was compromised, but it has evidence that a Vancouver-based employee’s personal information was compromised.
P2019-ND-203

Zedi Canada Inc.

The Organization engaged a tax consulting service provider. The Organization reported that, on February 27, 2019, its service provider determined that a former employee had surreptitiously and unlawfully downloaded data, some of which contained confidential information on the Organization’s current and former employees, to a remote server during his short-term employment from January 28, 2019 to February 20, 2019. The service provider informed the Organization about the breach on March 14, 2019. The service provider’s former …
P2019-ND-202

Heart and Stroke Foundation of Canada

On February 4, 2019, it was brought to a user’s attention that the user’s email account had been used to send emails that appeared to be suspicious. Internal IT and outside consultants determined that someone unknown had accessed the user’s email account and used it to send emails with a fraudulent purpose. No evidence of data exfiltration or any other access to the Organization’s resources was found. The investigation revealed a number of suspicious logins …
P2019-ND-201

ABCU Credit Union Ltd.

On March 7, 2019, the Organization mailed a draft to an address in Toronto. On March 15, 2019, the Organization was informed an envelope containing the draft was found in the back of a courtesy vehicle returned to a dealer in Alberta. The Organization retrieved the envelope and found it had been torn open, although it contained the draft that was mailed. The Organization has confirmed that the envelope was addressed correctly, and does not …
P2019-ND-200

Moodys Gartner Tax Law LLP

In the early morning hours of April 22, 2019, thieves entered the Organization’s office building in Calgary and stole a number of items. On April 23, 2019, an assistant who had been absent on April 22, discovered that a duffel bag containing some personal tax information for a client was missing. A search of the office failed to locate the duffel bag.
P2019-ND-199

SGI Canada Insurance Services Ltd.

On April 3, 2019 a customer of the Organization met with an adjuster from an independent adjusting firm, to provide a statement regarding an auto insurance claim file. The Organization engaged the services of an independent adjuster for this task. On April 9, 2019 the independent adjuster had her vehicle parked at a business in Calgary. The vehicle was broken into and her briefcase was stolen from the locked trunk of the car, either on …
P2019-ND-198

Citrix Systems Canada Inc.

On March 6, 2019, the FBI informed the Organization that the FBI had reason to believe that international cyber criminals gained access to the Organization’s internal network. The Organization believes that the cyber criminals had intermittent network access between October 13, 2018 and March 8, 2019, and that they removed files from the Organization’s internal systems during that time period.
P2019-ND-197

SNC-Lavalin Inc.

On September 3, 2019, the Organization discovered that an unknown and unauthorized third party had tried accessing user accounts on August 19, August 27 and September 3, and had gained access to the mailbox of one employee, which contained personal information. The Organization reported “Although we cannot be completely certain that the content of the mailbox has been duplicated or exfiltrated, the attacker had the time and the means to do it”. The breach was …
P2019-ND-196

Young Women’s Christian Association of Banff

On March 30, 2019, a client’s file was lost after a staff member was updating the file. The Organization believes the file may have been shredded or recycled along with other papers that were discarded on the same date. The breach was discovered on April 10, 2019 when the Manager of Programs and Services was updating department statistics and could not find the file.
P2019-ND-195

Lancaster Archery Supply, Inc.

On April 3, 2019, the Organization became aware that certain payment card information used at www.lancasterarchery.com and www.lancasterarcherydealer.com may have been compromised from July 4, 2018 through February 8, 2019, February 11, 2019 through February 14, 2019, and on February 16, 2019. The incident was discovered when the Organization received a report of unusual card activity from its credit card processor.
P2019-ND-194

Standard Nutrition Canada Co., owned by Sollio Agriculture, a division of La Coop federee

On April 6, 2019, an employee’s email account was accessed by an unauthorized individual through a phishing scam asking for login credentials. The email account was then used to send similar phishing messages to other employee accounts on April 9, 2019. As a result, two other employee email accounts were accessed by an unauthorized individual. These accounts were blocked quickly enough they were not used to send phishing messages. Only one of the email accounts …
P2019-ND-193

Vitalize, LLC

In February 2019, the Organization became aware of a data security incident involving unauthorized access to its systems. The Organization’s investigation traced the unauthorized activity to a phishing email received in July 2018. The investigation also determined that some data was removed from the Organization’s systems, but the nature of the files taken is unknown.
P2019-ND-192

Tacony Corporation

On March 12, 2019, the Organization confirmed that code inserted into its online store, www.amazingdesigns.com, was capable of capturing customer payment card information entered between June 7, 2018 and February 4, 2019. The code was removed.
P2019-ND-191

Emco Corporation

On February 27, 2019, the email account of an employee was accessed by an unauthorized individual. The employee’s password was changed (by the employee) on February 28, 2019 and the account was not re-accessed by any unauthorized individual thereafter. The Organization has no knowledge of any of the employee’s emails having been accessed and it is not clear whether the unauthorized individual did anything in the account. On March 19, 2019, the email account of …
P2019-ND-190

Cervus Equipment Corporation

On February 8, 2019, the Organization was alerted to a potential unauthorized breach of an employee’s email account. An unidentified third party enabled an email forwarding rule, which enabled incoming mail to be surreptitiously forwarded to the unauthorized party’s email account between the period of November 12, 2018 – February 8, 2019. A portion of the emails that are believed to have been forwarded contained personal information belonging to a number of current and former …
P2019-ND-189

Haws Corporation

On March 1, the Organization experienced a ransomware attack. The breach was discovered the same day when employees were unable to access their systems. The Organization immediately engaged computer experts to determine what the impact was to the system and to negotiate with the threat actor. A forensic investigation was completed on or about March 26, 2019, but was unable to conclude whether sensitive personal information was accessed by the threat actor.
P2019-ND-188

Teck Resources Limited

On March 20, 2019, the Organization was advised by a job candidate that he was able to access not only his online profile but also an internal document which included recruiter notes from his own interview as well as interview notes for others. The incident occurred sometime between February 20, 2019 and March 20, 2019. The breach was due to human error. A recruiter scanned six sets of interview notes and a resume, saved them …
P2019-ND-187

Microsoft Corporation

On March 30, 2019, the Organization received an external report about a person online selling access to the Organization’s consumer Outlook.com email accounts. The Organization investigated and confirmed that the seller was providing valid credentialed access to an internal support tool. The credentials were from a call centre support supervisor who worked for the Moroccan office of a company providing customer support services to the Organization. The supervisor had, against policy, given credentialed access directly …
P2019-ND-186

Servus Credit Union Ltd.

On August 1, 2019, an unauthorized individual was able to successfully access a member’s account. The incident occurred when online banking access was granted over the phone via poor authentication practice by an agent of the Organization, contrary to posted policy. The incident was discovered on August 2, 2019 when the unauthorized individual contacted the Organization again and spoke to a different agent who refused access, cancelled online banking, and contacted Corporate Security. The breach …
P2019-ND-185

Trusted Tours & Attractions, LLC

On June 25, 2019, the Organization investigated after being alerted to potential fraudulent activity occurring on payment cards that were used on its website, trustedtours.com. The investigation found that an unauthorized person added unauthorized code on the website so that payment card information entered by purchasers was copied and sent to an external location. The unauthorized code was present and active on the site between March 24, 2019 and June 27, 2019.
P2019-ND-184

Dawn Food Products (Canada) Ltd.

In or around September 2018, an outside individual sent emails to a few of the Organization’s employees soliciting their login information to the Organization’s email system. The individual appears to have been able to use the login information to gain unauthorized access to the employees’ mailboxes. On approximately April 5, 2019, the Organization determined that these mailboxes contained certain information about a limited number of employees, customers and other individuals, and investigated further to confirm …
P2019-ND-183

Fossil Group, Inc.

The Organization reported it believes an unauthorized third party placed malicious code on its Misfit.com website, enabling an unauthorized party to obtain certain information pertaining to website users. The Organization reported the breach occurred on May 14, 2019. It was discovered on June 18, 2019 by a security researcher who alerted the Organization that an unauthorized third party may have obtained certain information pertaining to website users.
P2019-ND-182

Children’s Wish Foundation of Canada

On May 6, 2019, an HR employee clicked a malicious link included in an email asking her to modify her Office365 password. The employee immediately alerted the Organization’s IT department and changed her password. No abnormal activity was detected by the IT department until May 23, when it noticed the existence of an unauthorized log from Bulgaria dated May 1 and from Turkey dated May 3. The Organization investigated, contacted Microsoft and retained a forensic …
P2019-ND-181

Zynga Game Ireland Limited

On September 2, 2019, the Organization discovered that certain player account information may have been illegally accessed by outside hackers on or about August 31, 2019. The games, group of games, and data sources affected were: Draw Something (formerly OMGPOP); Poker; Games with Friends; and one additional table that is not tied to a particular game. The Organization does not believe that any financial information was accessed.
P2019-ND-180

Liberty Law

The Organization was acting as legal counsel in disciplinary hearings before a Professional College (College). On October 9, 2019, a lawyer with the Organization printed several hundred pages of records containing personal health information related to the disciplinary hearings. Due to a printing problem, a number of these documents were discarded in the Organization’s recycle bin, instead of the secure shredding box. On October 10, 2019, the Organization was advised by the College that an …
P2019-ND-179

Discovery Communications, LLC

The Organization uses a cloud-based platform to store and exchange certain corporate information. On March 9, 2019, it learned from a third party that certain folders stored in the platform had been shared by staff with external business partners in such a way that the folders and the files within the folders could potentially be accessed by other parties. The next morning, the Organization reconfigured the access settings to these folders to remediate the issue. …
P2019-ND-178

Zero Technologies, LLC d/b/a Zero Water

The Organization received a report of unusual card activity from its credit card processor. The Organization investigated, and determined that a vulnerability existed on its website that would permit access to certain customer payment card information if the vulnerability was exploited. On or around May 24, 2019, the investigation determined that there was evidence that the vulnerability was exploited and that there was unauthorized access to payment card information.
P2019-ND-177

The Great-West Life Assurance Company

On March 27, 2019, due to an administrative error, a group plan member received a mailed letter addressed to him, which also contained a copy of a letter intended for a different member. The unintended recipient and the affected individual are co-workers who are members of the same group plan. The letter received by the unintended recipient contained information regarding the affected individual’s application for short term disability benefits. The breach was discovered on April …
P2019-ND-176

Conde Nast

Between April 14, 2019, and April 17, 2019, an unauthorized person(s) gained access to certain systems of the third-party vendor that maintains and operates certain subscription pages for the Organization and was able to modify certain subscription pages to acquire transaction information. The Organization first learned of a potential incident on April 17, 2019, when a third-party provider of advertising services informed it that there was a policy violation/malvertising on a subscription page. The vulnerabilities …
P2019-ND-175

A.T. Cross Company

In May 2019, the Organization received reports from certain customers that the checkout page of its website was behaving abnormally. On or around June 3, 2019, an investigation confirmed that information provided for purchases on the website between May 9 and May 14, 2019 was potentially subject to unauthorized acquisition.
P2019-ND-174

Servus Credit Union Ltd.

On June 18, 2019, an impersonator was able to successfully access a member’s account by successfully answering authentication questions from two (2) different call centre agents. The breach was discovered the same day when the actual member contacted the Organization regarding an unauthorized e-transfer and spoke to the call centre agent who had just reset online access for the impersonator.
P2019-ND-173

EMC Business Solutions LLP

On February 23, 2019, the Organization learned that it was the victim of a malware attack on its ecommerce website. An investigation determined that a keylogger was installed from January 10 to February 23, 2019. During this period, the keylogger had the ability to capture all keystrokes entered by individuals completing a transaction on the website. The incident was discovered on February 21, 2019, when the Organization’s IT discovered evidence of a malicious URL. The …
P2019-ND-172

HP Restaurant Group

On or about April 5, 2019, the Organization was notified of suspicious activity regarding its online payment processing platform. On or about April 29, 2019, an investigation determined it was possible that customer credit and debit card information for transactions that occurred on the Organization’s ecommerce gift card website since 2011 may have been subject to unauthorized access and/or acquisition.
P2019-ND-171

American Rental Association

On March 19, 2019, the Organization discovered that between the period of June 14, 2018 and March 19, 2019, malicious code was present on its website that scraped certain personal information from the site. The breach was discovered when an outside source reported an irregularity to the Organization.
P2019-ND-170

National Wildlife Federation

On or about April 25, 2019, the Organization identified signs that a back-end database hosted by a third-party vendor that contained customer information was accessed without authorization. The Organization’s investigation found the back-end database was accessed on or around January 3, 2019. The database involved was used to maintain customer information to assist with processing of payments and fulfilment of customer orders.
P2019-ND-169

Premiere Suites

On or around May 30, 2019, one of the Organization’s laptop computers was stolen. Despite company policy to the contrary, credit card information was stored on the hard drive. As a result, the data contained on the hard drive might have been accessible to the public. The incident was reported on May 31, 2019, and the account was frozen early in the morning of Saturday, June 1.
P2019-ND-168

T3 Micro, Inc.

On or about March 14, 2019, the Organization began investigating suspicious activity occurring on its online ecommerce website. On May 03, 2019, the investigation determined that the Organization was the victim of a cyber-attack that may have resulted in a compromise to some of its customers’ credit and debit cards used to make purchases on its ecommerce website between July 13, 2018 and March 17, 2019.
P2019-ND-167

eHarmony, Inc.

On May 21, 2019 an analyst with the Organization was monitoring social media and found a YouTube video that had been uploaded by an unknown third party and which displayed a list of the Organization’s accounts. In the YouTube video, the third party is seen to be advertising a software tool that is used to test lists of user account credentials, in order to identify accounts susceptible to being compromised. The Organization commenced an internal …
P2019-ND-166

Canadian Tire Corporation

The Organization reported that a threat actor used credentials compromised in previous breaches from unrelated third party companies to gain access to accounts of users who use the same credentials with the Organization. The breach occurred between May 17 – 27, 2019, and was discovered on May 17, 2019 when IT Security identified unusual activity occurring on the Organization’s authentication API.
P2019-ND-165

Stuart Olson Inc., and its subsidiary Canem Systems Ltd.

On March 10, 2019, the Organization experienced an encrypted ransomware attack that affected access to a majority of the Organization’s IT systems and internal servers. The attacker demanded payment of a ransom in exchange for restored access to these systems. The incident was discovered the same day by staff investigating a help desk ticket related to email performance. The Organization’s investigation has not found any evidence to indicate there was any exfiltration of personal information, …
P2019-ND-164

Amsterdam Printing & Litho

On February 13, 2019, the Organization detected a possible security incident involving its website. On April 16, 2019, the investigation determined that payment card information for customers who used its website between February 1 and 13, 2019 may have been acquired without authorization.
P2019-ND-163

The Guarantee Company of North America

The Organization learned that on February 27, 2019, one of its employee email accounts was accessed by an unauthorized individual and used to send phishing emails from the account. The incident affected one email account, which was accessed for approximately five hours on February 27, 2019. No other employee accounts were affected. The cause of the incident was determined to be a phishing email that had been sent to the employee from a known and …
P2019-ND-162

IPC Investment Corporation

On May 2, 2019, an unauthorized sender caused a “phishing” email to be sent to email addresses from an Advisor’s contact list. The phishing email was written to trick recipients into providing payment in the form of Google Play cards. Responses were redirected to an alternate email and the owner of the account is not known. Some individuals who received the communication identified it as a phishing attempt and notified the Advisor’s office the same …
P2019-ND-161

Industrial Alliance Insurance and Financial Services Inc.

An employee of an agency of the Organization was the victim of a phishing incident in the fall of 2018. All the victims of this first incident resided in Quebec. After resetting his password, the employee inadvertently used his old password that had been the subject of the phishing incident. The hacker was again able to take control of the mailbox and had the opportunity to access all the emails in the employee’s mailbox and …
P2019-ND-160

Midnight Integrated Financial, Inc.

In early February 2019, an employee’s email account was compromised as a result of a phishing email. On March 1, 2019, the Organization’s external IT service provider emailed administration credentials to the employee that were then used by the unauthorized user on March 5, 2019 to delegate the inboxes of six (6) additional staff to the employee. The employee identified the issue and reported it to the Organization’s IT personnel. The inbox delegations were removed …
P2019-ND-159

RWH Travel Limited

On February 14, 2019, the Organization identified a security misconfiguration of an online portal used for internal administrative purposes. This resulted in some customer data potentially being accessible through online search engines when using specific search terms. The Organization estimates that the earliest date from which some elements of the data were unsecured was February 1, 2016. The data was secured on February 15, 2019. The Organization reported that log information indicates the data …
P2019-ND-158

The Living Desert

On February 4, 2019, a computer forensics firm hired by the Organization reported that a limited number of the Organization’s employee email accounts may have been accessed without authorization, and certain accounts may have contained personal information. On February 13, 2019, the Organization engaged a document review vendor to search the contents of those email accounts for personal information. On March 6, 2019, the Organization learned that information of seventeen Canadians (including 4 Albertans) was …
P2019-ND-157

SGI Canada, as reported by S.J. Kernaghan Adjusters Ltd.

On April 9, 2019, an employee’s vehicle was broken into and a briefcase was stolen from the trunk. The briefcase had an insurance claim file inside with personal information of the insured.
P2019-ND-156

Trackside Physical Therapy

On July 2, 2019, the Organization discovered that a power surge damaged the clinic’s hard drive which contained client personal information. The back-up in place was not sufficient to recover the data. On July 3, 2019, the Organization took the hard drive to a local data recovery lab. The lab indicated that the unit was damaged, preventing normal operation of the device but suggested recovery might be possible, but the hard drive had to be …
P2019-ND-155

Financeit Canada

On August 26 and 27, 2019, an unauthorized third party accessed the Organization’s systems. The Organization investigated and determined a hacker logged into a merchant account on the Organization’s platform using valid login credentials. The hacker was able to exploit a vulnerability allowing them to gain access to personal information relating to loan applications for other merchants. The hacker did this by creating a script to export the personal information from the platform through a …
P2019-ND-154

LinkedIn Ireland

In 2012, the Organization experienced an incident involving unauthorized access to and disclosure of some members’ passwords. At the time, the Organization believed that the hashed passwords of 15 million accounts may have been compromised. On May 18, 2016, the Organization became aware of the release of an additional set of data comprised of email addresses, member IDs, and hashed password combinations of more than 100 million members, which appeared to have been obtained from …
P2019-ND-153

Leduc Beaumont Family Physicians Group NPC

On June 7, 2017, an employee of the Organization emailed a memo to member physicians and their clinic managers (who are not the Organization’s employees) regarding a program change. The employee created the memo using a template. However, the employee did not realize that the template included several pages, and these other pages included the information about Organization staff salary increases. The incident was discovered when a recipient of the email notified the employee who …
P2019-ND-152

National Capital Poison Center

On October 21, 2017, the Organization discovered it had experienced a ransomware infection. The Organization’s investigation determined that unauthorized access to a database server occurred on October 21, 2017, and unauthorized access to the data stored on that server cannot be ruled out. The possibly affected database contains information that may have been provided during the Organization’s call centre calls.
P2019-ND-151

Primevest Equities Inc.

On July 28, 2017, the Organization was not able to access its file server. Later the same day, the Organization received an email saying that hackers had copied the Organization’s data and were demanding a ransom or the information would be released. The Organization disconnected the compromised server and contacted law enforcement. The file server contained mostly templates but did not contain client or employee data. The Organization reported “The concern would be if they …
P2019-ND-150

Mercedes-Benz Financial Services Canada Corporation

On or about December 18, 2017, it was determined that a box containing paper copies of credit applications and customer contracts had gone missing during shipping to another company. The Organization investigated, but was unable to locate the box.
P2019-ND-149

Loblaw Companies Ltd.

The Organization launched a new loyalty program on February 1, 2018. After the launch, the Organization identified suspicious spikes in traffic. The first attack noted was on February 14, 2018, followed by attacks on other ecommerce websites in March 2018 (PC Optimum, Joe Fresh and Digital Pharmacy). The Organization investigated, and determined the PC Optimum website was targeted by automated bots in an attempt to authenticate members’ login credentials (i.e. email address and password) and …
P2019-ND-148

Grant Thornton Limited

On or about December 4, 2017, an employee of the Organization printed counselling documents prior to a session with clients. When collecting the documents from the printer, the employee inadvertently picked up additional pages containing the personal information of two other individuals, and stapled these additional pages together with the counselling documents and provided them to the clients. The two documents, comprising three pieces of paper, included the personal information at issue. The clients who …
P2019-ND-147

KARO Dental Care

The Organization rents a storage locker to store inactive patient files and archived accounting records. Between March 5-6, 2018, “The locker was broken in to and some of the records were stolen. One 4 drawer filing cabinet full along with 10 – 15 banker boxes, both full of archived records. The exact volume is difficult to determine.” The incident was discovered on March 6, 2018.
P2019-ND-146

Tina Cowan, Counseling Services, Registered Provisional Psychologist, Alberta

On November 29, 2017, the Organization found that a briefcase and cellphone had been stolen from a shared office space. The stolen briefcase contained 5 paper-based client files (for 8 individuals), a binder containing paper-based supervision notes (for 53 individuals), and a paper-based notebook that contained contact information and hourly rate session fee (for 74 clients). The cell phone did not have any access controls.
P2019-ND-145

North American Title Company

On May 5, 2017, the Organization’s chief security officer received a spam email from another employee’s email. The Organization investigated and determined that a phishing incident occurred and that there was potential unauthorized access to information contained within an employee’s emails. The unauthorized third party may have had access to the employee’s email account from February 9, 2017 to February 15, 2017 and used the account to send spam emails. Although the Organization did not …
P2019-ND-144

Calder Bateman Communications Ltd.

The Organization runs all aspects of the Caritas Dream life Lottery on behalf of the Covenant Foundation. On June 1, 2017, the Organization’s service provider, Pixel Army, discovered malware affected its system performance. The incident appears to be related to an earlier breach for which certain vulnerabilities remained undetected and unaddressed. The vulnerability affected transactions conducted through the Organization’s website between February 9 and 22, 2017. The Organization and its service provider took steps to …
P2019-ND-143

Calder Bateman Communications Ltd.

The Organization runs all aspects of the Full House Lottery on behalf of hospital foundations. On May 2, 2017, the Organization’s service provider discovered that system performance was affected by malware. This new incident related to an earlier incident, for which certain vulnerabilities remained undetected and therefore unaddressed. The vulnerability affected transactions conducted through the Organization’s website between February 23 and May 2, 2017. The Organization suspended all transactions, and worked with a cybersecurity company …
P2019-ND-142

Calder Bateman Communications Ltd.

The Organization runs all aspects of the Full House Lottery on behalf of hospital foundations. On February 22, 2017, the Organization’s service provider, Pixel Army, discovered that an unauthorized party remotely accessed its website on February 9, 2017 and installed malware aimed at capturing the personal information of individuals using the Organization’s website. The Organization contracted a cybersecurity firm to investigate the incident in cooperation with the service provider that was maintaining the website. The …
P2019-ND-141

Community Options: A Society for Children and Families

On November 1, 2018, a car belonging to one of the Organization’s teachers was broken into and a file case was taken. The breach was discovered the same day.
P2019-ND-140

The Children’s Cottage Society of Calgary

On February 5, 2019, a (now former) employee of the Organization emailed the information at issue to her personal email address. The employee had authorized access to the information during her employment. The incident was discovered on February 13, 2019, when another employee was reviewing the former employee’s emails and found confidential information had been sent to the former employee’s personal email address.
P2019-ND-139

AeroGrow International, Inc.

On March 4, 2019, the Organization learned that an unauthorized person may have acquired, through the use of malicious code, the payment card information that users entered into the e-commerce vendor’s payment page. It is believed the code was present on the website from October 29, 2018 through March 04, 2019. The incident was discovered on March 4, 2019, upon a review of payment card handling practices.
P2019-ND-138

University of Mary

On January 30, 2019, the Organization concluded an investigation concerning suspected unauthorized access to an employee’s email account. The Organization reported the breach occurred on August 15, 2018 and ended on August 20, 2018, when steps were taken to secure the account. The Organization conducted a preliminary investigation at the time, but was unable to determine which emails or attachments may have been viewed in the account. The Organization recently began a new investigation with …
P2019-ND-137

TransCanada Credit Union Ltd.

A former employee, without authorization, electronically transferred funds from lines of credit, loans and/or members’ savings accounts to external bank accounts controlled by the employee and/or the employee’s family members. In addition to unauthorized access and use of personal information on the Organization’s information technology systems, four physical files relating to four individual members affected by the scheme cannot be located and are suspected to have been taken or destroyed by the employee. The breach …
P2019-ND-136

TGS Canada Corp.

On February 26, 2019, the Organization was advised by one of its vendors of a security incident and that some of the vendor’s data may have been stolen. On February 28, 2019, the vendor confirmed to the Organization that a former employee had stolen certain data from the vendor’s computer network. It remained unknown to the Organization at that time whether the Organization’s data was among the data stolen by the former employee. On March …
P2019-ND-135

CI Investments Inc.

Clients of the Organization are able to specify documents they wish to be able to access electronically through an online portal. On September 6, 2018, the Organization found that, as of November 21, 2017, the address update function for the online portal did not update the systems relied upon to send out client documents. As a result, clients who submitted an address update through the online portal on and after November 21, 2017 were sent tax …
P2019-ND-134

Kathmandu (U.K) Limited, Kathmandu Limited, and Kathmandu Pty Limited

On or about February 21, 2019, the Organization became aware that an unidentified third party gained unauthorized access to its website between January 8, 2019 and February 12, 2019. During this process, the third party may have captured customer personal information and payment details entered at check-out for potential fraudulent use.
P2019-ND-133

IQ Insurance Services, Inc.

On February 21, 2019, the information at issue was emailed to the wrong email address. The employee who sent the email discovered the error immediately after sending.
P2019-ND-132

Vecova Centre for Disability Services and Research

On January 12, 2019, between approximately 11:30 a.m. – 12:00 p.m., a laptop used by a physiotherapist was stolen from an office accessed through a classroom within the Organization’s Calgary premises. The laptop contained the files for three program participants. The files were stored on the desktop of the laptop which was not encrypted. The laptop also contained information on an encrypted server/drive relating to an additional 85 participants and their parents/guardians. The incident was …
P2019-ND-131

The Manufacturers Life Insurance Company

On November 14, 2018, a paramedical examiner’s vehicle in Calgary was broken into and some personal items were stolen along with paramedical work orders. The Organization was notified of the breach on December 12, 2018 by its third party vendor.
P2019-ND-130

Alberta Medical Association

On November 22, 2017, the Organization’s Calgary office was broken into and a number of items were stolen, including 17 laptop computers and a notebook containing some work-related information. Three of the laptops were not encrypted, but only one had personal information stored on it (first name and last name, zone the individual worked in, and business email address). A paper document was posted by a desk and listed personal contact information for a number …
P2019-ND-129

Solara Condominium Corporation

An Executive member of the Organization’s board was provided with a USB drive which contained confidential owner information. On April 17, 2018, the Organization discovered that when the member ceased to hold the role on the Board, the USB stick was not returned. The Organization reported that the loss was discovered when “…the former Executive member’s husband sent an email to the current Board confirming [the former member] still possessed the USB drive which contained information …
P2019-ND-128

Equifax

On July 29, 2017, the Organization’s security team observed suspicious network traffic relating to its Online Dispute web application. The security team immediately blocked a range of IP addresses believed to be associated with the suspicious traffic and investigated. On July 30, 2017, the Organization identified additional suspicious traffic and took the web application offline. The incident occurred between May 13, 2017 and July 30, 2017.
P2019-ND-127

Luxury Hotels International of Canada, ULC, a wholly owned subsidiary of Marriott International, Inc., the primary operating company for Canadian hotels.

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. In its report of the incident, the Organization said “Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.” In its …
P2019-ND-126

Calgary Science Centre Society

On November 6, 2018, an employee of the Organization logged in to their email account from a remote location using an apparently insecure public WIFI hotspot. The employee’s log-in information (username and password) were intercepted by an unauthorized third party. The user’s log-in credentials were subsequently used on more than one occasion by the unauthorized third party to gain access to and manipulate the user’s email address and file folder systems, including requesting a change …
P2019-ND-125

GS1 US, Inc.

On October 1, 2018, an internal investigation revealed suspected malicious code on the Organization’s systems. The suspected malicious code may have had the ability to access and acquire information as it was entered onto the payment transaction form used by the Organization’s online store. The potential incident occurred between approximately July 7, 2017 and October 2, 2018. The Organization cannot confirm that any individual customer’s information was in fact involved in the potential incident.
P2019-ND-124

Alberta College and Association of Opticians

On December 18, 2018, the Organization’s server and system was hacked and infected with ransomware. The breach was discovered the same day.
P2019-ND-123

ATB Financial

On December 12, 2018, a team member’s home was broken into and a work laptop bag was stolen. The bag contained customer information, an Organization laptop, and some personal belongings. The laptop was encrypted and has screen lock. The certificate for the laptop was revoked to prevent authentication or wireless connectivity to the Organization’s network. The breach was discovered the same day when the team member noticed that the items were missing.
P2019-ND-122

The Topps Company, Inc.

On December 26, 2018, the Organization became aware of possible unauthorized access to the www.topps.com website. On January 10, 2019, the Organization’s investigation confirmed that an unauthorized third party placed malicious code at the website, which may have resulted in access to or acquisition of payment card and other information that customers provided when placing orders through the website between November 19, 2018 and January 9, 2019.
P2019-ND-121

Longbow Capital Inc.

On September 11, 2018, an employee completed a fraudulent web-form based on an email which appeared to be from a trusted party. The information provided by the employee allowed a malicious actor to change the email account settings for that employee to activate forwarding of all incoming email. The incident was discovered on December 3, 2018, when an IT consultant identified the unauthorized forwarding email address during a routine review of spam reports.
P2019-ND-120

Proline Pipe Equipment Inc.

On December 6, 2018, a former employee’s Record of Employment was erroneously emailed to approximately 50 fellow employees. An employee of the Organization notified management the same day.
P2019-ND-119

Intuit Canada ULC

The Organization engaged a local accounting firm to prepare and mail out amended T4 statements. The mail-out took place on January 4, 2019. On January 10, 2019, the Organization learned that some of the amended T4 statements may have been sent to old mailing addresses. The concern was first identified by an employee who discovered that his amended statement was delivered to his old mailing address.
P2019-ND-118

1873349 Ontario, Inc.

The Organization received information from a third party indicating that common point of purchase data suggested a potential issue with its website, www.1800Flowers.ca. On October 30, 2018, the Organization’s investigation identified unauthorized access to payment card data from cards used to make purchases on the website from August 15, 2014 to September 15, 2018. The Organization reported the breach occurred June 1, 2016 and ended September 15, 2018.
P2019-ND-117

Kahane Law Office

The Organization reported that, on August 8, 2018, “An individual accessed metadata in a document that included personal addresses and financial information”. The incident was discovered November 14, 2018 when the individual who accessed the metadata contacted the affected individual directly.
P2019-ND-116

Repsol Oil & Gas Canada Inc.

On October 25, 2018 an unknown male gained access to the Organization’s Calgary office. The trespasser accessed the mailroom for approximately 2 hours, leaving with a number of envelopes and miscellaneous items. The incident was discovered the next morning and reported to law enforcement.
P2019-ND-115

500px Inc.

On February 8, 2019, the Organization became aware that someone was offering to sell the Organization’s user data on the dark web. A sample of user account data provided appeared to be genuine. That same day, the Organization’s engineering team confirmed a potential security issue affecting approximately 14.8 million 500px user accounts. Based on its investigation, the Organization believes that an unauthorized party gained access to its systems and acquired certain user data on approximately …
P2019-ND-114

ATB Financial Winfield Agency

On March 8, 2019 at approximately 3:30 am the Organization experienced a break-in and a safe was stolen. The information at issue was stored within the safe. The safe was recovered, but was empty. None of the safe’s contents have been recovered.
P2019-ND-113

Global Knowledge Network (Canada) Inc.

On or about February 20, 2019, an employee printed and mailed out T4A forms to course instructors for tax purposes. Each printed page included one individual’s T4A form on half of the document and the T4A form of another individual on the other half. Two copies of each printed page were mistakenly mailed to one of the individuals identified within the document. As a result, recipients may have received one or two copies of a …
P2019-ND-112

The Great-West Life Assurance Company

On September 11, 2018, due to an administrative error, a demand letter for overpayment of disability benefits under a group plan was mailed to the wrong address. The letter was mailed by registered mail and the Organization obtained the signature of the unintended recipient on the delivery confirmation. The breach was discovered on October 19, 2018, when, while verifying whether the demand letter was signed for to determine next steps, the staff noticed that the …
P2019-ND-111

Imperial Oil Limited

On December 21, 2018 a fitness for work form was emailed in error to an internal employee with the same last name as the intended recipient. The employee that the form was emailed to in error emailed the sender after hours December 21, 2018 advising that the email should not have come to her. The sender did not see the email until January 7, 2019 due to vacation. On January 7, 2019 when the sender …
P2019-ND-110

Best Buy Canada Ltd.

On or around December 22, 2018, the computer of an Alberta customer was sent to the Organization’s British Columbia Service Centre for a diagnosis repair. The technicians were unable to repair the computer and returned it to the Alberta store. The Organization reported that the hard drive of the computer was packed separately and placed in a box with the computer at the time of shipping (on or around January 10, 2019). The box was …
P2019-ND-109

The Helicopter Association of Canada

On September 18, 2018, an unidentified party gained access to an employee’s email account. The unidentified party applied a forwarding rule and copied the contents of the employee’s email account. The cause of the incident is a phishing email containing a malicious link that was received by the employee. The breach was discovered on October 11, 2018, when the employee sent an internal email to her assistant and received a bounce back message stating that …
P2019-ND-108

Crawford & Company (Canada) Inc.

On December 19, 2018, an informational email was sent to advise interested parties about upcoming workshops being offered in relation to a class action settlement for the Schools for the Deaf. Due to employee error, the recipient email addresses were inadvertently included in the “To” field of the email resulting in the email addresses being visible to recipients. The breach was discovered the same day.
P2019-ND-107

Midwest Surveys Inc.

On November 9, 2018, the Organization implemented a mail merge to send employees their options for their WSA registration. After starting the mail merge, the Organization immediately received some responses from employees indicating they received someone else’s information. The merge was cancelled and attempts were made to recall the emails; however, this was not successful.
P2019-ND-106

BEL USA LLC

On November 16, 2018, the Organization discovered that an unauthorized change had been made to its DiscountMugs.com website. The Organization investigated, and learned that unauthorized code was inserted into the shopping cart page designed to collect information customers entered on that page. On December 20, 2018, the investigation determined that orders placed by credit or debit cards between August 5, 2018 and November 16, 2018, may have been impacted by the unauthorized code.
P2019-ND-105

Welk Resort Group

On or around August 2, 2018, the Organization learned of unusual activity related to an employee email account and immediately began an investigation to confirm the security of its network and determine the nature and scope of this event. The Organization learned that an unauthorized actor(s) was able to gain access to the employee’s email account. Based upon available forensic evidence, the email account was subject to unauthorized access between July 24, 2018 and August …
P2019-ND-104

Data Facts, Inc.

On November 5, 2018, the Organization learned that an employee’s email account was accessed by an unknown party. That account contained personally identifiable information provided by clients for the purpose of conducting background checks. The Organization reported it has no evidence to suggest that private information was misused; however, “…the possibility that emails and/or attachments in the account were viewed by the unauthorized party could not be ruled out”. On December 7, 2018, the Organization’s …
P2019-ND-103

North 40 Outfitters

On or about November 8, 2018, the Organization identified suspicious activity regarding its online payment processing platform. On or about December 14, 2018, the Organization’s forensic investigation determined that customer credit and debit card information for transactions that occurred on its e-commerce website between February 2, 2018 and November 20, 2018 may have been subject to unauthorized access and/or acquisition.
P2019-ND-102

United Active Living Inc.

On February 26, 2019, a staff member was emailing information about rent breakdowns to residents/family members. The staff member inadvertently sent an email to two families that included attachments with information about other residents. The breach was discovered on February 27, 2019 when one of the recipients contacted the Organization.
P2019-ND-101

The Brenda Strafford Foundation Ltd.

On February 5, 2019, a ransomware virus was introduced into the Organization’s network. The virus encrypted the main hosts, VMs and Primary backup store. The virus was not detected and due to the nature of the virus, logs were also lost due to encryption. The breach was discovered the same day due to performance changes to systems and detection of ransomware encryption notes.
P2019-ND-100

The Empire Life Insurance Company

On January 29, 2019, the Organization sent a package containing 225 investment statements for 100 customers, via courier, to the office of a financial advisor. The package was left on the advisor’s doorstep as there was no tracking number or signature required.
P2019-ND-099

RGF Integrated Wealth Management Ltd.

On February 7, 2019, the Organization discovered that an Advisor’s online account credentials had been compromised, resulting in unauthorized access to their email account. As a result, phishing emails (which appeared to come from the Advisor) were sent to 8 Alberta residents. The emails included links which ultimately, requested the recipient to enter their email credentials. The unauthorized user may have been able to access the contents of the Advisor’s email account. The email account …
P2019-ND-098

London Drugs Limited

On around March 13, 2018, a customer notified the Organization that she found data on her hard drive belonging to another customer. The customer notified the other customer directly about the data disclosure. Both customers had brought their computers to the Organization for servicing. The Organization is investigating, but suspects that when the service technician copied the data over to the store’s encrypted hard drive for storage, he failed to subsequently clear data off the …
P2019-ND-097

C.L.C. Donald Wellness Group o/a Forward Psychology and Wellness Group

On or around November 23, 2018, a laptop computer and other items were stolen from a vehicle belonging to the owner of the organization. The laptop was password protected; there was no encryption or other security measures. An email account was accessible via the laptop and did not require a password in order to gain access. The email account contained communications with the information at issue. The Organization initially reported that it believed the thieves …
P2019-ND-096

Shafik Hirani’s Private Wealth Management Practice of Aligned Capital Partners

An employee left his cell phone at a sporting event the evening of December 9, 2018. Although client information was not saved on the cell phone, email communication between clients and the employee would have been retained for what the Organization believes to be a period of less than 2 weeks. The Organization used its email archiving system to analyze the content of all emails sent to and from the employee’s email address for that …
P2019-ND-095

Connect Society

On January 28, 2019, an emergency backpack with first aid kit and emergency information for preschoolers was accidentally left at the school playground. The teacher who left the backpack at the playground discovered it was missing the next day when she returned to the playground. She searched the area where she had left it and could not find it.
P2019-ND-094

Alberta Medical Association

Between February 4, 2019 and February 8, 2019, an employee was processing benefit cheques and corresponding benefit statements. Due to a duplexing error, some clients inadvertently received their own statement, as well as information related to another client. The incident was discovered on February 7, 2019, when a client emailed the Organization informing it of the error and requesting a new statement be issued. On February 8, 2019, another client left a voicemail message reporting …
P2019-ND-093

Entrust Disability Services, as reported by Box Clever

The Organization is a web design company. The Organization reported the following with respect to the website www.entrustdisabilityservices.ca: Issue #1: Directory Access Upon investigation of the issue, it was determined that between December 27, 2018 and January 11, 2019 a server misconfiguration allowed for directories on websites to be indexed. This created the potential for certain files to be accessed that should not have been. When this misconfiguration was discovered on January 11 it was …
P2019-ND-092

The Glencoe Club

On January 20, 2019, an employee took home rosters for children’s swimming lessons. The rosters were in a binder, the binder was in a bag, and the bag was left in the employee’s personal vehicle overnight. At some point over the course of the night the employee (and others) had their vehicle broken into and the bag was removed. The incident was discovered on January 21, 2019. The personal information has not been recovered.
P2019-ND-091

RSM Alberta LLP

On November 15, 2018, the Organization discovered that its Calgary office had been burglarized. The Organization investigated and determined that a hard drive was stolen during the burglary on or around November 11, 2018. The hard drive appears to have contained some electronic files relating to tax services the Organization provides to a handful of clients.
P2019-ND-090

Calgary French & International School

On January 28, 2019, the Organization mailed a T4 to a former employee. On January 30, 2019, the Organization received an email from the former employee stating that she had received, in a window envelope, what she believed to be her T4 for 2018. She reported that her Social Insurance Number (SIN) was visible to others because of the use of the window envelope. The former employee returned the envelope, unopened, to the Organization. The …
P2019-ND-089

Ascensia Diabetes Care Holdings AG

The Organization provides and operates an application for mobile devices to measure blood glucose level through a connected blood glucose meter. The application synchronizes data with the Organization’s servers in the cloud to allow customers to use their data with further mobile devices which are also synchronized with the servers. The Organization reported that “Penetration testing conducted on 16 October 2018 revealed a vulnerability as a consequence of which we cannot exclude that third parties …
P2019-ND-088

TeenSafe

For certain time periods between February 1, 2018 and May 19, 2018, personal information about users on the Organization’s application server was publicly accessible. Although the server was not generally known outside the Organization’s development team, the breach was identified by a reporter who was apparently looking for vulnerabilities in the Organization’s systems. The Organization was made aware of the issue on May 18, 2018. The Organization reported that it has no evidence that the …
P2019-ND-087

Bayer Inc. / Bayer AG

A SIRIUS file directory was created on May 4, 2018 by a service provider to the Organization. On June 11, 2018, the Organization was informed by a third party of a possible personal data breach with respect to the file directory, such that it was freely available on the internet. On June 12, 2018, the Organization notified the service provider of the breach, and access to the directory was closed. The directory logfiles showed two …
P2019-ND-086

Advantage Financial Services

On March 7, 2018, the Organization discovered that its offices had been broken into the previous night. The Organization determined that a number of items had been stolen, including a computer. The computer was password protected and the biometric facial reader was activated. There was a separate password to access the email application. The Organization stated it was highly unlikely that any personal information was stored locally on the computer and its internal investigation of …
P2019-ND-085

RevUp Group, LLC d/b/a RevUp Sports

On May 31, 2018, the Organization became aware that an unauthorized third part(ies) gained access to the Organization’s system and installed one or more files that may have collected personal information from customers who made credit card purchases via the Organization’s website. The Organization reported that it has not discovered any evidence indicating that the affected information was downloaded or exfiltrated from the Organization’s network, but the Organization has been unable to definitively rule out …
P2019-ND-084

WFG Dealer Connect, as reported by WFG Securities Inc.

On September 19, 2018, a trade document containing a client’s personal information along with redemption instructions was sent by fax from an advisor’s branch office in Alberta to the Organization. The document was intercepted at some point and the banking information initially provided was replaced and submitted directly to the fund company by fax for processing. This was an attempt to redirect funds to an unknown third party’s account with another bank. The breach was …
P2019-ND-083

Calgary French & International School

On November 20, 2018, a staff member accessed a report containing personal information on the Hour Zero’s school emergency program website. The Hour Zero program automatically sent an email to all staff notifying them that their personal information had been viewed. The incident was discovered on November 20, 2018 when the Organization’s Privacy Officer received an email alert from Hour Zero. The Hour Zero program has a pop-up that reads, “You are about to view …
P2019-ND-082

Tickets.Expert LLC

On September 26, 2018, the Organization was informed by its vendor that provides an add-on to websites (Shopper Approved), that the computer code Shopper Approved uses to facilitate customer reviews had been compromised. The vulnerability was patched and malicious code was immediately replaced, but there was a short period of time of potential exposure of personal information. The security problem was noticed by the vendor on September 15, 2018 and fixed on September 17, 2018. …
P2019-ND-081

Don Best Sports Corporation and DBS Canada Corporation, a subsidiary of Scientific Games Corporation

On December 21, 2018, during the course of conducting a cyber risk assessment of the Don Best network infrastructure prior to integrating that environment into the Organization’s network, the Organization discovered that, between October 12, 2018 and October 28, 2018, Don Best had been the subject of a malware attack that resulted in an unauthorized individual gaining access to a Don Best customer database. While the unauthorized user was able to view data, based on …
P2019-ND-080

The Japan Foundation – Toronto

On September 30, 2018, the Organization’s third-party website developer failed to save a portion of the back-end of the website as viewable by “admin only”, such that the page and a link were viewable by the public. At the time of the breach, there were 200 fake names included for the purpose of testing, but the list also included people who signed up for the test September 28, 2018. The Organization’s staff discovered the incident …
P2019-ND-079

Free Speech Systems, LLC

On November 13, 2018, the Organization discovered unauthorized code on its website. The unauthorized code was removed and an investigation was launched. An investigation determined that the unauthorized code was added by an unauthorized individual so that payment card information entered by purchasers on the e-commerce website was copied and sent to an unauthorized server. The code was added on November 12, 2018 and removed November 13, 2018.
P2019-ND-078

McKenzie Lake Community Association

On December 11, 2018, an employee took information for children in the Organization’s Before & After School program and transferred it from her company phone to her personal phone. The breach was discovered on January 9, 2019, when parents complained to the Organization as to why the employee was now sending emails from her personal email.
P2019-ND-077

The Canadian Kennel Club

On December 1, 2018, a former member of the Discipline Committee reported being able to access a discipline file following a search on the Organization’s public website. The Organization’s IT group determined that disciplinary, appeals and registration files could be accessed through the ‘search’ functionality on the public website. An investigation found that the breach occurred in June 2018 when the Organization implemented a new website and, due to human error, the accessibility settings were …
P2019-ND-076

Prudent Benefits Administration Services Inc.

The Organization is a third party administration firm and was creating portals for clients. During the process, the website was populated with the wrong certificate numbers which allowed some individuals to see personal information of a fellow union member. The incident occurred between December 27, 2018 and January 7, 2019. The incident was discovered on January 4, 2019 when a member contacted the Organization to report she accessed the portal and could see another person’s …
P2019-ND-075

Legal Aid Alberta

On September 27, 2018, a legal assistant with the Organization emailed documentation to the opposing party in a legal proceeding. Inadvertently, the email was also sent to another client who was not a party to the legal proceeding. Subsequent emails were sent using “reply all”, such that the unauthorized recipient continued to be copied on correspondence. On October 27, 2018, the unintended recipient contacted the lawyer on the file to ask that he not be …
P2019-ND-074

Kinsted Wealth

On January 23, 2019, a phishing email was sent to the Organization’s employees. One employee opened the email and, as a result, the attacker gained access to client information in that employee’s email contact file. The attacker then sent out phishing emails to a limited number of clients from the employee’s contact list.
P2019-ND-073

Kingdom Animalia d.b.a. Hourglass Cosmetics

After learning of a potential issue with its online e-commerce website, www.hourglasscosmetics.com, the Organization conducted an investigation. The investigation determined that, from approximately July 3, 2018 to January 30, 2019, unauthorized third parties had the ability to access information of customers who had made a purchase on the site.
P2019-ND-072

Rennline Automotive

The Organization operates the e-commerce store rennline.com. On January 18, 2019, the Organization discovered suspicious code on the website. An investigation determined that the unauthorized code was added by an unauthorized individual so that payment card information entered by purchasers on the e-commerce website was copied and sent to an unauthorized server. The code was active between May 28, 2018 and June 13, 2018, June 15, 2018 and July 12, 2018, July 20, 2018 and …
P2019-ND-071

Fearless Faith Inc.

On January 30, 2019, the Organization discovered that an unknown third party had obtained access to the Organization’s Drop Box account. The Organization investigated and determined that the unauthorized access may have begun on or about February 8, 2018.
P2019-ND-070

Nerval Corporation

On January 31, 2019, the Organization mailed out employee T4 slips. The program then emailed out a second set of emails to all employees, but included a co-worker’s T4. All T4s are secured with a password. The incident was discovered on February 1, 2019 when the Organization received an email from a former employee stating that they had received someone else’s T4.
P2019-ND-069

Advocate Sherman Hospital

In October 2018, the Organization received a letter from Bullhorn, Inc.’s Jobscience, one of the Organization’s former job application management and employee onboarding service providers, notifying the Organization of an incident. The Organization understands from Jobscience that on or around May 8, 2018, an unauthorized third party gained access to data contained on Jobscience’s server used to process employee application information and exfiltrated the database of one of Jobscience’s service applications. Jobscience learned about the …
P2019-ND-068

Midwest Surveys Inc.

On or about January 15, 2019 a staff member’s personal Gmail account was phished. The Organization reported the account “…likely contained [the employee’s] work password, they planted a pdf on the individual’s work OneDrive that they then shared out to some clients and employees in the address book. The second, third and fourth person opened the shared file and entered their user and password, their account was considered compromised at that point”. The Organization reported …
P2019-ND-067

Servus Credit Union Ltd.

On January 27 and January 28, 2019, an unauthorized individual was able to successfully access two different member’s accounts. The breaches occurred as a result of poor authentication practice, contrary to the Organization’s policy. The breaches resulted in a financial loss. The breaches were discovered on January 28 and 29, 2019 respectively when the unauthorized individual contacted the Organization and was unable to successfully complete authentication.
P2019-ND-066

Servus Credit Union Ltd.

On December 20, 2018, the Organization was notified that an unauthorized individual was able to successfully access a member’s account and update information on the account. The breach occurred as a result of poor authentication practice, contrary to the Organization’s policy. The affected individual suffered a financial loss. The incident was discovered on December 21, 2018, when the Organization contacted the actual member to confirm an outgoing e-transfer.
P2019-ND-065

Preferred Hotel Group

On June 6, 2017, the Organization was notified by its third party reservation service provider, Sabre Hospitality Solutions, that an unauthorized party gained access to the SynXis Central Reservations system. The service provider’s investigation found that the unauthorized party first obtained access to unencrypted payment card and other reservation information on August 10, 2016. The last access was on March 9, 2017.
P2019-ND-064

The International Council of Shopping Centers

On August 18, 2017, the Organization received a report regarding payment card activity that caused it to investigate and subsequently identify unauthorized computer code that was added to the code that operates the checkout page of the website at www.icsc.org. The Organization initially reported that the code may have been present and capable of capturing information entered during the checkout process from March 24, 2017 to August 18, 2017. Additional findings from the investigation indicate …
P2019-ND-063

Quarry Wealth Management Ltd. / Raintree Financial Solutions

On July 4, 2016, the Organization realized an employee’s email account had been breached, resulting in a phishing email sent to email addresses in the employee’s Outlook contacts. In addition a rule was set up in the Outlook account, which redirected all incoming emails to the deleted items folder. The incident is believed to have resulted when the employee clicked on a phishing email on November 20, 2015. As a result, the Organization suspects the …
P2019-ND-062

Carecana Management Corp.

On December 22, 2016, an email intended for an investor, and enclosing a Statement of Account, was sent to the wrong email address. The incident was the result of an administrative error. The error was discovered on January 5, 2017, when the intended recipient’s representative contacted the Organization to ask about the Statement of Account.
P2019-ND-061

Mayfield Management Group Ltd.

A break-in occurred at the Organization’s office sometime between October 15, 2016 and October 17, 2016. The theft was discovered on October 17. Files containing personal information about residents were stolen.
P2019-ND-060

Vistara Conway, Registered Psychologist

Between September 26 and September 27, 2018, a vehicle was stolen from a residence, along with personal items and a client file lock-box (with a combination lock type). The portable lock box contained client files with the information at issue. On October 5, 2018, police retrieved the stolen vehicle, but the lock box and personal belongings were missing. On October 12, 2018, a member of the public emailed the Organization to report they had the …
P2019-ND-059

HSBC InvestDirect, a division of HSBC Securities (Canada) Inc.

On April 3, 2018, a client contacted the Organization to complain that his T4RSP and annual report had been sent to the wrong address. The Organization discovered the client’s mailing address had been updated incorrectly on March 28, 2017. The Organization requested that the unauthorized recipient return the documents to the Organization or shred them and confirm with the Organization when he/she did so. However, the Organization did not obtain said confirmation. The information has …
P2019-ND-058

Canon Medical Systems Canada Limited

On April 30, 2018, and May 1, 2018, two employees notified the Organization that they had received letters mailed to their home addresses. The letters appeared to be from the Ontario government, in connection with “Ontario’s pay transparency legislation 2017”, and included a spreadsheet listing other employees’ personal information and a column comparing certain employees’ pay relative to other employees with the same title. The Organization investigated and found no evidence of any external intrusion …
P2019-ND-057

ACTIVE Network

The Organization provides a platform to host online registration and payment services for athletic races and similar events. In October 2017, the Organization became aware of suspicious activity on one of its systems through social media activity, customer complaints and reports from the card brands. The Organization investigated and determined the suspicious activity related to transactions manually keyed in by users while checking out on the Organization’s website, and that an unauthorized third party may have …
P2019-ND-056

Sun Life Assurance Company of Canada

On May 29, 2018, due to an administrative error, a group plan member was able to access another group member’s personal information by logging into the Organization’s mobile app or the secure member website. A member reported the incident to the Organization. The error occurred when assigning the group benefits plan member identification number. The incident affected 45 members; of these, 7 members had accessed the secure site on May 29, 2018.
P2019-ND-055

Westlake Chemical Corporation (formerly Westlake Management Services, Inc.)

On May 29, 2018, the Organization’s benefits provider (Sun Life Financial) informed the Organization that, due to an administrative error, a group plan member was able to access another group member’s personal information by logging into the benefit provider’s mobile app or the secure member website. The incident was discovered on May 29, 2018 when a member reported the breach to the benefits provider.
P2019-ND-054

SMS Equipments Inc.

On March 11, 2019, an external job candidate, who had been referred by a current employee, attended pre-employment drug and alcohol testing for a safety sensitive position. The candidate was unsuccessful. The hiring manager was notified that the candidate was unsuccessful. The hiring manager then spoke to the employee who referred the candidate and told him “that his friend failed the drug test”. The incident was discovered when the hiring manager contacted the recruiter to …
P2019-ND-053

Acquis Consulting Group, LLC

On November 12, 2018, the Organization discovered a potential security incident. An investigation found that an employee email account had been accessed by an unauthorized actor. The Organization reported the incident occurred between “June 30-June 2, 2018 [sic]”. On November 12, 2018, the Organization learned that certain personal information was contained in the email account. On December 8, 2018, the Organization found that the personal information of Albertans was potentially involved.
P2019-ND-052

Last Callum Corp.

The Organization reported the incident as follows: “Home break in, purse stolen with a notebook inside that had payroll information”. The breach occurred on December 19, 2018 and was discovered the same day.
P2019-ND-051

GoldSilver, LLC

On November 20, 2018, the Organization was alerted to a potential security incident in which an attacker demanded an extortion payment or he would release certain customer information obtained from the Organization’s systems. The investigation determined that an unauthorized person obtained access to a database containing certain customer records between September 28, 2018 and November 20, 2018.
P2019-ND-050

Servus Credit Union Ltd.

On December 18, 2018, an unauthorized individual was able to successfully access a member’s account. The incident occurred when online banking access was granted over the phone via poor authentication practice by an agent of the Organization, contrary to posted policy. The affected individual suffered a financial loss. The incident was discovered on December 19, 2018, when the unauthorized individual contacted the Organization again and spoke to a different agent who refused access and contacted Corporate …
P2019-ND-049

Steele’s Transfer Ltd. and Steele’s Total Logistics Ltd. o/s Steele’s Transportation Group

On November 18, 2018, the Organization discovered that it was the victim of a ransomware attack. The Organization retained third party computer forensic experts to investigate and assist with decryption. The investigation found that the threat actor’s activities were limited to encrypting files and that there was no evidence that any files were accessed, viewed or exfiltrated, with one exception: the threat actors clicked on an existing shortcut on November 18, 2018, which linked to …
P2019-ND-048

Tapestry Music Ltd.

In early and mid-December 2018, the Organization was notified by a few of its customers that their information had been accessed. On December 17, 2018, the Organization’s IT Consultant confirmed that it had discovered backdoors on the Organization’s website, www.tapestrymusic.com. The threat actors first gained access on September 15, 2017 by attacking plugins, which allowed access to the website and customer database.
P2019-ND-047

Oakhampton Court Corporation CDC1

The Organization reported that, during a Board meeting, an employee’s salary, benefits, WCB and medical information was discussed as part of assessing the employee’s continued employment. An individual, who was a Board member at the time of the meeting, shared the employee’s information with previous Board members, as well as the employee. The Organization said it warned the individual not to discuss “classified” information outside of the Organization’s current Board members. The Organization reported the …
P2019-ND-046

Petrowest Corporation, Petrowest GP Ltd., Petrowest Civil Services LP, Petrowest Construction LP, Petrowest Transportation LP, Petrowest Services Rentals LP, Petrowest Environmental Services LP, Trans Carrier Ltd. and CJM Trucking Ltd.

On or about February 22, 2018, the Organizations noted their systems had been infected with ransomware essentially making them unavailable/inaccessible. Malicious actors had access to the Organizations’ IT systems and data for about eight hours. All systems were backed up but the backup servers were also infected and there were no current off line backups. The mail server was not infected. However, the Organizations’ mail database was hosted on a file server which was infected, …
P2019-ND-045

Legal Aid Alberta

On November 2, 2015, an employee who was acting as duty counsel at the Courthouse had his tablet stolen. The information at issue was stored on the tablet. The Organization does not have any records indicating whether the tablet was encrypted; however, it said the practice at the time would have been to encrypt mobiles and laptop devices and have a strong password. The employee believes the device had encryption software. The breach was discovered …
P2019-ND-044

TALX Corporation and Honeywell International Inc., as reported by TALX Corporation

TALX Corporation provides certain payroll related services to Honeywell International Inc. which allows Honeywell’s employees to access electronic copies of T4 and RL-1 tax forms through an online portal website. On February 8, 2017, TALX Corporation discovered that one or more persons reset the PINs and accessed the online portal accounts of a small number of current and former Honeywell employees. The resets were unauthorized, and the unauthorized person(s) may have accessed any of the …
P2019-ND-043

GlaxoSmithKline Inc., ViiV Healthcare ULC, ID Biomedical Corporation of Quebec, and GlaxoSmithKline Consumer Healthcare Inc.

In May and November 2016, an Excel spreadsheet was distributed via email for the purpose of “conducting performance rating calibration meetings with people managers”. A hidden tab/sheet was inadvertently included in the spreadsheet. As a result, the recipients of the emails inadvertently received the personal information of employees for whom they were not the intended recipients. The incident was discovered when two recipients of the email discovered the hidden tab/sheet and logged incident reports on …
P2019-ND-042

GlaxoSmithKline Inc., ViiV Healthcare ULC, and ID Biomedical Corporation of Quebec

In May and November 2016, an Excel spreadsheet was distributed via email for the purpose of “conducting performance rating calibration meetings with people managers”. A hidden tab/sheet that contained the information at issue was inadvertently included in the spreadsheet. As a result, the recipients of the emails inadvertently received the personal information of employees for whom they were not the intended recipients. The incident was discovered when two recipients of the email discovered the hidden …
P2019-ND-041

Franklin Templeton Investments Corp.

On February 19, 2016, the Organization inadvertently mailed tax slips to investors at invalid addresses. The addresses had been identified by the Organization as invalid where mailings had been returned because the investor had moved and failed to notify the Organization, or the investor had provided an inaccurate or incomplete address. The incident was discovered on August 22, 2016.
P2019-ND-040

Confederation Park Little League

On February 18, 2017, a former volunteer of the Organization sent an email to the Organization’s members informing them of a new baseball program (i.e. a new program that is a competitor to the Organization). The Organization had allowed volunteers to use their personal email addresses for their volunteer work. The former volunteer had a spreadsheet containing the information at issue, and used this to email the members about the new program. The former volunteer …
P2019-ND-039

Newegg Inc.

On September 18, 2018, the Organization became aware of a potential security incident involving unauthorized code on its website. Based on its investigation, the Organization believes an unauthorized party gained access to its network using malicious software and then used that access to place unauthorized code on the Organization’s website that handles customer transactions. The unauthorized code was designed to capture customer order information as it was entered, bypassing other technical controls in place to …
P2019-ND-038

Dufferin Construction Company, a division of CRH Canada Group Inc.

On September 26, 2018, an employee of the Organization was searching for internal policies when he noticed he was able to access an electronic folder titled “Human Resources” in the Organization’s shared drive. The employee immediately notified a Human Resources manager, who contacted IT. The proper accesses were restored the same day. The Organization believes that the permission settings on the folder were inadvertently altered on August 8, 2018 when a new Human Resource employee …
P2019-ND-037

Goodlife Fitness Centres Inc.

The Organization was testing a new membership database which would send membership contracts by email, and on March 1, 2018 the first live delivery of contracts to actual members started. On March 2, 2018, the Organization discovered an error in the system, which was not detected during testing, whereby some members inadvertently received other members’ contracts. The Organization received emails and telephone calls from members who had received the contracts of other members.
P2019-ND-036

Syncrude Canada Ltd.

During a new hire onboarding process, the Organization collected documents from the employee in order to input data into the payroll and benefits systems. The documents were divided into two separate paper files (one for benefits and the other for payroll). The payroll file is then to be hand delivered to the payroll office for use in processing an employee’s pay. At some point during this process, the payroll file was misplaced. On December 14, …
P2019-ND-035

MediaQMI Inc.

Prior to April 2015, the Organization operated both the English and French Canoe websites. The English Canoe website was sold to Postmedia in April 2015. Since April 2015, the Organization has operated the French Canoe website; Postmedia operates the English Canoe website. On September 2, 2017, Postmedia informed the Organization that it had received an extortion demand from an individual who obtained access to personal information relating to the Canoe website. The Organization investigated, and …
P2019-ND-034

RiverMend Health, LLC

On August 10, 2017, the Organization identified suspicious emails being sent from an employee’s account. The Organization investigated and determined an unauthorized individual had gained access to the employee’s email account beginning on or about July 27, 2017 and continuing until August 11, 2017. The Organization has no evidence that any patient information was misused or specifically targeted.
P2019-ND-033

Gerald J. Kugelmass Professional Corporation

On January 8, 2018, the Organization was advised by several individuals that they had received an email from the Organization requesting they download a file by clicking on a link. The Organization did not send the email. During the week of January 8, 2018, the Organization’s IT consultant advised that the imposter might have had unauthorized access to the Organization’s emails. The Organization reported “The intent of the imposter does not appear to have been …
P2019-ND-032

Loblaw Companies Limited

Between May 12, 2017 and July 7, 2017, automated “credential stuffing” attacks occurred against web properties owned by the Organization. High traffic volumes led the Organization to investigate what appeared to be unauthorized access to user accounts and identified the logins that were likely unauthorized. On June 13, 2017, the Organization received telephone calls from users reporting they received an automated message from one of the Organization’s online sites indicating their user profile had changed. …
P2019-ND-031

Columbia Bank

On July 25, 2017, the Organization learned that an unauthorized individual gained access to an employee’s email account after the employee clicked on a link in a phishing email. The unauthorized individual gained access to the employee’s email on July 20, 2017. The incident was discovered when phishing emails were sent from the employee’s account.
P2019-ND-030

TALX Corporation and Allegis Group Inc., as reported by TALX Corporation

TALX Corporation provides certain payroll related services to Allegis, which allows Allegis’ employees to access electronic copies of tax forms through an online portal website. On February 1, 2017, TALX Corporation discovered that an Allegis employee reported an unauthorized change to the email address associated with the employee’s online portal account. The Organizations investigated and determined that the unauthorized person(s) was able to successfully answer questions about the affected individuals in order to reset the …
P2019-ND-029

Blue Heron Vocational Training Centre, Athabasca

On November 7, 2016, a staff member looking for a file on the Organization’s server noticed that information had been encrypted. The Organization found what appeared to be ransomware and further investigation revealed that the file server had been hacked and unauthorized administrative accounts had been created on the server by the hackers. The Organization reported that the incident likely occurred after October 12, 2017.
P2019-ND-028

Groupe Materiaux Godin and Materiaux Godin et Fils

A small black tote containing documents with the information at issue was stored in a residential garage on July 10, 2018. The tote was last seen on or around July 1, 2018. On the night of September 3, 2018, a neighbor reported the garage door was open overnight. Some items stored in the garage were missing. When cleaning out the garage on October 25, 2018, the black tote was noted to be missing. The Organization …
P2019-ND-027

Syncrude Canada Ltd.

On October 6, 2017, an employee of the Organization reported that they had incorrect access permissions to an internal network directory, allowing the employee access to personal information of other employees. A comprehensive investigation followed and found that there were four (4) unique exposures allowing unauthorized access to various folders between March 2, 2017 and October 13, 2017. The Organization’s IT support services are provided by an external service provider. There is a procedure …
P2019-ND-026

CH Nursery Management Ltd., operating as Early Discoveries Nursery School

A class teacher binder disappeared over the weekend of October 27-28, 2018 while its classrooms were used by another party. The incident was discovered on October 29, 2018 when the teacher arrived to find her class binder gone. The binder has not been recovered.
P2019-ND-025

PFSL Fund Management Ltd.

Tax receipts issued for estate accounts with multiple recipients (deceased, executors, and beneficiaries) were consolidated into a single mailing address for each account, instead of separated by individual recipient address and mailed accordingly. The date of the initial mailing to a recipient in Alberta was September 9, 2016. The date of the last mailing to an Alberta recipient was March 19, 2018. The breach was discovered on August 30, 2018, after an internal investigation was …
P2019-ND-024

AGF Investments Inc.

A redemption request was initiated by the affected individual. The request was processed by the Organization’s affiliated transfer agency administrator, AGF CustomerFirst Inc. (“AGFC”), and a cheque was mailed to the affected individual’s address on file in Athabasca, Alberta. The cheque was intercepted by a third party and successfully cashed, with no endorsement, at a bank branch in Toronto, Ontario. The date the cheque was cashed was June 5, 2018. The breach was discovered on …
P2019-ND-023

Edmonton Humane Society

A technical malfunction in the Organization’s website’s server caused the server to randomly draw client information from a database and populate the website with the information. For a period of time between October 2017 and February 2018, when one clicked on photos of animals on the website’s adoption page, the website would show a PDF image of financial information provided by EHS clients. The website did not give access to the database of client information …
P2019-ND-022

Lawson Products, Inc.

The Organization determined that an email account was compromised and an unknown person gained access to the contents of the email account. Forensic investigation was able to determine which email messages in that account were affected. Two such messages contained personal information related to residents of Alberta, most all of whom are commissioned sales contractors and one a commissioned sales employee for the Organization. The incident occurred between October 1-2, 2018 and was discovered on …
P2019-ND-021

Connect First Credit Union Ltd.

On April 2, 2018, an employee of the Organization received an online loan application for a potential new member. The employee forwarded the email containing the application to the Branch Manager for review and action. However, Microsoft Outlook auto-populated the name of the last person the employee emailed who was not authorized to receive the information and was outside of the Organization’s network. The employee discovered the incident the same day, immediately after sending the …
P2019-ND-020

CPT Group, Inc.

On March 22, 2018, the Organization began investigating after phishing emails were sent from an employee email account. The Organization determined that an unknown individual had access to an employee’s email account from November 22, 2017 to December 8, 2018. The Organization reported that it does not know if any sensitive personal information was accessed without permission.
P2019-ND-019

Fontainebleau Miami Beach

On January 3, 2018, the Organization learned that certain guests’ credit card information was accessed without authorization. The Organization investigated and discovered that the credit card information was acquired between November 2017 and January 2018.
P2019-ND-018

Careem Inc.

On January 14, 2018, the Organization received an email from an unknown hacker claiming to have infiltrated its IT systems. The email demanded a ransom, which, if not paid, would result in the hacker disclosing the information publicly. On January 25, 2018, the Organization paid the ransom. The Organization investigated and determined that the hacker infiltrated its IT systems sometime in December 2017, and had both accessed and stolen the personal information of customers and …
P2019-ND-017

Lago Lindo Preschool

On April 23, 2018, a binder containing the information at issue was left outside in the playground adjacent to the school. The incident was discovered on April 24, 2018, when a parent noticed papers in the park, collected them, and brought them to the Organization. The papers were torn in a few pieces and the binder was not located. A small portion of documents (three registration forms) have not been recovered.
P2019-ND-016

Delta West Academy Society

On Friday, April 13, 2018, an employee with the Organization left work with his school-issued cellphone, school-issued laptop and markbook in his backpack. The backpack was put in the employee’s vehicle. On April 14, 2018, the employee noticed the backpack was no longer in the vehicle. Because there was no damage to the vehicle, the employee assumes that the vehicle was left unlocked and the backpack was stolen. The cell phone and the laptop were …
P2019-ND-015

Primerica Financial Services Ltd.

On February 10, 2018, two clients applied for a life insurance policy. On February 12, 2018, the two clients were visited by an examiner from a third party service provider to conduct a physical exam. On February 19, 2018, the clients were contacted by the RCMP in British Columbia to inform them the RCMP had retrieved stolen paperwork from an unrelated party. The clients informed their independent sales representative who then notified the Organization of …
P2019-ND-014

Juvenile Diabetes Research Foundation

On March 19, 2018, a participant notified the Organization that when they logged onto their fundraising page, they saw a list of donors that were attributed to their profile but did not recognize the donors. The Organization discovered that human error caused 2017 donation history to be incorrectly loaded into the Organization’s new online donation system. The incident occurred between February 11, 2018 and March 18, 2018. As a result of the incident, thirty-four walk …
P2019-ND-013

YWCA Calgary

On March 25, 2018, a practicum student accidentally forwarded an email to a client instead of a co-worker. The client and the co-worker had the same name. The student noticed the error the same day and tried to recall the email. The unintended recipient was asked to delete the email; however, the Organization did not receive confirmation that this was done.
P2019-ND-012

Institute for Supply Management

On or about January 25, 2018, an unauthorized sender caused “phishing” emails to be sent to email addresses contained in an employee’s email contacts list, which was contained on or accessed by a mobile computing device used by that employee for exchanging emails with certain customers of the Organization. The phishing emails contained links to an apparently fake “Docusign” website, the purpose of which was to trick recipients into clicking on a link that would …
P2019-ND-011

2002358 Alberta Ltd. o/a The Captains Boil

A personal/work truck was broken into during the early morning hours of October 28, 2018, outside of a residential home. The truck contained some documents in a briefcase that may have contained personal information of employees of the Organization, and also contained a secured iPad with personal information. The Organization reported that “The majority of information possibly accessed was contained on a secured iPad, with a 6 digit passcode, which was not written down.” The …
P2019-ND-010

World Financial Group Insurance Agency of Canada Inc.

An agent’s car was parked and locked in an underground parkade in Calgary, Alberta. On November 12, 2018, the agent’s driver side window was smashed and his laptop bag was stolen from the backseat. The breach was discovered the same day by the agent when he returned to his car and noticed the damage and the laptop stolen.
P2019-ND-009

Chamberlain Group, Inc.

On October 22, 2018, the Organization discovered that an employee at its call center in Arizona had handled the payment card information of some customers in violation of the Organization’s security procedures. The Organization investigated and, on October 29, 2018, discovered a second call center employee had also improperly handled customer payment card information. The window of time in which one or both of these individuals worked at the call center was October 16, 2017 …
P2019-ND-008

Identifix, Inc.

An unauthorized individual sent an email to certain of the Organization’s employees that contained an attachment through which the individual appears to have gained unauthorized access to the employees’ email accounts. The email accounts contained certain personal information about individuals who have transacted business with the Organization. The Organization discovered the incident on October 24, 2018, after identifying unauthorized emails sent from an employee’s email account. The Organization’s investigation found that an unauthorized user(s) gained …
P2019-ND-007

PetSmart, Inc.

The Organization’s third-party vendor hosts a website allowing customers to enrol to receive text messages (http://petsmartmobile.hit2c.com/us/join). The website encountered a vulnerability that allowed unauthorized access to telephone numbers of customers that were identified as Alberta residents, between August 12-16, 2018. The vendor addressed the issue on August 16, 2018 ensuring the website’s security. This incident did not impact any other of the Organization’s websites or e-commerce platforms. The incident affected individuals (customers) that enrolled to …
P2019-ND-006

Aramark Canada Ltd.

On March 30, 2018, an employee of the Organization went through a supervisor’s desk (without permission) and found a wage rate sheet for fellow employees. The employee informed his supervisor during a telephone conversation later that day to say the wage rate sheet was on the desk. The supervisor asked the employee to put the document inside the desk. Unbeknownst to the supervisor, the employee took a photo of the wage rate sheet and shared …
P2019-ND-005

Anglo American Services (UK) Limited

PageUp People Ltd. (PageUp) provides recruitment support services to the Organization and acts as the Organization’s data processor. PageUp provides a hosted platform through which candidates view and apply for job vacancies in the Organization. On June 6, 2018, the Organization became aware (via a press article) of a security incident affecting the PageUp platform. On June 12, 2018, PageUp confirmed that the incident involved a cyberattack to gain unauthorized access to PageUp’s IT systems …
P2019-ND-004

Rifco National Auto Finance Corporation

On January 12, 2018, an unidentified woman contacted the Organization and identified herself as the sister of a client of the Organization. The caller said her sister was in the hospital, and the caller wanted to make a payment on her sister’s behalf. The Organization’s agent had no authorization to provide information to the caller, and did not. On January 24, 2018, the Organization confirmed the client’s address had changed. On January 30, 2018, the …
P2019-ND-003

Teck Resources Limited

On February 27 and 28, 2018, the Organization mailed T4s to former employees. In some cases, due to a faulty setting on an envelope stuffing machine, two T4s were put into each envelope. The incident was discovered on March 2, 2018 when three former employees reported receiving another person’s T4 with their T4. At the time of reporting the incident, the Organization did not know how many envelopes were stuffed by the machine, how many …
P2019-ND-002

Hairbow Center, LLC

On September 26, 2018, the Organization was informed by Shopper Approved, LLC (a third party vendor that provides rating and review services) that a malicious actor modified computer code maintained by Shopper and linked to an image of the Shopper seal which the Organization displayed on its website. The modified computer code was designed to capture payment card information entered on the Organization’s website and was active from 12:35 a.m. EDT on September 15, 2018 to …
P2019-ND-001

RBC Life Insurance

On November 14, 2018, an individual that works for a third party supplier to the Organization (a laboratory that performs medical exams) had their vehicle vandalized and the information at issue was stolen, along with a cooler containing a specimen of blood and urine. The incident occurred in Calgary, Alberta. The incident was discovered the same day.
P2018-ND-169

Pleasant Solutions Inc.

On September 6, 2017, the Organization’s CEO found a USB keylogger on his computer. The Organization reported the matter to law enforcement, and commenced an investigation. On October 6, 2017, an employee with the Organization was arrested, his equipment was seized and cloud data copied. The investigation found that the employee accessed the CEO’s computer remotely on September 25, 2017 using a password obtained with the keylogger. Employee files were copied from the CEO’s computer.
P2018-ND-168

Microtel Inn & Suites

On or about August 7, 2018, guests staying at the Organization’s location in Blackfalds, Alberta, entered a storage room and stole paper records as well as a number of other items. The Organization became aware of the theft when they were contacted by the RCMP on August 26, 2018, after the RCMP found records belonging to the Organization in an abandoned vehicle along with other stolen items. The stolen records date from January to April …
P2018-ND-167

New Horizon Car & Truck Rentals Ltd., o/a Discount Car Truck Rentals

Between 5 am and 6:30 am on August 22, 2018, one of the Organization’s Calgary locations was broken into and robbed. Five vehicles were stolen as well as paperwork containing the information at issue. The incident was discovered later that same day by employees.
P2018-ND-166

Best Buy Canada Ltd.

On or around August 24, 2018 the Organization sent a customer’s hard drive to a third party data recovery company. The hard drive was lost in transit, along with a copy of an in-store sign-in form which is used to record the terms and details of the requested service and the customer’s information. The incident was discovered on October 3, 2018. The hard drive and form have not been recovered.
P2018-ND-165

AGF Investments Inc.

As a result of a programming issue with an automated tax receipt mailing application that was implemented in 2016, tax receipts issued for estate accounts with multiple recipients (deceased, executors, and beneficiaries) were consolidated into a single mailing address for each account, instead of separated by individual recipient address and mailed accordingly. This resulted in one recipient receiving all of the tax receipts for the estate settlement of such accounts, instead of tax receipts being …
P2018-ND-164

Sun Life Assurance Company of Canada

From June 21, 2018 to August 24, 2018, the Organization discovered 36 fraudulent attempts made by individuals who called the Customer Service Centre to obtain login information and/or withdraw funds from client accounts. These individuals impersonated actual clients when attempting to obtain access to a client account for financial gain. The Organization stopped all attempts to withdraw funds except for one which resulted in a fraudulent withdrawal.
P2018-ND-163

Hudson’s Bay Company

Around July 1, 2017, malware began running on certain point of sale systems at potentially all Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor locations in North America. The malware was designed to collect customer payment card information. The breach was discovered on March 29, 2018. The Organization contained the issue on March 31, 2018, and believes it no longer poses a risk to customers shopping at its stores.
P2018-ND-162

Cassels Brock & Blackwell LLP

On August 21, 2018, an unidentified party gained access to the email account of an employee of the Organization. Between August 21 and August 22 the unidentified party sent phishing emails to third parties, and likely exfiltrated the contents of the employee’s email account. The Organization discovered the breach on August 22, 2018, when clients who had received the phishing email started to question if it was legitimate. The Organization said the suspected cause of …
P2018-ND-161

Calgary Co-operative Association Limited

On March 28, 2018, a customer of the Organization received an anti-virus alert notifying him of an attempt to download malicious software to his computer when he visited the Organization’s website. The customer notified the Organization. The Organization investigated and, on April 3, 2018, discovered unauthorized modification of the website “shop.coopwinespiritsbeer.com”, which was formerly “www.yycwinedeals.com” and still redirected from that URL. The Organization said the only authorized administrators of the site are its IT team …
P2018-ND-160

HSBC Investment Funds (Canada) Inc.

On February 20, 2018, the Organization mailed T4RIF and T4RSP forms to beneficiaries and estate executors of deceased customers. On February 26, 2018, a customer attended one of the Organization’s branches to return a T4RIF tax form listing inaccurate information. On February 28, 2018, the Organization determined a manual printing error led to the co-mingling of customer and non-customer personal information on T4RIF and T4RSP forms. The correct forms and misaligned forms were combined and …
P2018-ND-159

RBC Life Insurance

On October 5, 2018, a copy of the client’s claim file was sent from a third party supplier via courier to the Organization; however, it never reached its destination. The incident was discovered on November 7, 2018, when the Organization followed up with the third party supplier after approximately a month from the date the file was requested.
P2018-ND-158

IDC Worldsource Insurance Network Inc.

On October 4, 2018, the Organization hosted an educational event for insurance advisors at an Edmonton golf club. More than 60 advisors attended. An advisor attending the event handed an employee at the event registration table a sealed envelope containing client paperwork and asked the employee to transport the paperwork to the Organization’s office. The employee left the venue after the event without taking the sealed envelope. On October 15, 2018, the advisor contacted the …
P2018-ND-157

WFG Canada Inc.

On October 23, 2018, an agent’s car was broken into and her laptop (password protected) containing personal client information was stolen. The incident was discovered the same day by the agent when she returned to her car and noticed her laptop bag containing her laptop was stolen. The Organization reported that the “car was locked and the laptop that was stolen was password protected”.
P2018-ND-156

Morneau Shepell Ltd.

Between August 29 and September 5, 2018, the Organization was subject to a targeted email phishing attack that resulted in an unknown third party briefly gaining access to the email accounts of two of the Organization’s employees and using those accounts to send out further phishing emails. The Organization has determined through a subsequent investigation that an employee clicked on a malicious link contained within a phishing email that linked to a credentials harvesting …
P2018-ND-155

YWCA of Calgary

On September 19, 2018, an employee sent an email to HR about changes to a current employee’s work schedule and pay rate. The employee also included another employee, not in HR, and who should not have received the information. The incident was discovered the same day when the employee who received the email in error emailed her manager to let her know of the incident.
P2018-ND-154

Casper Sleep Inc.

The Organization learned that a server containing customers’ past order details could be accessed from the internet between May 5, 2016 and April 11, 2018. The Organization investigated and found that the incident was caused by an error in the server configuration. On July 12, 2018, Casper discovered that certain customer information may have been obtained by unauthorized individuals. The impacted server contained information about orders customers placed between April 1, 2016 and May 5, …
P2018-ND-153

Mertex Canada Ltd.

On August 31, 2018, an employee of the Organization sent an email communication to two other employees. The sender maintains authorized access to employee personal information for purposes of fulfilling his job functions. The recipients, however, were not authorized to receive the compensation information. The Organization learned of the incident on August 31, 2018.
P2018-ND-152

Hudson’s Bay Company

On August 12, 2018, the Organization’s third party service provider, Vibes Media, LLC, reported that an unauthorized third party was able to gain access to the service provider’s web application and obtain a copy of contact information of certain (but not all) customers of the Organization who were enrolling to receive marketing messages via text on their mobile devices. The unauthorized third party obtained a copy of database records that contained the information at issue. …
P2018-ND-151

Sun Life Assurance Company of Canada

On June 26, 2018, an employee of the Organization emailed a beneficiary designation form to a client. The form was pre-filled with the first and last name of the recipient, and the date of birth, telephone number and two policy reference numbers belonging to another client who shares the same first and last name. The incident was discovered on July 11, 2018 when the unauthorized recipient emailed his advisor to report the error.
P2018-ND-150

Trisotech Computer Consulting Services Inc.

On March 20, 2018, a partner with the Organization received an email requesting invoice payment from an employee. After verbal verification with the employee and his boss, the Organization realized something was wrong. An internal investigation revealed the Organization had paid a fraudulent invoice on March 12, 2018 and an unauthorised party may have gained access to the Organization’s customer management system (CRM system) through one of its employee’s accounts. The unauthorized party may have …
P2018-ND-149

SMS Equipment Inc.

On August 27, 2018, a Supervisor with the Organization opened the cabinet in his office to retrieve a notebook containing the personal information at issue; however, the notebook was missing. The notebook was last seen on August 24, 2018 and is believed to have gone missing on or around August 26, 2018. The Organization believes the notebook may have been stolen.
P2018-ND-148

Kids U Inc. (Walden)

Between March 10-12, 2018, the Organization’s office was broken into. The Organization’s television, printer and laptop were stolen. The laptop was encrypted with a password, but contained personal information of staff and children. The Organization is not sure if the password used was strong given that the employee who would have set the password is no longer with the Organization.
P2018-ND-147

NAL Resources Management Limited

The Organization reported that “A Breach of three Outlook 365 accounts occurred. One of the accounts contained personal information which may have been accessed by unauthorized individuals.” The incident occurred between September 11-28, 2018. The breach was discovered on October 4, 2018 by review of a system log of risky sign-ins on an account which generated further investigation by the Organization’s IT team. Three accounts with abnormal sign-ins were identified.
P2018-ND-146

Hitachi Vantara Corporation

The Organization reported that it discovered that a third party may have gained access to an internal email account and that this “may have resulted in unauthorized access to the personal information of 3 Alberta residents.” The incident occurred on or after September 10, 2018 and ended October 4, 2018. The breach was discovered on October 3, 2018 by an employee upon realizing that email had been sent from an internal email account by an …
P2018-ND-145

Plant Therapy, Inc.

On May 11, 2018, the Organization learned of a potential data security incident involving the unauthorized installation of malware on the ecommerce web platform of its third-party provider. The malware created an iframe overlay designed to capture billing details entered by the customer during the shopping cart checkout process. The incident potentially exposed the payment card information of individuals who made purchases on the ecommerce website between March 29 and May 11, 2018. On July …
P2018-ND-144

Ivari Canada ULC

On July 24, 2018, the Organization mailed a letter containing the information at issue to a doctor’s office. The address was incomplete (no suite number). When the letter was not received at the doctor’s office, the Organization was asked to track it, but has not been able to locate the letter. The breach was discovered on August 2, 2018.
P2018-ND-143

1st Choice Savings and Credit Union Ltd.

On July 4, 2018, an employee of the Organization intended to send an email with three PDF attachments to the Compliance department to verify ATM deposits. Inadvertently, the email was sent to a non-employee, along with other staff members. The email was not encrypted or password protected. Attempts were made to recall the message through Outlook, but were not successful. The Organization made multiple attempts (through email, telephone and Facebook) to contact the unintended recipient. …
P2018-ND-142

Nordstrom, Inc.

The breach involved a contract worker accessing employee data and downloading the data onto a USB key in violation of the Organization’s security policies. The key containing the data was retrieved from the contract worker and the Organization considers that the breach has been contained. The breach happened on October 9, 2018 and was discovered the same day.
P2018-ND-141

Tyrell Inc. o/a Zentrum

On September 26, 2018, the Organization discovered that a website it owned and operated (www.quinetrentals.com) had been accessed by an unknown party. The website is an application platform; people use the website to apply for rental accommodations. The unknown party downloaded the personal information of people who had used the website between December 5, 2005 and September 19, 2018 and threatened to publish the information unless a ransom was paid. The Organization paid the ransom. …
P2018-ND-140

Civeo (Civeo Services Employees LP)

The Organization reported that “Employees responded to phishing email resulting in compromise of email accounts”. In its notification to affected individuals, the Organization said the incident “occurred between October 4 and October 10, 2018. Unknowingly, 14 employees responded to a Phishing email scheme that resulted in a compromise of their email id and password. An unknown party, located in Egypt, had access and logged into these 14 employees [sic] email accounts and that access ranged …
P2018-ND-139

Troy Janzen Psychological Services

The Organization is a sole practitioner psychologist. On June 29, 2018, a password protected laptop computer was stolen from a vehicle outside his home. The laptop was protected by a password but the hard drive was not encrypted. The laptop contained a desktop Dropbox application on which various electronic client files were stored, some of which were protected using Microsoft Word’s “encrypt with password” feature. Some files were PDF documents and were not further encrypted …
P2018-ND-138

Safway Services Canada

On August 28, 2018, an employee with the Organization noticed that 15 boxes containing payroll files were missing from the centralized storage room. The Organization became aware that the boxes were missing because there was an obvious gap where the boxes should have been. The Organization believes the boxes contained employee files for employees whose employment was terminated in 2011 and 2015. On August 30, 2018, the Organization discovered that 2 boxes containing invoices and …
P2018-ND-137

Radisson Hospitality Inc.

On September 11, 2018, a malicious user account was created by an attacker who used stolen credentials to access the system administrator functionality in the customer service application on systems operated and maintained by the Organization. On October 1, 2018, the Organization activated its Incident Response procedures and the malicious use connectivity was promptly revoked. The malicious activity was detected through automated behavioral analytics on September 25, 2018. Prior to that date, the unauthorized activity …
P2018-ND-136

Eveline Charles Academy Inc.

On the morning of September 13, 2017, a staff member sent an email to 30-40 of the Organization’s student body and staff advising the recipients of a promotional offer and entitled “Dermalogica 55% off!”. A 17-page attachment was inadvertently attached to the email, which contained the information at issue. The attachment was not encrypted. The incident was discovered the same day when one of the recipients noticed the error.
P2018-ND-135

ATB Financial

On August 11, 2018, an Organization team member (employee) was at a gym when her locker was broken into. The thief stole the team member’s wallet and keys. The thief used information in the wallet and keys to gain access to the team member’s home where they stole a work laptop bag which contained customer information, as well as an organization-issued laptop and cell phone. The cell phone was recovered on the side of highway …
P2018-ND-134

Apple Canada Inc.

An external party may have phished one of the Organization’s employee’s credentials and queried the central system that stores iTunes customer account information. The Organization reset the credentials used by the external party upon discovery of this incident, thereby terminating the external party’s ability to access the system containing iTunes customer account information. The third party was able to access the account information for 2 individuals in Alberta prior to the termination of their access …
P2018-ND-133

The Presbyterian Church in Canada

The Organization contracts with Eckler Ltd. to develop and host its pension administration system. On June 13, 2018, Eckler advised the Organization that an internal audit of its privacy practices revealed that it had inadvertently disclosed the personal information of certain of the Organization’s members in two separate incidents. The first incident occurred on November 18, 2011 when six (6) copies of a response to a client request for proposal were sent out that …
P2018-ND-132

Ebbs, Roberts, Head & Daw Inc.

On or about July 27, 2018, the Organization discovered that a data security incident may have affected some of its files, which included personal information. Based on its investigation, the Organization believes a phishing attack may have been the cause of a compromise to its information systems resulting in access to personal information. The breach was discovered July 27, 2018 when clients notified the Organization “that fraudulent tax return was [sic] filed in their name.”
P2018-ND-131

LÍLLÉbaby

In June of 2018, the Organization learned of a potential data security incident involving the unauthorized installation of malware on its e-commerce web platform. It appears that payment card information may have been affected for customers who used the Organization’s website from June 2016 until July 9, 2018.
P2018-ND-130

CDN Controls Ltd.

The Organization received a telephone call from a former employee alleging that his dates of employment were given to his ex-spouse by one of the Organization’s Managers, without the former employee’s knowledge or consent. The former employee found out about the matter when the court reviewing his divorce proceeding had a copy of his work schedule, printed on the Organization’s letterhead. The former employee had not given permission for the Organization to disclose the information. …
P2018-ND-129

AVI-SPL Canada, Ltd.

A former employee requested his personal information from the Organization. The Organization obtained the information from its contracted third-party payroll provider, but did not realize the documents provided included the personal information of other former and current employees. On May 29, 2018, the Organization emailed the document containing the personal information of other employees to the former employee who had requested his own personal information. The breach was discovered the same day when the former …
P2018-ND-128

Universal Rail Systems

During a routine payroll systems upgrade, a new system folder provided by a third party vendor was installed by the Organization’s IT department. The system generates automatic emails to employees with their T4s. The Organization tested the system before releasing T4s. However, after releasing the first department’s T4s, the payroll department reviewed a sampling of emails and discovered that each employee received only one T4 statement instead of two duplicates, and every second employee received …
P2018-ND-127

Northbridge General Insurance Corporation and Federated Insurance Company of Canada

On May 25, 2018, an employee in the Organization’s Toronto office received a phishing email from a known and trusted business partner whose system had been exploited by an outside party. The phishing email convinced the employee to provide her email login credentials, which resulted in the outside party gaining unauthorized access to the employee’s email account on June 12, 2018. Once the outside party gained unauthorized access, they changed the employee’s email configuration to …
P2018-ND-126

Quality Credit Services Limited (doing business as Quality Credit Reporting)

The affected individuals are prospective franchisees of a franchisor who retained the Organization to provide credit reports in connection with the credit applications of those prospective franchisees. The prospective franchisees are spouses. On August 28, 2018, an employee of the Organization emailed the prospective franchisees to advise that the franchise credit applications had been received and that the credit report process was underway. The employee attached the prospective franchisees’ credit applications to the email. Even …
P2018-ND-125

Bombas, LLC

The Organization experienced a security incident on its website due to malicious code in its third party e-commerce platform used for payment card purchases. The malicious code was initially identified and disabled from the website on January 15, 2015, and, after an inadvertent reintroduction, the malicious code was disabled on February 9, 2015, with remediation activities ending on February 25, 2015. In the course of a 2018 review of its privacy and cybersecurity program, the …
P2018-ND-124

McAfee Ireland Ltd.

The Organization offers a computer support service, TechMaster, through a vendor based in India. On or around June 2016, the Organization was made aware that some TechMaster customers were receiving telephone calls from one or more individuals falsely claiming to represent TechMaster. The caller(s) claimed that the customer owed additional fees, was owed a refund, had been over-refunded, or was experiencing issues with their account all with the objective of social engineering financial gain. In …
P2018-ND-123

CIBC World Markets, as reported by Canadian Imperial Bank of Commerce

On July 26, 2018, CIBC learned that one of its vendors was contacted on May 25, 2018 by an unknown third party using an untraceable email account who claimed to have found information related to the vendor on the dark web. CIBC was advised that the information included certain personal information of individuals that are current or former employees or individuals that have previously applied for employment. There is one impacted individual who resides in …
P2018-ND-122

Alpha Industries, Inc.

On August 25, 2017, the Organization learned that its third-party digital commerce platform provider, Aptos Inc., had experienced an intrusion. The intruder(s) accessed the digital commerce platform and may have acquired certain personal information of customers who manually entered their payment card details on the Organization’s website between July 6, 2017 and August 9, 2017. On September 8, 2017 and again on October 17, 2017, the service provider gave the Organization information regarding potentially affected …
P2018-ND-121

FastHealth Corporation

On November 2, 2017, the Organization received a report from law enforcement indicating that an unauthorized third party may have accessed or acquired certain information from the Organization’s databases. The Organization’s investigation found that from August 14, 2017 to August 18, 2017, an unauthorized third party accessed the Organization’s web server.
P2018-ND-120

Feld Entertainment, Inc.

Beginning on or about May 28, 2018, the Organization identified suspicious email activity related to a phishing email sent to certain of the Organization’s employees. The Organization investigated, and, on June 21, 2018, determined that there had been unauthorized access to certain of the Organization’s employee email accounts. The Organization later confirmed that unauthorized access occurred between April 5, 2018 and June 29, 2018. To date, the Organization has no evidence of any actual or …
P2018-ND-119

Sun Life Assurance Company of Canada

On July 27, 2018, an advisor with the Organization left a bag containing 12 insurance contracts in a locked car at her residence. On July 28, 2018, the advisor found the vehicle had been broken into and the bag stolen, along with a few personal items. The breach was reported to the Organization’s Calgary Financial Centre on July 30, 2018.
P2018-ND-118

Envision Property Management Ltd.

In June 2018, thieves broke into the group mailbox at a residential condominium property the Organization manages and stole mail from a number of mailboxes including one individual’s new credit card. The Organization’s office was subsequently contacted by telephone by a person who identified himself as being with the Calgary Police Service. The caller requested a telephone number and email address for an occupant of the condominium property (the individual whose credit card had …
P2018-ND-117

Rail Europe SAS (France)

In mid-2017, through PHP code injection, an attacker was able to gain access to the Organization’s front-end web servers and install spyware in order to collect data entered by customers on the Organization’s website. The data encryption in place between the Organization’s web browsers and servers did not protect the customer information from the attacker due to the method of attack. The incident occurred from June 15, 2017 through February 16, 2018. The incident was discovered …
P2018-ND-116

Rail Europe North America Inc.

As a result of queries from one of the Organization’s banks, the Organization commenced an investigation of its ecommerce websites, which are used by persons outside of the EU to purchase rail passes for use in EU countries. Specifically, the Organization’s parent company, Rail Europe SAS (France), which operates the IT platform to which the Organization migrated its ecommerce websites, engaged two forensic analysis and security auditing firms to investigate. To date, the investigation has …
P2018-ND-115

Investors Group Financial Services Inc.

On December 1, 2017, the Organization was broken into. Several laptops of employees and one paper file in a briefcase were stolen. The thieves broke into a fireman’s access box located on the outside of the building and used the contents from the access box to get into the building. The firebox belonged to the landlord of the building. The incident was discovered by staff upon arriving for work. The Organization said the stolen laptops …
P2018-ND-114

Nissan Canada Finance

On December 11, 2017, the Organization received an extortion demand from an unknown person(s) claiming to have gained access to the personal information of the Organization’s customers. The Organization investigated and discovered there was an unauthorized access to certain of its servers that held personal information of Canadian customers who financed their vehicles with the Organization. The Organization also determined no payment card information was affected. The Organization determined that there is no indication of …
P2018-ND-113

Plow and Hearth, LLC

The Organization uses a third party service provider, Aptos, Inc., to provide a digital commerce platform that functions as the back-end for the Organization’s online stores. On August 24, 2017, Aptos notified the Organization that there had been a remote access intrusion that resulted in unauthorized access to online transaction data information provided by customers of the Organization. The Organization reported that, according to Aptos’ investigation, the intrusion began on approximately July 22, 2017 and …
P2018-ND-112

Westcorp Inc.

On June 23, 2017, the Organization’s IT department became aware of a cyberattack on its servers. The attack encrypted the network and compromised the functionality of the Organization’s systems, including its redundant backups. The attackers demanded ransom payment to unencrypt the affected files. On June 26, 2017, the virus was contained, email functionality restored, and telephone lines temporarily forwarded to alternate numbers. Restoring software functionality took more time.
P2018-ND-111

Now in Colour Psychological Services Inc.

On May 4, 2018, the Organization sent an email to an insurance company’s general email address with the intent of submitting an invoice for a client. On July 31, 2018, the Organization discovered that the document attached to the email was about another client. The incident was discovered when an employee of the insurance company investigated the Organization’s request for information about payment of an invoice. The situation became more complex when the insurance company …
P2018-ND-110

World Financial Group Insurance Agency of Canada Inc.

On May 30, 2018, an agent of the Organization sent email correspondence to a client’s personal email address as well as an unknown party who had a very similar email address. This email correspondence included the information at issue, which was being sent to the client for record keeping purposes. On May 31, 2018, the unknown party reported the error to the Organization.
P2018-ND-109

Canopy Growth Corporation

The Organization uses a third party service provider, Typeform S.L. (a Barcelona-based online software as a service company), to collect marketing data. The Organization reported that it “on June 22, 2018”, Typeform informed the Organization that “On June 27, 2018, our engineering team discovered that an unknown third party gained access to our server and downloaded certain information, including some of the data your respondents provided via Typeform.” The Organization said that subsequently, on July …
P2018-ND-108

Millennium EMS Solutions Ltd.

On September 1, 2016, the Organization’s IT Helpdesk received reports of a malfunctioning IT server system. After investigation, it was determined that the system “had been hacked by external hackers on July 5, 2016”. The unauthorized access to the server was through a default user account in the system. Unauthorized software was downloaded that was not compatible with the system.
P2018-ND-107

Mountain Equipment Co-operative

On or about April 11 and 12, 2018, the Organization detected a significant number of attempted log-ins to its website, www.mec.ca, originating from a botnet. The botnet attempted to log into the website using numerous email addresses and passwords, which were not obtained from the Organization. More than 99% of the log-in attempts were unsuccessful because the email addresses were not known to the Organization. The Organization is unable to confirm precisely how many of …
P2018-ND-106

Fountain Tire Ltd.

On two separate occasions, associates with the Organization clicked on phishing emails and entered their credentials, enabling an unknown individual(s) to gain access to their email accounts. The incidents took place on April 5, 2018 (discovered the same day) and April 16, 2018 (discovered the next day). The Organization’s investigation revealed that both compromised email accounts contained personally identifiable information of certain associates of the Organization. The Organization has no evidence that the unauthorized individual …
P2018-ND-105

WealthBar Financial Services Inc.

The Organization engaged an online survey service provider based in Barcelona, Spain, Typeform, to distribute surveys to clients and prospects. Typeform gathered survey responses and provided them to the Organization for integration into the Organization’s own systems. Typeform maintained copies of survey responses on its cloud-based servers. On June 29, 2018, Typeform advised the Organization that an unknown third party gained access to its back-up systems and downloaded certain information collected from the Organization’s clients …
P2018-ND-104

Vancouver Canucks Limited Partnership

The Organization reported that the “incident happened at a company that provides online surveys that are sometimes used in our online portal for season tickets renewal. IOMedia, which is owned by Ticketmaster and runs the online portal, advised that as a result of an incident at the online survey company, known as Typeform, some of the answers entered in surveys during the season ticket renewal process may have been compromised”. The Organization reported that “Typeform …
P2018-ND-103

United Nurses of Alberta

On July 22, 2018, an unknown individual broke into the Organization’s locked office in Red Deer and stole a desktop computer, back-up drive, and a password book. The incident was discovered on July 22, 2018 after the building’s security alarm went off and RCMP were dispatched. The desktop computer was encrypted and password-protected and part of the Organization’s disablement system. Once the desktop “pinged” on Sunday, July 22nd, 2018, the Organization was able to disable …
P2018-ND-102

Moore Stephens Tiller, LLC

On or around April 9, 2018, the Organization became aware of suspicious activity relating to an employee’s email account, possibly related to a malicious phishing email. The Organization investigated, and determined that an unknown individual accessed the email account of an employee on April 6 and April 9, 2018. The investigation was unable to determine which email messages may have been seen or taken by the unauthorized individual.
P2018-ND-101

SBE ENT Holdings, LLC

On or about June 6, 2017, the Organization was notified by its service provider, Sabre Hospitality Solutions (Sabre), that an unauthorized party gained access to certain Sabre account credentials. This permitted unauthorized access to unencrypted payment card information and select reservation information for certain reservations processed and stored on Sabre’s central reservations system (CRS). Sabre facilitates the booking of hotel reservations by guests, including for some hotels that are owned, licensed, or managed by the …
P2018-ND-100

Beaumont Credit Union Ltd.

On July 17, 2018, fraudulent impersonators contacted the Organization via telephone to obtain access to the on-line banking of a credit union member. The contact center agent failed to engage adequate safeguards to verify the identity of the caller. The agent assisted the caller in changing passwords and granting access to the member’s on-line banking portal. The perpetrator attempted to fraudulently transfer funds on three occasions. The first occasion was successful and a transfer was …
P2018-ND-099

LA Fashion Enterprise Ltd.

On June 4, 2018, the Organization was made aware that anomalous software had been installed on its server. On June 28, 2018, the Organization’s technical investigators confirmed the software had the capability to enable the intruder to gain access to customer databases containing personal information provided by customers when making online orders, and to intercept credit or debit card details at the point of sale. The unauthorized access is believed to have taken place between …
P2018-ND-098

PricewaterhouseCoopers LLP

On July 13, 2018, two individuals burglarized the Organization’s premises in Edmonton. A number of personal items were stolen along with documents containing the information at issue. The incident was discovered on July 14, 2018, when employees discovered items were missing and there appeared to have been a break in.
P2018-ND-097

Beauty Express Canada Inc. D/B/A The Lice Crew

On February 13, 2018, a client contacted the Organization to report that she had searched her mobile phone number in Google and discovered that her and her child’s appointment information with the Organization, including her name, her child’s name, her phone number and information she had provided during the call to book the appointment, were published on Google. The Organization’s IT department immediately investigated and rectified the issue. At the time of the breach, the …
P2018-ND-096

Helly Hansen AS

During a scan by the Organization’s e-commerce service provider of its client sites, it was discovered that malware had been embedded on the hellyhansen.com e-commerce website. As a result of this malware, payment card information collected from April 20 – 26, 2018 and May 2 – 14, 2018 may have been compromised. The incident was discovered through monitoring conducted by the third party vendor (Magenta Inc.), who services the platform. The malware was identified on May …
P2018-ND-095

DIRTT Environmental Solutions

In or around August 2017, an unauthorized forwarding rule was installed on the Outlook mailbox of the Organization’s internal legal counsel. As a result, copies of all incoming emails were forwarded to an unauthorized third-party Gmail account. The incident was likely the result of a phishing attack. The investigation revealed that approximately 17,000 emails were transferred over a ten (10) month period. Of those, approximately 800 documents were identified as potentially containing some form of …
P2018-ND-094

Tommie Copper Inc.

The Organization was contacted by representatives of the credit card industry regarding potential fraud related to credit cards used on the Organization’s website. The Organization investigated and, on or about June 1, 2018, confirmed that a piece of malware had been inserted into the Organization’s website that collected payment information used at checkout. Certain payment information used by customers on the website was subject to unauthorized access from November 10, 2017 through January 5, 2018 and …
P2018-ND-093

JYSK Canada

On June 29, 2018, an employee of the Organization received a suspicious email from a random domain that looked like a phishing email and contained the address of one of the Organization’s physical locations. The employee shared the information internally with the e-commerce team, and reported the email to the information technology department. The Organization’s investigation indicates that an unauthorized person gained access to the back end of the e-commerce platform remotely, and placed a …
P2018-ND-092

Product Madness, Inc.

On Tuesday, May 15, 2018, the Organization’s San Francisco, California office was broken into and certain property was stolen, including fourteen (14) company laptops. The Organization believes that certain personal information was stored on the stolen devices. The Organization does not have any evidence that the information on the stolen laptops has been accessed or used. The Organization reports that “Based on the findings of the investigation to date, the theft appears to be motivated …
P2018-ND-091

West Coast Reduction Ltd.

On October 23, 2017, a user at the Organization’s Head Office received a malicious phishing email from a trading partner correspondent. The Organization understands that the trading partner was tricked into disclosing his email credentials and many or all of his contacts were then sent a copy of a malicious email. The user who received the email also disclosed their credentials to the sender of the phishing email. Subsequently, one more user with the Organization …
P2018-ND-090

Northbridge General Insurance Corporation

On March 6, 2018, an employee in the Organization’s Toronto office received a phishing email from a known and trusted business partner whose system had been exploited by an outside party. The phishing email convinced the employee to provide his email login credentials, which resulted in the outside party gaining unauthorized access to the employee’s email account. The outside party used access to the employee’s email account to send phishing emails to the contacts in …
P2018-ND-089

IKEA Canada Limited Partnership

Between February 12, 2018 and February 15, 2018, the Organization received calls from thirteen (13) customers reporting that an alleged employee of the Organization had telephoned them with information relating to delivery, mattress pick-up, or a refund. The Organization has no record of the named employee and no calls were authorized or condoned by the Organization. In twelve (12) of the cases reported, the individual stated that in order to reschedule a delivery or mattress …
P2018-ND-088

TAWS Security

On July 18, 2018, an employee of the Organization sent an email to 17 employees asking them to complete attached benefit forms. Inadvertently, the forms that were attached contained completed documents with the information at issue for 14 other individuals. The employee quickly realized the error and tried to retract the email but was unsuccessful. The unauthorized recipients were told to disregard the email.
P2018-ND-087

Imperial Oil Limited

The Organization’s EssoExtra Loyalty Program mobile application, which is hosted and managed externally by the Organization’s third party vendor, Exchange Solutions International, was the focus of an attack by an unknown third party. As a result, loyalty program member accounts were accessed by a third party, allowing a perpetrator to redeem points for merchandise and gift cards in BC and Alberta. The unauthorized activity occurred between February 11, 2018 and March 22, 2018 and was …
P2018-ND-086

Sun Life Financial

On November 15, 2016, an employee of the Organization inadvertently sent a client a pdf file containing his own coverage summary along with those for 28 other clients. A second client was inadvertently emailed a pdf file containing his own coverage summary along with those for 56 other clients. The first recipient reported the error to his Plan Sponsor on January 11, 2017. The Plan Sponsor informed the Organization on the same date. The second …
P2018-ND-085

Write-On Stationery Supplies Inc.

On May 9, 2017, Pixel Army contacted the Organization to advise that there had been an intrusion. On May 10, 2017, Pixel Army identified that there was evidence of credit card skimming on the website. The Organization understands that Pixel Army became aware of the intrusion on May 5, 2017 and investigated with the assistance of a third party. The investigation determined an intruder had accessed the server and installed malicious software and server back …
P2018-ND-084

Discovery Time Preschool Ltd.

Sometime between the afternoon of October 13, 2017 and October 16, 2017, one of the Organization’s emergency backpacks went missing. The incident was discovered on October 16, 2017 when a teacher went to retrieve the backpack from its regular location and it was not there. It is possible the backpack was mistakenly left outside at a playground at the end of the day on October 13, 2017. The backpack contained paper copies of the Organization’s …
P2018-ND-083

La Coop fédérée

On March 5, 2018, the Organization received a phishing email from a company that had an existing business relationship with the Organization. The company had itself been compromised. The phishing email was primarily blocked by the Organization’s anti-spam filter; however, one (1) user who received the email clicked the link displayed and several emails were sent from his mailbox leading three recipients to also click the link and provide their authentication information. Three email accounts …
P2018-ND-082

Roberts Hawaii, Inc.

The Organization received reports from several customers of fraudulent charges appearing on their payment cards shortly after they were used to make a purchase on the Organization’s website. The Organization engaged a cybersecurity firm to investigate. The investigation determined that an unauthorized person gained access to the web server for two of the Organization’s websites and installed code that was designed to copy information entered during the checkout process. Information from purchases made between July …
P2018-ND-081

R.C. Purdy Chocolates Ltd.

The Organization uses a third party service provider, Aptos, Inc., to provide e-commerce services enabling the Organization’s customers to order and purchase goods using an internet website. The Organization was informed of the breach in a letter dated February 7, 2017, from its service provider Aptos. Aptos reported to the Organization that it became aware of anomalous activity on its systems on or about November 28, 2016. Aptos investigated and found that the intrusion began in …
P2018-ND-080

Affy Tapple, LLC operating as Mrs. Prindables

The Organization uses a third-party company, Aptos, Inc., to operate and maintain the technology for website and telephone orders. Specifically, Aptos provides a digital commerce platform that functions as the back-end for the Organization’s online store, as well as its order management system. On February 6, 2017, Aptos advised the Organization that unauthorized person(s) electronically accessed and placed malware on Aptos’ platform holding payment card transaction information for about 40 online retailers. According to Aptos, …
P2018-ND-079

Servus Credit Union Ltd.

On March 2, 2018, one of the Organization’s members raised a concern with a Branch Manager regarding a payment made to an unfamiliar credit card. The Branch Manager engaged the Corporate Security Department to investigate the matter. The investigation found that an employee of the Organization improperly accessed two unrelated bank accounts for reasons unrelated to his/her job tasks. In both cases, the members suffered a financial loss. The unauthorized access occurred between January 18, …
P2018-ND-078

Orica Australia Pty Ltd.

On June 1, 2018, PageUp, a third party, cloud-hosted system that the Organization uses for online recruitment, sent its customers a generic email advising that PageUp detected unauthorized activity in its system on or around May 23, 2018. The email provided all users with notice that an investigation was occurring but did not specifically indicate that any information relating to the Organization was accessed or otherwise compromised. On June 12, 2018, PageUp issued a statement …
P2018-ND-077

SSAB Swedish Steel, Ltd.

On March 28, 2018, an employee of the Organization unintentionally disclosed payroll information of other employees to a former employee who had requested their own tax documents. The incident was the result of human error, whereby the employee attached a document to an email sent to the former employee. The Organization learned of the incident on April 2, 2018 when a current employee reported it, after having been contacted by the former employee. Later the …
P2018-ND-076

Luxury Retreats

On March 22, 2018, the Organization learned that an unknown individual had gained access to an employee’s corporate email account and used the employee’s account to create and send spam emails. The Organization did not identify any evidence that emails stored in the employee’s account were viewed, but could not eliminate the possibility. The Organization identified unauthorized access to the email account between September 7, 2017 and March 22, 2018.
P2018-ND-075

The Coca-Cola Company

On September 1, 2017, the Organization was informed by US law enforcement officials that a former US-based employee of a subsidiary of the Organization was found in possession of an external hard drive containing information that appeared to have been misappropriated from the Organization. The precise date and time of the removal of the information from the Organization’s premises is not known; however, the company believes that the former employee misappropriated the information prior to …
P2018-ND-074

Snap-on Incorporated

In early April, a third-party security provider alerted the Organization to suspicious activity involving potential unauthorized access to customer information. The Organization investigated and determined that between March 25 – 26, 2018 an unauthorized third-party accessed and acquired the full names, email addresses, and salted and hashed passwords of certain registered users within a database accessible through one of the Organization’s public online stores, buy1.snapon.com. Other personal information in the database was encrypted and there …
P2018-ND-073

Newcom Business Media Inc.

On May 28, 2018 the Organization became aware of an unauthorized access to the email account of the Chief Financial Officer (CFO). It does not appear that any files of the Company were accessed and the unauthorized access is limited to strictly email communications. The email account contained email communication from approximately April 23, 2017 to early June 2018. The cause of the unlawful access appears to have originated through a phishing scheme. The incident …
P2018-ND-072

Ivari Canada ULC

On June 9, 2018, the Organization discovered a term life insurance contract was missing. The contract had been in an advisor’s vehicle, which was stolen.
P2018-ND-071

Canadian Blood Services

On April 27, 2018, the Organization’s former records storage service provider in Calgary confirmed that two boxes containing paper records of donation could not be located in its facility. The boxes were identified as missing during a records verification process undertaken in May 2017 after the storage service provider sold certain of its holdings to another company. After identifying the missing boxes, the Organization notified both the storage service provider and the new company. The …
P2018-ND-070

Investia Financial Services Inc.

On April 19, 2018, the Organization was made aware that the email address used by an employee of two mutual fund representatives was compromised by malware and emails exchanged with 22 individuals (18 client accounts) were redirected to two unknown email addresses. The representatives discovered the incident on April 6, 2018 when an owner of the company was informed that an employee was not receiving emails on her desktop and on her Office 365 account. …
P2018-ND-069

Servus Credit Union Ltd.

Between November 27, 2017 and March 28, 2018, the Organization discovered instances whereby “fraudulent impersonators have been successfully able to take over the accounts of members. These accounts were taken over because online access was granted over the phone via poor authentication practices by several Member Contact Centre Agents contrary to posted policy”. In all instances, members suffered a financial loss.
P2018-ND-068

Best Buy Canada Limited

On February 8, 2018, the Organization was informed by one of its delivery subcontractors in Alberta that on February 5, 2018, some documents related to customer orders were missing from the office. The sub-contractor believes the documents might have been stolen by a former employee on or around January 31, 2018.
P2018-ND-067

Dr. Carley Christianson, Christianson Counselling

On October 23, 2017, an employee of the Organization sent an email with two attachments that included personal and identifying information to the wrong email address. The employee meant to email the message to herself, and when the email was not received, it was noticed that the message was sent to a mis-typed email address. The Organization said it was unclear who the unintended recipient is, and is not sure if there was a recipient …
P2018-ND-066

Interstate Plastics, Inc.

On or around July 24, 2017, the Organization identified suspicious code on its e-commerce website and determined it was a sophisticated cyber-attack. The Organization removed the code and began investigating with the assistance of third-party forensic investigators. Additional malicious code was identified on August 25, 2017. The code was capable of collecting payment information entered into the website’s customer check out page by customers. The Organization determined that this incident may impact payment cards …
P2018-ND-065

Carbon Environmental Boutique Ltd.

On May 5, 2017, the Organization learned that its website hosting server was compromised. The incident was investigated by the Organization’s website and hosting provider, Pixel Army. The investigation found evidence that credit card information was compromised (skimmed in real time). The website was compromised between October 20, 2016 and May 5, 2017.
P2018-ND-064

Tommie Copper Inc.

On or around August 11, 2017, the Organization was advised that it had been identified as a common point of purchase for potential credit card fraud. The Organization’s forensic investigator determined that malware had been inserted into the Organization’s website that collected certain payment information used at the checkout. The Organization discovered that payment card information used by customers at its website was subject to unauthorized access from April 25, 2017 through August 29, 2017.
P2018-ND-063

PLAE Inc.

On May 10, 2018, the Organization discovered a cyber-attack on its PLAE.CO website that may have affected customers who placed online orders between March 15, 2018 and May 11, 2018. The incident “was identified by orders failing for credit cards.”
P2018-ND-062

Gentle Giant Studios, Inc. d/b/a Gentle Giant Ltd.

In August 2017, in response to customer reports of fraudulent activity on their credit/debit cards, the Organization conducted an investigation of its e-commerce website. The investigation revealed that an unauthorized JavaScript link had been introduced to the “footer” of the website. The link was designed by an unauthorized third party to harvest data submitted via a web form and exfiltrate the data to the unauthorized third party. The Organization determined that between April 24, 2017 …
P2018-ND-061

Four Seasons Hotels Limited

On December 15, 2017, the Organization was notified by its third party reservation service provider, Sabre Hospitality Solutions, that an unauthorized party gained access to view certain reservation information on October 21, 2017. The service provider informed the Organization that it uses encryption on payment card data; however, the compromised credential had the right to decrypt card data. The service provider informed the Organization that the incident did not affect every reservation contained in …
P2018-ND-060

Primerica Financial Services (Canada) Ltd.

On January 15, 2018, a pop-up notification appeared on the computer screen of a representative of the Organization, stating a virus was detected on the computer. The notification instructed the representative to call “Microsoft” to remove it from the system. The representative called the number and spoke to an individual who identified himself as a “Microsoft employee”. The individual offered a service to remove and protect against malicious software. The representative gave the individual her …
P2018-ND-059

Meridian Credit Union

On November 14, 2017, the Organization learned that an unauthorized individual accessed personal information of members and employees who entered various types of personal information into certain forms on the Organization’s public website (e.g. Contact forms, Contest Entry forms, Registration forms). The Organization’s public website is separate from the Organization’s online banking platform. The information on the public website was kept on a different platform. The Organization determined that the unauthorized third party accessed the …
P2018-ND-058

The Driving Force Inc., TDF Group Inc., Driving Force Investments Inc., 4505 Nunavut limited, Klondike Motors Inc., DF Western Inc. and The Driving Force Ltd.

On February 12, 2018, the Organization discovered an unauthorized forwarding rule attached to the Outlook mailbox of its President, such that incoming email messages to said mailbox were also being forwarded to an unauthorized third-party Gmail account. Based on the data and information currently available, the unauthorized forwarding rule had been in place since at least November 15, 2017. The Organization has ruled out malware, and believes the incident may be the result of a …
P2018-ND-057

Red Deer Therapy

On or about January 13, 2017, the Organization was subject to a break and enter and robbery. The office door showed signs of a forced entry. One filing cabinet was broken into and another filing cabinet was tampered with but not accessed. The bottom drawer of the filing cabinet that was broken into was pulled out and rummaged through. The top drawer of the filing cabinet that was broken into contained active client paper files, …
P2018-ND-056

Grant Thornton Limited, acting as court-appointed Receiver for Western Precast Group Ltd.

The Organization prepared Wage Earner Protection Program Act (WEPPA) packages to be sent to former employees of Western Precast Group Ltd. Each package was to contain two documents: a letter regarding the WEPPA program and a personalized schedule which included the information at issue. The schedules were prepared at a centralized processing centre. An employee of the Organization was unaware that the schedules were personalized for each former employee and incorrectly assembled the packages without …
P2018-ND-055

Lake Kennedy McCulloch CPAs

On February 11, 2017, the Organization identified a potential data security incident and hired a forensic investigation firm. The firm discovered that the Organization’s information system was hacked on January 30, 2017. The perpetrator(s) acquired 2015 tax return information for a number of the Organization’s clients. In a small percentage of cases, the information was used to fraudulently file 2016 returns for the purpose of obtaining tax refunds.
P2018-ND-054

Municipal Media Inc.

In December 2017, the Organization uploaded a list created from its subscriber data to an industry platform called MailChimp, intending to inform subscribers about information available through digital assistants. On April 16, 2018, the email account of an employee of the Organization was hacked and the perpetrator accessed the MailChimp account, stealing approximately 55,000 email addresses. The Organization discovered the incident on April 17, 2018 after receiving a notification from MailChimp advising that the export …
P2018-ND-053

Investors Group

During the afternoon of April 8, 2018, a vehicle belonging to one of the Organization’s financial advisors was broken into. A briefcase containing a laptop computer and 5 client files was stolen. The incident was discovered on April 9, 2018. The laptop was encrypted and had strong password protection. The Organization did not report recovering the client files.
P2018-ND-052

Fareportal Inc.

On or about March 17, 2018, through security monitoring systems, the Organization discovered that between approximately January 1, 2018 and March 20, 2018, a now-former employee located in India was involved in diverting airline booking commissions from cheapoair.com, a branded website of the Organization. The ex-employee uploaded booking data (including personal data) from the Organization’s system into the accounts of certain web portals, such as a job board, which were potentially accessible by actors outside …
P2018-ND-051

Financial Literacy Counsel Inc.

Between March 26, 2018, and April 6, 2018, inbound emails sent to an employee of the Organization were forwarded to unknown email addresses. The Organization discovered the incident on April 6, 2018, when the employee noticed she was not receiving emails on her desktop or Office 365 account. The Organization investigated, and found malware on the computer’s Google Chrome browser, which was removed by an external IT company on April 10, 2018. The cause of …
P2018-ND-050

Ledcor Construction Limited

On February 28, 2018 T4 forms were provided to 44 employees/ex-employees. Inadvertently, the recipients received their own T4, as well as information about another employee/ex-employee. The error was the result of the Organization providing an incorrect file to its third party provider, who was responsible for distributing the T4 forms. The mistake was not picked up by the third-party provider. The incident was discovered on March 6, 2018 when employees who received the incorrect T4s …
P2018-ND-049

Avenue Living (2014) LP

On February 7, 2018, the Organization sent a batch of annual statements by mail to customers. The statements contained information about the customers’ life insurance product(s). On February 12, 2018, the Organization learned that some of the statements were inadvertently sent to the wrong customers as the result of an error in a mail inserting machine. The Organization learned of the incident on February 12, 2018 when a customer called to report receiving another customer’s …
P2018-ND-048

Foresters Financial, a trademark of The Independent Order of Foresters and its subsidiaries

On January 23, 2018, internal mail intended for a branch office employee was inadvertently sent to an unauthorized recipient. The Organization reported that “This mail was in a brown window envelope box and contained personal information of an individual involved in a claim with [the Organization]. This was caused by human error whereby the complete address was not indicated on mail which left [the Organization’s] office.” The mail was placed in a courier bag, picked …
P2018-ND-047

Peace Hills General Insurance Company

Unauthorized intrusion. At the time of its report of the breach, the Organization had “recently identified on certain of its systems malware designed to collect customers’ payment card information”. The Organization investigated and found that “…the malware appears to have been placed on the company’s systems on or around May 15, 2017. Customers who made a purchase on [the Organization’s] online store or by phone with the company’s customer service center between May 15, 2017 …
P2018-ND-046

Bronson Nutritionals LLC

The Organization’s in camera Finance Committee minutes were inadvertently uploaded on the Organization’s internal website where members could view them. The minutes revealed the information at issue. The minutes were posted between September and October 2017. The incident was discovered on December 22, 2017 when the Organization’s property manager was reviewing the website.
P2018-ND-045

Keegano Housing Cooperative Ltd.

On February 25, 2018, the Organization learned of a potential data security incident involving the unauthorized installation of malware on its ecommerce web platform. The incident potentially exposed information provided by customers who made online purchases between February 22, 2017 and March 5, 2018.
P2018-ND-044

Manduka, LLC

On January 25, 2018, the Organization was notified by its third party reservation service provider, Sabre/SynXis, that an unauthorized party gained access to user credentials that enabled the party to view certain reservation information between June of 2016 and November of 2017. The service provider advised that the information in these reservations that was accessed may have included certain payment card data belonging to certain individuals who provided card details when making reservations at some …
P2018-ND-043

Preferred Hotels & Resorts

On January 11, 2018, customers of the Organization reported experiencing suspected credit card fraud and believed that their purchases from OnePlus.net were potentially related to the fraudulent credit card activity. The Organization investigated, and found that an unknown attacker had injected a malicious script into the payment processing page of the Organization’s website. The malicious script intermittently captured credit card information entered by customers on the payment page during the period between November 21, 2017 …
P2018-ND-042

OnePlus Technology Co., Ltd.

On November 6, 2017, an employee of the Organization sent a fax to an incorrect number. When the Organization did not receive a response to the fax request, the fax was re-sent on November 30, 2017, to the same incorrect number. The error was discovered on January 31, 2018, when the individual who received the fax reported the error to the Organization, advising that he had called the branch after he received the fax the …
P2018-ND-041

Christian Credit Union Ltd.

Inadvertent disclosure. The Organization uses a third party service provider for payroll administration purposes. On February 27, 2015 the service provider mailed T4 slips to 157 employees of the Organization in Canada. On March 2, 2015, two employees contacted the Organization after receiving T4 slips that did not belong to them. The Organization learned that a computer system error at its service provider caused some of the T4 slips to be mailed to wrong employees. …
P2018-ND-040

Allegion Canada Inc.

The Organization uses a service provider, Pixel Army, to provide e-commerce services enabling the Organization’s members/customers to order courses, materials and services using an internet website. On May 9, 2017, the Organization learned that an unknown third party, without authorization, accessed the server-end of the Organization’s e-commerce website. The Organization reported “It appears that the incident involved an unauthorized ability to access AHSA’s website’s underlying data for a period of time…”. The Organization reported that …
P2018-ND-039

Alberta Hospitality Safety Association

On August 19, 2016, an employee with the Organization sent an email to forty-nine (49) new employees regarding an upcoming training session. On August 26, 2016, the Organization received a report that a zip file attached to the email contained the personal information of sixty-four (64) other employees of the Organization. The employee who sent the email was unaware of the contents of the attachment. The personal information in the file was not properly secured …
P2018-ND-038

Aramark Entertainment Services (Canada) Inc., a subsidiary of Aramark Canada Ltd.

On February 1, 2018, the Organization became aware of an incident involving the loss of personal information of a number of its employees and some of their dependents and pension partners. The loss occurred between January 26 and February 1, 2018. On January 26, 2018, a staff member sent a USB key via regular mail to an address in Vancouver. The USB key was not encrypted or otherwise protected. The intended recipient reported to the …
P2018-ND-036

CWC Energy Services Corp.

On or about August 29, 2017, a courier package containing the Organization’s documents was stolen from the courier’s depot. The incident was discovered after an individual phoned the Organization and advised he saw several loose documents belonging to the Organization blowing in the wind near the courier depot. The Organization immediately sent an employee to the area to retrieve the records. The employee did a thorough search of the area but only found a few administrative …
P2018-ND-035

Apple Inc.

On November 15, 2017, an employee with the Organization’s service provider attempted to misuse the personal information of an Alberta resident, who is a customer of the Organization. The service provider’s employee in question attempted to make an unauthorized purchase using the customer’s credit card information. The Organization identified the fraudulent activity and canceled the order.
P2018-ND-034

Aesop Canada Inc.

At the end of July 2017, one of the Organization’s credit card issuers notified the Organization that it had noticed patterns of fraudulent transactions on credit cards that were used to purchase items from the Organization’s website. At the end of August 2017, the Organization discovered a web-form on its site that collected customer contact data and credit card numbers was altered to also send details to a third-party address. The skimming of this information …
P2018-ND-033

LiveGlam, Inc.

The Organization recently discovered that its website was subject to an attack that began on April 25, 2017. On December 11, 2017, the Organization confirmed that an unauthorized individual may have gained access to a section of the Organization’s online store that processes customer orders.
P2018-ND-032

W.W. Grainger Inc.

On August 23, 2017, a laptop was stolen from a vehicle belonging to an employee of the Organization. The same day, the incident was reported to the police and to the Organization. The laptop was password protected and had remote wipe capability. On August 24 and 25, 2017, the Organization analyzed the files on the computer using system backups and identified the personal employee information on the laptop.
P2018-ND-031

Goldec Hamm’s Manufacturing Ltd.

During the weekend of August 19-20, 2017, a building at the back of the Organization’s property was broken into and paperwork was stolen. The RCMP contacted the Organization on August 21, 2017 and reported they had found paperwork with the Organization’s name on it. The lot was secured and fenced and a third party security company does checks at night and over the weekend. There is a separate room inside the building for archived paperwork …
P2018-ND-030

Uber B.V.

On November 14, 2016, “Uber was contacted by an individual who claimed he had accessed Uber user information.” The DPA report stated that “Uber investigated and determined that the individual and the other person working with him had obtained access to a private Uber developer page”. Using credentials located there, the unauthorized actor was able to access and download certain archived driver and rider data stored in a cloud-based server. The incident did not breach …
P2018-ND-029

D+H Limited Partnership

Unauthorized intrusion. On February 17, 2015, an individual contacted the Organization to ask why there was an inquiry from CreditDefend that appeared on the individual’s credit report. The Organization investigated and determined that a CreditDefend account had been opened in the individual’s name by an unauthorized individual, but safeguards prevented access to the requested credit report through CreditDefend. The investigation also revealed “…that 39 individuals, across Canada, may have been affected” and “Four (4) of …
P2018-ND-028

Four Seasons Hotels Limited

On June 6, 2017, the Organization was notified by its service provider, Sabre Hospitality Solutions, that an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some hotel reservations processed through the service provider’s Central Reservations System (“CRS”). The unauthorized party was able to access payment card information for some hotel reservations at affected properties. The service provider’s investigation found that the unauthorized party first …
P2018-ND-027

Canadian Tire Corporation Limited

The Organization previously reported that, in January 2017, routine monitoring of the Organization’s security system identified unusual log-in activity on the website Canadiantire.ca. The Organization’s investigation indicated that an unknown third party obtained customers’ login information (email address and password) for a number of loyalty member accounts from an external source. The cyberattack occurred on January 5 and 6, 2017. However, ongoing monitoring found that attacks of a similar nature occurred at intervals between January …
P2018-ND-026

London Drugs Ltd.

On January 12, 2018, just before store closing, a customer’s laptop computer, which was being serviced by technicians, was stolen from a non-public (employee only) tech room, while the room was temporarily vacant. The incident was discovered the same day when an employee noticed the laptop was missing. In-store video footage confirms the laptop was stolen by another customer.
P2018-ND-025

Pentair Aquatic Eco Systems, Inc.

On January 2, 2018, the Organization identified unauthorized computer code added to the checkout page of its online store at https://pentairaes.com. The Organization investigated and found that the code may have been present and capable of capturing information entered during the checkout process from December 19, 2017 to January 2, 2018. The incident was discovered on January 2, 2018 during a routine scan.
P2018-ND-024

CIBC Wood Gundy

On December 8, 2017, the Organization reissued amended T5008 tax slips for the 2016 tax year. The original addresses on the 2016 tax file mailing were used and updated addresses were not obtained. As a result, clients who moved during that period were mailed tax slips to their former addresses. Between December 19-22, 2017, the Organization was contacted by three clients advising that they received their amended tax slip addressed to their former home address. …
P2018-ND-023

Primerica Financial Services (Canada) Ltd.

On January 11, 2018, a representative of the Organization met with a client to discuss investment opportunities. The representative received a cheque and an investment application from the client. The documents were in the representative’s bag. That evening, someone broke into the representative’s garage and vehicle. Among the items stolen was the bag where all the documents were kept. The incident was discovered on January 12, 2018 when the representative noticed the garage door was …
P2018-ND-022

Vari Tech Systems Inc.

The Organization provides services and web-based software for childcare centres, organizations and agencies across Canada. On May 4, 2017, the Organization received a telephone call from a childcare centre in Manitoba indicating that a third party, while searching on the internet for a telephone number, was able to gain access to a report (a PDF file) containing the personal information of a child from that centre. The Organization investigated and found the breach was caused …
P2018-ND-021

FastHealth Corporation

On December 21, 2016, the Organization identified suspicious code on a server, began an investigation and hired a computer security firm to assist. On January 24, 2017, it was determined that an unauthorized third party altered code on the Organization’s web server designed to capture payment card information as it was being entered on the online bill-pay platform from January 14, 2016 to December 20, 2016.
P2018-ND-020

Holloway Lodging Corporation

Early on December 11, 2017, a storage area at the Organization’s Super 8 hotel in Fort St. John, BC was broken into. Boxes containing records for guests who stayed at the hotel during the months of January, May – August, November and December 2015 were stolen. The Organization learned of the incident the same day. An individual has been apprehended by the police in connection with the theft. Some of the records have been recovered …
P2018-ND-019

Imperial Oil Limited

On April 10, 2017, the Organization learned that its loyalty program website, which is hosted by a vendor, was attacked by an unknown third party using IDs and passwords. The attack attempted to log in and access customer loyalty accounts. The attack was discovered by the Organization’s vendor as part of normal alerting on website traffic. The Organization investigated and believes that usernames and passwords may have been available to the unauthorized third party through illicit …
P2018-ND-018

College and Association of Registered Nurses of Alberta

A package of documents containing the personal information at issue was couriered to the Organization on July 3, 2015. The Organization was expecting the package but was only able to confirm with the sender on July 28, 2015 that it had been sent. At the same time, the sender provided the courier tracking number. The Organization is unable to locate the package of records. Courier service records indicate that the package was delivered to the …
P2018-ND-017

Co-operative Superannuation Society

Sometime between October 5 and 6, 2016, a rental vehicle was broken into and two cardboard boxes containing paper forms with various levels of personal information were stolen as well as microphone equipment. The incident was discovered on October 6, 2016 when the rear hatch of the vehicle was opened and it was noticed that items were missing. The boxes were recovered later that same morning. The Organization reported that “Upon examining the boxes, the …
P2018-ND-016

H & R Block Canada, Inc.

In February 2017, an employee of the Organization gave a tax summary to a client and inadvertently included another client’s tax summary. The Organization discovered the error on April 24, 2017 when the unintended recipient visited the Organization’s office and returned the documents.
P2018-ND-015

Rosewood Hotel Group

In late December 2017, the Organization was notified by its third party service provider, Sabre Hospitality Solutions, that between May 29, 2016 and January 11, 2017, an unauthorized party had gained access to the Organization’s guest reservation information that was maintained on Sabre’s systems. The Organization was informed that the unauthorized party gained access by obtaining account credentials from Sabre without authorization.
P2018-ND-014

Stewart & Stevenson Canada Inc.

In 2009, thirty-eight (38) employees were terminated from the Organization and their employee files placed in an envelope, boxed-up and moved to long term storage in the basement of the Organization’s facility. In the fall of 2015, as part of a routine purge of documents that had exceeded their retention period, confidential documents were sent offsite for third party shredding and non-confidential documents were sent for third party recycling. On February 13, 2017, the Organization …
P2018-ND-013

BC Investment Management Corp.

On November 9, 2017, between 7:30 pm and 9:45 pm, an employee of the Organization discovered that his personal vehicle had been broken into while it was parked in downtown Vancouver, British Columbia. A work-issued portable electronic device was stolen. The device was password protected but not encrypted. The incident was discovered on November 9, 2017. To date the device has not been recovered. The Organization reported “no evidence exists to suggest that the information …
P2018-ND-012

Joyent, Inc.

The Organization provides cloud-hosting services for businesses and individual users. The Organization recently learned that on December 4, 2014, an unauthorized party obtained certain data maintained on the Organization’s user management database. The relevant system is a backend database used by the Organization to manage information pertaining to user accounts.
P2018-ND-011

Field LLP

On April 18, 2017, the Organization learned that two binders of materials relating to a lawsuit fell out of the trunk of an employee’s vehicle while in transport. The Organization believes the materials fell out of the trunk on or about April 16, 2017. The Organization was not aware this had occurred until contacted by the opposing legal counsel who reported that hard copy records of his client (the affected individual) had been located …
P2018-ND-010

Combat Brands LLC

On April 14, 2017, the Organization reported an incident involving unauthorized access to information systems to the Office of the Information and Privacy Commissioner. Breach notification decision P2017-ND-65 was issued on May 25, 2017. At the time, the Organization believed all malware operating on its websites had been identified and removed. On October 16, 2017, while running routine scans, the Organization again identified unusual code running on its websites. The Organization retained a new third-party …
P2018-ND-009

YWCA Calgary

On September 14, 2017, papers containing the personal information at issue were inadvertently put in one of the Organization’s general recycling bins, rather than the secured recycling bin. This is contrary to the Organization’s standard secure disposal procedure. Late in the evening of the same day, housekeeping staff disposed of the papers from the general recycling bin in an exterior, unsecured recycling dumpster. Early in the morning of September 15, 2017, an employee arriving at …
P2018-ND-008

Servus Credit Union Ltd.

A personal financial statement containing the information at issue for one of the Organization’s members and his current partner was obtained by the member’s estranged spouse. The estranged spouse is also a member of the Organization. The Organization investigated and confirmed that a breach did occur. However, the Organization is unable to determine how or when the information was breached. The incident was discovered on December 22, 2015 by the member and his partner when …
P2018-ND-007

The Ortona Gymnastics Club

On May 4, 2017, the Organization’s website hosting service provider, Pixel Army, discovered malicious code on its server. The service provider engaged a third party to investigate. The Organization reported “Our website hosting server was compromised at the root level which resulted in the possibility of personal information being compromised.”
P2018-ND-006

Klohn Crippen Berger Ltd. and Pure Canadian Gaming Corp. as reported by Think Relocation Consulting (service provider to the organizations)

Home break-in and theft of laptop. On December 22, 2015, the home of the Organizations’ service provider (Think Relocation) was broken into and a laptop was stolen. The information at issue was stored on the laptop, which was password protected but not encrypted. The service provider reported there is no evidence indicating that the security of the laptop password has been compromised. The laptop has not been connected to the internet since the incident to …
P2018-ND-005

Independent Counselling Enterprises Inc.

The Organization reported that an employee accessed confidential wage information of 4 management employees. The employee allegedly obtained unauthorized access to the information using a password provided to him by another employee. The Organization’s IT contractor reviewed the computers of the two employees allegedly involved. A search of the first employee’s computer confirmed he had attempted to access several computer files including financial files. No evidence was found that the financial files were opened or …
P2018-ND-004

Keegan Holdings Ltd. D/B/A Bath Fitter

On March 24, 2017, the Organization contacted a client to request he submit a Financial Deferred Payment Application, and the client informed the Organization he had personally delivered the application, as well as a void cheque, to the Organization’s office on March 6, 2017. The Organization confirmed it received the documents on March 6, 2017, but, after searching, was unable to find them. The Organization surmised that the application and cheque were placed in the …
P2018-ND-003

Royal Glenora Club

On March 23, 2017, a deposit report containing the personal information at issue for 15 of the Organization’s employees was inadvertently attached to earnings statements that were emailed to all other employees. The Organization investigated and found the error was caused by a programming problem. The incident was discovered the same day.
P2018-ND-002

Juvenile Diabetes Research Foundation

On August 1, 2017, and again on August 17, 2017, an intruder accessed the Organization’s human resources database using misappropriated administrator credentials. The accesses lasted for 1 and 35 minutes each, respectively. The database contains approximately 300 records of current and former employees. A human resources employee discovered the unauthorized accesses on August 21, 2017. The Organization’s access logs indicate the intruder made several changes to the database information, including to vacation requests, user …
P2018-ND-001

Pasquini & Associates Consulting Ltd.

On or about April 14, 2017, the Organization’s office was broken into and a laptop and tablet were stolen. The laptop may have contained the personal information of some of the Organization’s employees. On or about April 16, 2017, the Organization’s office was again broken into and 6 more laptops/tablets were stolen. These devices may have contained personal information of the individual assigned the laptop/tablet by the Organization. The laptops and tablets were password protected but …
P2017-ND-167

Emerald Management & Realty Ltd.

The Organization reported that on or about November 2, 2016, Calgary Police Services (CPS) informed the Organization that it was conducting a criminal investigation concerning the fraudulent use of personal information to apply for credit cards and there was a possible connection to approximately 40 individuals through a relationship with the Organization. The Organization confirmed to the CPS that approximately 30 of the persons identified by the CPS were tenants of the Organization. On November …
P2017-ND-166

Sun Life Assurance Company of Canada

On October 30, 2017, an individual located in Africa gained unauthorized access to the email account of the Organization’s Co-CEO. Forensic analysis of the email account showed that the individual accessed the email account three separate times on the morning of October 30, 2017. The purpose of the unauthorized access was to plant an email chain which included fake correspondence and a request for a wire transfer of funds to a bank in Hong Kong. …
P2017-ND-165

CBI Home Health (AB) Limited Partnership

On January 5, 2017, routine monitoring of the Organization’s security system identified unusual log-in activity on the website Canadiantire.ca. The data breach was discovered on January 7, 2017 as logs were reviewed to determine whether the attack had resulted in any inappropriate access. The Organization’s investigation indicated that an unknown third party obtained customers’ login information (email address and password) for a number of loyalty member accounts from an external source which is believed to …
P2017-ND-164

Farrel Greenspan Psychology

The Organization received a report from the U.S. Secret Service that an unauthorized third-party may have obtained payment card data from the Organization’s e-commerce website, www.jampaper.com. The Organization retained a cybersecurity firm to investigate. On November 17, 2017, with the assistance of the cybersecurity firm, the Organization determined that if a customer placed an order on its website from June 15, 2016 to November 6, 2017, information associated with the order being placed may have …
P2017-ND-163

Academy of Nutrition and Dietetics

On November 3, 2017, the Organization was alerted to a potential security incident affecting its website and online store at www.AmazingGrass.com. The Organization engaged an independent forensic firm to assist in its investigation of this matter. Based on the investigation, the Organization believes that malicious software designed to capture payment card data was installed by an unauthorized individual on portions of the website. Information entered by certain customers when making purchases on the website between …
P2017-ND-162

Noble House Hotels and Resorts

The Organization previously notified customers that an unknown third party compromised the Organization’s e-commerce website and may have been able to access customer payment card information during the period from October 26, 2016 to May 30, 2017 and August 28, 2017 through September 5, 2017. The previous notifications were based on findings from security firms and a report from a Payment Card Forensic Investigator (“PFI”) engaged by the Organization. In mid-October 2017, the investigation found …
P2017-ND-161

Kids Uncomplicated Ltd.

The Organization reported that a form on its previous website was hacked, allowing for a list of potential customer/client names, email addresses, and telephone numbers to be leaked and posted on another website (Pastebin). The Organization believes the incident occurred in December 2016. The incident was discovered on February 22, 2017, when the Organization received an email from a customer stating that the customer’s personal information had been posted to Pastebin. The Organization discovered that …
P2017-ND-160

Progressive Academy Education Society

On September 7, 2017, the Organization discovered signs indicating attempts were made to gain access to one of their web servers. The incident was discovered after the Organization’s database administration team discovered a high number of failed SQL login attempts. The Organization’s IT Security team investigated these reports and identified signs of unauthorized access to a database server. Findings from the investigation determined that an unauthorized individual may have gained access to the server and …
P2017-ND-159

National Money Mart Company

On August 9, 2017, the Organization was notified that its online store, which is hosted and maintained by a vendor, may have been compromised. The Organization immediately hired an independent computer forensics firm to assist with investigating the incident. On September 8, 2017, the forensic investigator determined that transaction information for purchases made from January 2, 2017 until August 9, 2017 may have been obtained by unauthorized individuals.
P2017-ND-158

Mountain View Credit Union Limited

On June 6, 2017, the Organization was notified by its service provider that an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some hotel reservations processed through the service provider’s Central Reservations System (“CRS”). The unauthorized party was able to access payment card information for some hotel reservations at affected properties. The service provider’s investigation found that the unauthorized party first obtained access to …
P2017-ND-157

Servus Credit Union

In January 2017, several franchisees were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at franchise locations. The franchisees reported this information to Intercontinental Hotels Group Company (IHG). IHG coordinated an examination of the payment card processing systems of franchise hotel locations in the Americas. The investigation found signs of the operation of malware designed to access payment card data from cards used …
P2017-ND-156

Dorward & Company LLP Chartered Accountants

Until July 2016, the Organization used a third-party vendor’s external system for secure storage services. In late July 2016, the Organization noticed suspicious activity in the system and commenced an investigation. The investigation found that a “malicious computer intrusion had been mounted against the vendor’s system, involving exposure of data that had been placed in files in the storage solution…” and “A small percentage of these files contained personal data.” The Organization reported it believes the …
P2017-ND-155

The Legal Aid Society of Alberta

On September 6, 2017, the Organization was notified by its third party service provider, Sabre Hospitality Solutions, that an unauthorized party gained access to account credentials that permitted unauthorized access to unencrypted payment card information, as well as certain reservation information, for a subset of hotel reservations processed through Sabre’s CRS. The information was accessed between August 10, 2016 and March 9, 2017.
P2017-ND-154

Bulletproof 360, Inc.

On October 13, 2017, an employee of the Organization mistakenly emailed an account opening application to the wrong client. The Organization discovered the incident on October 14, 2017 when the unintended recipient reported the error.
P2017-ND-153

Hilton Worldwide Inc.

The information at issue makes up a spreadsheet listing of vehicles that have been tracked as being exported to China, along with the vehicle’s VIN number, and information about the individuals who initially purchased the vehicles in Canada. The Organization reported “The list outlined … vehicles which had been tracked as being exported to China illegally”. On or around March 27-31, 2017, a sales person with the Organization provided the list to a customer whose …
P2017-ND-152

Hilton Worldwide Inc.

On March 17, 2017, an employee with the Organization emailed an Excel spreadsheet containing employee payroll information from his/her corporate email account to his/her own personal email account. The employee had earlier been informed that, due to a workplace reorganization, he/she would be subject to a lay off, with employment ending in April 2017. The Organization discovered the incident on April 10, 2017 when a manager reviewed the now former employee’s email account for any …
P2017-ND-151

Project Management Institute

On April 11, 2017, an employee with the Organization sent an email to a client and inadvertently included disability claim documentation related to another client. The unintended recipient called the Organization the same day to report the error. The Organization requested that the unintended recipient delete the email and documentation. The Organization received verbal confirmation that the email and documentation was deleted. The affected individual and the unintended recipient work for the same employer.
P2017-ND-150

Society for Industrial and Applied Mathematics

On July 7 or 8, 2017, a vehicle belonging to an advisor with the Organization was stolen. Two life insurance contracts were in the stolen vehicle at the time of the theft. The Organization discovered the incident on July 8, 2017.
P2017-ND-149

Water Environment Federation

On April 10, 2017, the Organization learned that a cyber intruder accessed an employee’s email account. The email account contained documents with portions of personal information. The Organization is unable to confirm that the information was in fact stolen. The incident occurred between April 8, 2017 and April 10, 2017.
P2017-ND-148

Rifco National Finance Corporation

On August 25, 2017, the Organization was notified by its service provider, Aptos, that an unauthorized third party accessed payment card information of 26 residents of Alberta stored on Aptos’ systems. The service provider reported that the security incident lasted from July 21, 2017 to August 9, 2017.
P2017-ND-147

FPInnovations

Around April 10, 2017, the Organization set up temporary remote access capability to allow an employee to remotely access his/her computer while the normal VPN equipment was repaired. On April 18, 2017, the employee noticed a strange User ID accessing the computer. The Organization investigated, closed the breach, and then determined that only the data physically stored on the affected computer was accessible during the course of the breach. The Organization reported that most of …
P2017-ND-146

Specialty Equipment Market Association

On March 10, 2017, the Organization was notified by its Group Retirement Services department of a human error which resulted in tax receipts and/or termination disclosure packages being mailed to the incorrect recipients. The incident occurred on February 17, 2017, and was the result of an error made while manually copying data from an Excel file provided by a client into the Organization’s internal processing systems. The Organization was made aware of the error when …
P2017-ND-145

Trailer Wizards Ltd.

Between August 14, 2017 and August 19, 2017, the Organization mailed a number of client statements to the wrong clients. The incident was reported to the Organization on August 18, 2017 by a client who received his own statement, along with that of another client. The Organization investigated and found the error resulted from a data mis-match during the third-party vendor statement production process.
P2017-ND-144

ABOE Lockworks Ltd.

The Organization initiated an investigation when it was notified by the Secret Service about possible fraudulent activity on the payment card system at one of the Organization’s properties. The Organization discovered that malware may have been installed on payment processing systems that potentially affected payment cards of individuals that were swiped at some of its hotels, restaurants and bars between April 25, 2016 and August 5, 2016.
P2017-ND-143

Silver Bridge Funding, Inc., operating as Universal Business Team

On April 28, 2017, a client was mistakenly given a printed tax return of another client. The unintended recipient checked the documents and discovered that it was not their tax return and reported it to the Organization as soon as the breach was known. The unintended recipient mailed the documents to the intended recipient.
P2017-ND-142

KURU Footwear

The Organization manages a number of hotel properties. On June 6, 2017, the Organization was notified by its service provider that an unauthorized party obtained access to account credentials that permitted unauthorized access to unencrypted payment card information as well as certain reservation information for a subset of hotel reservations processed through the service provider’s central reservation system (“CRS”). The incident was discovered by the service provider on or about March 10, 2017. Access to …
P2017-ND-141

Char-Broil, LLC

On July 7, 2017, the Organization identified suspicious activity on one of its corporate servers. The Organization investigated and determined that there was unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain of the Organization’s managed and franchised locations between March 18, 2017 and July 2, 2017.
P2017-ND-140

Fluent Home Ltd.

On September 13, 2017, an email containing the personal information at issue was sent to an incorrect party having the same name as the subject of the information. The unintended recipient and the affected individual are employees within the same company. The incident was discovered the same day when the unintended recipient of the information reported receiving the email in error.
P2017-ND-139

WP Technology Inc.

Between August 22-23, 2017, the Organization detected what it believes to have been a brute force/dictionary intrusion by an unauthorized third party against the Organization’s application program interface of Avis Preferred (a rental mobile application that allows customers to create user accounts that, among other features, allow customers to book rentals). As a result of this event, the Organization believes that an unauthorized third party may have been able to access the information at …
P2017-ND-138

Southern Michigan Bank & Trust

On about March 2, 2017, the Organization was coordinating the distribution of employees’ T4 tax slips by mail. Due to an administrative error, an employee with the Organization inadvertently mailed employees the Organization’s copy of the T4 slips, which included T4 information about multiple (two) employees on each page. The Organization became aware of the error on or around March 10, 2017 when several staff started coming forward to report receiving two separate slips in …
P2017-ND-137

RM Acquisition, LLC d/b/a Rand McNally

On March 4, 2017, a donor with the Organization submitted a request to the Organization’s National Contact Center for a change to her ethnicity and gender. When forwarding the request by email to an internal department for response, an employee with the Organization mistakenly included an additional external email address in the addressee field. The unintended recipient notified the Organization of the error on March 9, 2017. The Organization contacted the unintended recipient and asked …
P2017-ND-136

IHS Markit

Sometime between September 2016 and early March 2017, hackers obtained unauthorized access through the Coachella.com website to certain databases connected to it (including data collected at the Coachella festival, Stagecoach festival and the Coachella.com website forum). On February 21, 2017, the Organization discovered the incident when the attackers sent an email demanding ransom for the information.
P2017-ND-135

Distinct Infrastructure Group Inc., payroll services provider to Pillar Contracting Ltd.

The Organization reported that on or around February 2 – 6, 2017, a caller telephoned an employee’s work telephone number and was advised that the employee was “out on a stress leave”. The Organization was made aware of the incident on February 7, 2017 when the affected employee reported receiving a call from a colleague in the community relaying the incident.
P2017-ND-134

Alore in Sunset Ridge Condominium Corporation 081451990

On March 3, 2017, a client filled out a drop off form and provided documents to a local branch office of the Organization. There were multiple tax folders on the reception desk and the employee at the local branch office does not remember what happened to the client’s documents. The client came back to the local branch office with more documents that same day and was informed that the original documents could not be located. …
P2017-ND-133

Combat Brand LLC

On January 25, 2017, an employee with the Organization received an email that was purportedly a request from the Organization’s President and CEO for 2016 U.S. IRS Forms W-2 (W-2). Believing the email was legitimate, the employee replied to the message and attached the W-2s. On March 6, 2017, the Organization discovered that the W-2s were sent outside the organization as part of a spear phishing email scam.
P2017-ND-132

Servus Wealth Strategies Ltd.

In April 2016, a client inquired about her 2014 tax file at a local branch office of the Organization. The local branch office informed the client that her file could not be located. The Organization reviewed the office’s storage boxes, but the file was still not located. The Organization is not sure whether the client’s file was lost, inadvertently shredded, destroyed as part of an office clean-up, or misfiled. The Organization has concluded that the …
P2017-ND-131

I Love Kickboxing LLC

In mid-March 2017, the Organization detected unusual activity on its web server environment that hosts the Canada Careers web application.
P2017-ND-130

Saint-Gobain Corporation

On September 17, 2016, a reservation clerk with the Organization unknowingly opened a phishing email which caused malware to be downloaded onto the Organization’s front desk system. On November 20, 2016, the Organization’s Head Office advised that there may have been possible fraudulent activity linked to one or more of the Organization’s hotels, and requested investigations. The Organization engaged a computer forensics expert but no breach was discovered. On May 4 and 19, 2017, two …
P2017-ND-129

Aecon Group Inc.

On August 18, 2017, a staff member left an emergency backpack containing a portable first aid kit and the information at issue at a school playground. The incident was discovered on August 21, 2017 when the same staff member looked for the backpack and could not find it.
P2017-ND-128

Match-Up Solutions LLC

On or about July 21, 2017, a now-former employee of the Organization emailed customers’ personal information from the Organization to his personal email address. Some of the information was used to generate 15 single use cards (all of which were cancelled by the Organization). The incident was discovered on July 25, 2017, when the ex-employee was found to have visited the call center after hours and used the computers, all without permission. As a result, …
P2017-ND-127

Dungarees LLC, a Missouri limited liability company

On July 8, 2017, the Organization’s Clinic Manager took home four patient charts in order to complete them in the evening. The paper charts were stored in a backpack, which was left in the Manager’s vehicle which was locked and parked in the driveway. On August 1, 2017, the Manager discovered the backpack was missing from the vehicle.
P2017-ND-126

Lulu’s Fashion Lounge, Inc.

On December 30, 2016, the Organization received an invoice in the mail. The invoice included supporting documentation submitted by an ambulance provider in Jamaica, and a signed consent by an individual authorizing the Organization to determine whether the individual was eligible to receive benefits for the services provided. The Organization found an active plan for the individual in the Organization’s system. As the plan did not cover the claim, on or around January 9, 2017, …
P2017-ND-125

General Motors Financial Company Inc.

On October 31, 2016, the Organization began investigating unusual activity reported by its credit card processor. On November 28, 2016, the Organization confirmed that malware may have stolen credit or debit card data from some credit and debit cards used at the Organization’s websites, www.swimoutlet.com and www.yogaoutlet.com, between May 2, 2016 and November 22, 2016.
P2017-ND-124

Ransomed Heart Ministries

On June 23, 2017, the Organization became aware of a potential vulnerability in the security of its website. An investigation determined that malware infected the Organization’s website as early as April 2015. It appears to have resided in the website until the system was taken offline on June 23, 2017 and may have allowed outside parties to acquire payment-related information from customers who made credit purchases through the website.
P2017-ND-123

Real Estate Council of Alberta

The Organization operates hotels in New York City. On June 6, 2017, the Organization was notified by its service provider that an unauthorized party gained access to account credentials that permitted access to unencrypted payment card data and certain reservation information for some hotel reservations processed through the service provider’s Central Reservations System (“CRS”). The unauthorized party was able to access payment card information for some hotel reservations at affected properties. The Organization reported an …
P2017-ND-122

AeroGrow International Inc.

At approximately 5:00 pm on August 2, 2017, the Organization discarded 171 client files in a locked dumpster. The file folders had a client name on the tab only. On the inside was a weigh-in sheet that recorded month/day and weight, as well as a sheet listing recipes provided in a meal plan. Both sheets had the Organization’s logo on them, although the logo did not appear on the file folder itself. At approximately 10:30 …
P2017-ND-121

World Financial Group Insurance Agency of Canada Inc.

The Organization reported “The incident resulted in a breach of our electronic files and a number of files being accessed on September 6 [2016] by an unauthorized party outside our organization.” The incident was discovered on September 7, 2016.
P2017-ND-120

The Statesmen Group of Companies Ltd.

The Organization (a psychologist) reported that for many years, he sent documents related to his practice to his wife to be printed. His wife was employed with a group of construction companies. The psychologist, his wife, and the CEO of the construction company believed “that the email was secure and that no one else besides my wife… had access to the information…”. Following the CEO’s departure, the wife “was downsized from her employment without cause.” …
P2017-ND-119

ISN Software Canada Ltd.

On February 19, 2015, while troubleshooting a software issue, an employee of the Organization inadvertently uploaded an Excel file containing the information at issue to the unsecured public area of a website. The incident was discovered on May 20, 2015, when security staff at two member credit unions informed the Organization that they had discovered an unprotected Excel file accessible on the internet that contained email addresses. Employees whose email addresses were listed in the …
P2017-ND-118

World Learning Center

On May 17, 2016, a teller with the Organization gathered cheques received for the day (for deposit or cash), printed a listing of items to be balanced, bundled them and believes they were taken to the scanner. On May 18, 2016, the Organization discovered that the bundle of cheques was missing and had not been scanned into the cheque scanner. The Organization searched various locations but the cheques have not been located.
P2017-ND-117

Intex Recreation Corp.

On February 17, 2016, the Organization discovered a virus on its system relating to its website. The Organization investigated and found that an unauthorized individual may have obtained access to the contact information at issue. The Organization reported that it “…does not have any direct confirmation that the information was in fact accessed.” The Organization found that no other information was accessed. The investigation indicated that the incident was isolated to a single occurrence.
P2017-ND-116

prAna

On June 7, 2017, an employee of the Organization emailed a letter containing the personal information at issue to the wrong person. The unintended recipient of the email contacted the Organization that same day to report the error. The unintended recipient agreed to delete the file, empty the recycle bin, and not discuss the contents of the letter. The letter was not encrypted or password protected.
P2017-ND-115

CIBC Wood Gundy Financial Services Inc.

On July 8, 2016, the Organization inadvertently couriered a package containing the personal information at issue to an incorrect address. The package was signed for by an individual at the incorrect address, who had the same first name as the intended recipient. On Monday, July 11, 2016, the intended recipient advised the Organization that the package had not been delivered. The Organization compared the courier delivery slip to the individual’s address information and determined that …
P2017-ND-114

United on Whyte Pastoral Charge

On February 22, 2017, the Organization discovered that key-logger software had been installed on an employee’s computer, when the employee signed into the Organization’s bank account and noticed unauthorized transactions on the account. The Organization investigated the incident and found that personal information manually entered on the compromised computer between December 22, 2016 and February 22, 2017 was potentially captured by the malware. The Organization said that it has no evidence that any personal information …
P2017-ND-112

Safe for Home Products LLC d/b/a Naturepedic

On May 4, 2016, the Organization was advised by its third-party website developer that suspicious files had been identified and removed from the e-commerce websites of the record labels for which the Organization is the distributor. The affected e-commerce websites are as follows: www.4ad.com, www.matadorrecords.com, www.roughtraderecords.com, www.truepanther.com, www.xlrecordings.com, www.theyoungturks.co.uk, or www.archive.beggars.com. Online orders placed between April 28, 2015 and May 4, 2016, may have been obtained by an unauthorized third-party.
P2017-ND-111

H & R Block Canada, Inc.

On Monday, July 10, 2017, a laptop belonging to an advisor with the Organization was stolen from the advisor’s vehicle parked at her residence. The encrypted laptop was turned off and was password protected; however, the Windows and encryption software passwords were in a notebook in the same bag as the laptop. The information at issue was stored on the laptop. The laptop was recovered the next morning on July 11, 2017 when a stranger …
P2017-ND-110

College of Physicians and Surgeons of Alberta

During the afternoon of March 24, 2017, a phishing email was sent from an executive email account to an executive assistant requesting payment of a fraudulent invoice of $42,950.00 to the perpetrator. The attacker actively managed the attack through engaging the assistant in discussion regarding the payment. The executive account was compromised to perpetrate the attack. All systems and data accessible by the executive were potentially accessible to the attacker. To date no evidence has …
P2017-ND-109

car2go Canada Ltd.

A husband and wife (the clients) set up an account with the Organization in 2015. When the account was opened, the address on the application was correct but was entered into the Organization’s system incorrectly as a result of human error. On May 11, 2017 an individual brought two documents into one of the Organization’s branches and asked staff to stop mailing documents to his address. The individual stated he threw out previous mail he …
P2017-ND-108

MicroDAQ.com Ltd.

The Organization uses a central reservations system (CRS) provided by a third party service provider. The Organization received information from the service provider that an unauthorized party obtained access to account credentials that permitted access to a subset of hotel reservations processed through the hospitality CRS. The unauthorized party used the account credentials to view a credit card summary page on the hospitality CRS and to access payment card information. The unauthorized access first occurred …
P2017-ND-107

Shutterstock Music Canada ULC dba Premium Beat

The Organization was notified that an unauthorized party obtained access to information associated with payment cards used to book hotel reservations through a central hotel reservation system (CRS) subcontracted by the Organization’s travel partner, American Express. The Organization understands from the subcontracted service provider that the attacker obtained access to account credentials that permitted access to a subset of hotel reservations processed through the CRS. The unauthorized access took place between August 10, 2016 and …
P2017-ND-106

EVO Payments International Corp. – Canada

On May 15, 2017, the Organization received an email from Dropbox referencing an access to a Dropbox account from Singapore, but noting that the location may be inaccurate because it was estimated using the IP Address recorded by Dropbox. The Dropbox account contained certain personal information of former and present clients of the Organization, as well as clients and research participants of other organizations or clinics. The Organization was unable to obtain additional details of …
P2017-ND-105

geoLogic Systems

On June 6, 2017, the Organization was notified by its service provider that an unauthorized party gained access to account credentials that permitted access to payment card data and certain reservation information for some hotel reservations processed through the service provider’s Central Reservations System (“CRS”). The unauthorized party was able to access payment card information for some hotel reservations at affected properties. The service provider’s investigation found that the unauthorized party first obtained access to …
P2017-ND-104

Gianni Pezzente Professional Corporation

On June 25, 2017, a storage device was stolen which may have contained personal information as of 2014 for current and former employees of the Organization. The Organization did not report recovering the storage device.
P2017-ND-103

Acer Service Corporation

On June 13 or 14, 2017, the vehicle of an employee with the Organization was broken into and the employee’s briefcase was stolen. The briefcase contained income tax documents of a client adverse in interest in litigation. The theft was discovered on June 14, 2017.
P2017-ND-102

Loblaw Companies Limited

On June 9, 2017, an employee with the Organization had his personal vehicle broken into. The employee’s work computer was stolen from the vehicle along with other items. The information at issue was stored on the laptop. The theft was discovered the same day. The laptop was password protected but not encrypted. It has not been recovered.
P2017-ND-101

Walmart Canada Corp.

The Organization experienced malicious point-of-sale terminal intrusions at select centers between March 2, 2017 and June 15, 2017. A relatively small number of transactions within this time period were affected; however, the Organization believes this may have put students’ personal information at risk.
P2017-ND-100

The Topps Company, Inc.

On November 20, 2015, several of the Organization’s employees received a phishing email. Four staff email accounts were compromised as a result of these employees opening and executing the embedded link in the phishing email. Additional phishing emails were generated and sent from the compromised staff accounts, and in at least one case, filters were set up to direct all incoming emails to trash. It does not appear that compromised email accounts were used to …
P2017-ND-099

Marin Software Incorporated

In June 2015, Calgary Police Service (CPS) contacted the Organization regarding information found as part of an interprovincial identity theft investigation that led to the arrest of an individual. The CPS informed the Organization that cellphone photographs of paper documents that appear to be from the Organization’s offices (rental applications) were found on the arrested individual’s computer. The individual is not known to the Organization. The CPS believes that the personal information was compromised sometime …
P2017-ND-098

United Farmers of Alberta Co-operative Limited

On May 2, 2017, an employee of the Organization mailed a death benefit cheque to the deceased’s address, instead of the beneficiary’s address. The deceased is the beneficiary’s former spouse. The incident was discovered on May 12, 2017 and the Organization contacted the beneficiary to advise of the error. The beneficiary expressed concern that the mailing would likely be opened by a member of the deceased’s family. As a result, the family would learn the …
P2017-ND-097

B. Lane, Inc. d/b/a Fashion to Figure

The Organization reported that, between mid-November and December 17, 2014, an employee responsible for recruitment, with authorized access to the Organization’s scheduling software database, accessed and ran a number of human resource reports without a legitimate business purpose. These reports contained personal employee information of the Organization’s employees. Shortly thereafter, the Organization received complaints from approximately five to ten employees who claimed that individuals identifying themselves as union representatives had arrived at their homes and …
P2017-ND-096

Sun Life Assurance Company of Canada

Sometime between April 5, 2016 and April 6, 2016, a laptop was stolen from a locked office. The laptop was password protected but not encrypted. Files containing client information stored on the laptop were password protected but not encrypted.
P2017-ND-095

Matson Navigation Company and Horizon Lines

The Organization’s software crashed, so when individuals called in to become members or reinstate their membership, employees of the Organization wrote down membership information to process later. A temporary worker was hired to collect the membership information and enter the members’ information into the computer. The Organization suspects that the temporary worker kept some of the members’ information after entering it into the computer once the software was fixed. On June 1, 2015, the Organization …
P2017-ND-094

Direct Energy Marketing Limited and Direct Energy Regulated Services

The Organization began investigating when some of its guests noticed unauthorized charges appeared on their payment cards used at the Organization’s properties. On September 25, 2015, the Organization learned that malware may have been installed on payment processing systems that potentially affected payment cards swiped at certain properties between December 29, 2014 and August 11, 2015.
P2017-ND-093

Brandeis University

On June 28, 2015, sometime between 4:00 a.m. and 9:00 a.m., a vehicle belonging to an employee of the Organization was broken into. A client binder with one family’s personal information was stolen from the trunk. A company assigned iPad was also taken. The iPad was password protected, but not encrypted. The incident was discovered the same day, at 9:00 a.m. The iPad was wiped remotely by 9:30 a.m. The binder was found on July …
P2017-ND-092

Manulife Financial

On December 15, 2015, the Organization’s premises were broken into. The incident was discovered the next day, December 16, 2017. A binder with emergency contact information and two computers were stolen, along with assorted other items. The computers did not have any personal information stored on them. The binder has not been recovered.
P2017-ND-091

Dentons Canada LLP

On July 14, 2014, an individual entered one of the Organization’s stores in British Columbia purporting to be a customer of the Organization. The individual requested a copy of her customer transaction history and registration form, and provided a social insurance card and native status picture ID card as identification. A clerk reviewed the identification, matched the information with the Organization’s records, and proceeded with the transaction. The information at issue was provided to the …
P2017-ND-090

Scott Builders Inc.

On July 14, 2016, two emails that were intended to be sent to a member were inadvertently sent to an incorrect email address. On October 6, 2016, the member contacted the Organization to discuss another matter and during the conversation it was discovered that the member did not receive the emails sent on July 14. The emails were not recovered.
P2017-ND-089

Scripps Networks, LLC

An employee of the Organization gave a bank account number and ATM card to the wrong member. The incident was discovered on December 2, 2016, when an employee noticed that the age of the member on the account did not match the age of the member completing a transaction. As a result of the incident, a number of unauthorized transactions were made on the affected account between November 9, 2016 and December 2, 2016. The …
P2017-ND-088

Equitable Life of Canada

On June 16, 2017, an email was sent to an incorrect email address. There were 5 attachments to the emails, which contained signature pages for electronic filings for a client and his wife. The incident was discovered on June 19, 2017 when the client contacted the Organization to question why he had not received the email. The email was not encrypted, nor password protected. The Organization emailed the incorrect address to advise of the error …
P2017-ND-087

Muji USA, Ltd.

On April 11, 2017 an employee of the Organization received a completed Pre-Authorized Contribution form from a client. The form provides consent to withdraw an agreed payment amount from a client’s account, and included the personal information at issue. That same day, an employee of the Organization inadvertently included the form in an email sent to another client. The unintended recipient contacted the Organization on April 13, 2017 to report the incident. The Organization contacted …
P2017-ND-086

Peter Michael Winery

On February 23, 2017, the Organization noticed unusual activity relating to customer online transactions. The Organization investigated and found that an unknown third party had compromised its e-commerce system, potentially affecting customer payment card information. The incident may have affected online transactions on the Organization’s e-commerce website from October 26, 2016 to January 31, 2017.
P2017-ND-085

EyeBuyDirect, Inc.

On July 13, 2015 the Organization’s intrusion detection system identified potential malware activity on 3 servers. The Organization initiated an investigation and hired a third party forensic investigator. The investigation determined the incident involved malware that targeted data on the server between April 21, 2015 and July 27, 2015. The forensic investigators concluded that there was no direct evidence that the payment card information was removed or taken. The Organization was notified on November 19, …
P2017-ND-084

Wood Law Office

On February 10, 2015, the Organization was notified by a service provider of potential malware activity targeting its payment card systems on a server. The Organization initiated an investigation and hired a third party forensic investigator. The investigation revealed 2 malware output files containing payment card information on an Organization server. The malware targeted the systems between November 18, 2014 and December 5, 2014. The forensic investigator concluded that there was no direct evidence that …
P2017-ND-083

Avenue Living (2014) LP

An unauthorized user gained administrative access to the Organization’s vendor’s systems on April 23-24, 2016, and issued commands to delete all the data housed on the vendor’s servers. That data may have included the information at issue, which had been collected by the vendor on the Organization’s behalf. While there is no evidence that credit card data was accessed or acquired by an unauthorized user, or that the unauthorized user intended to steal data, the …
P2017-ND-082

RS Energy Group Canada, Inc. and RS Energy Group, Inc.

On or about June 20, 2016 the Organization learned that personal information of a member that was stored on the computer system of a vendor may have been compromised. The vendor advised the Organization that its computer system was affected by ransomware/malware and an unauthorized user gained access to data on the computer system.
P2017-ND-081

Canadian Tire Corporation Limited

The Organization uses a third party vendor to assist with its membership renewal outreach. On June 27, 2016, the vendor informed the Organization that an unauthorized individual gained access to the vendor’s system on April 24, 2016, and deleted membership information that was collected between August 17, 2015 and April 24, 2016. The vendor reported that its investigation did not reveal any evidence that the personal information was accessed or acquired by the unauthorized individual.
P2017-ND-080

JAM Paper & Envelope

On May 31, 2017, an employee of the Organization sent an email message to the email addresses of approximately 300 customers. The email informed customers that their account was in arrears and requested they contact the Organization immediately in order to resolve the missed payment. The email addresses of all recipients were included in the “To” address line instead of the intended “BCC” address line, inadvertently disclosing the email addresses to all of the recipients. …
P2017-ND-079

Grass Advantage, LLC d/b/a Amazing Grass

On July 31, 2016, an employee of the Organization mistakenly saved an electronic spreadsheet containing the information at issue to an internal public server accessible to all employees of the Organization. The spreadsheet was exposed for approximately one day from July 31, 2016 to August 1, 2016. The incident was discovered on August 31, 2016. The Organization reported at least two employees accessed the spreadsheet and shared the personal information with other employees, including local …
P2017-ND-078

Bulletproof 360, Inc.

On June 27, 2016 the Organization learned that one of its vendors had been the victim of a potential computer intrusion. An unauthorised user gained administrative access to the vendor’s systems on April 23-24 2016, and issued commands to delete all the data housed on the vendor’s servers. That data may have included the information at issue, which had been collected by the vendor on the Organization’s behalf. There is no evidence indicating that credit …
P2017-ND-077

Kids & Company Ltd.

On February 8, 2017, an employee with the Organization discovered that she had access to employee files she did not normally have access to and reported it to the Organization. The Organization investigated and found that permission settings on shared file drives were lost during migration of data to a new server. The Organization reported it is possible unauthorized access began in January 2015 when the server was provisioned and data migrations began. The information …
P2017-ND-076

Tween Brands Canada Stores Ltd., operating under the Justice brand

On February 27, 2017, an employee parked one of the Organization’s vehicles outside the employee’s home in Airdrie, Alberta. On February 28, 2017, the employee discovered the van had been stolen. The van was recovered; however, on March 3, 2017, the Organization “determined that along with various locksmith equipment, a single invoice and a credit card slip for work the Employee performed for a single customer (the previous day had also been stolen from the …
P2017-ND-075

Weebly, Inc.

On or around August 24, 2016, hackers inserted malware into the software supporting the Organization’s website www.ubteam.com. The malware was present until on or around January 9, 2017 when it was discovered by a third party cyber security specialist.
P2017-ND-074

ABC Carpet and Home

On February 2, 2017, the Organization began investigating unusual activity reported by its credit card processor. On February 23, 2017, the Organization discovered that it was the victim of a cyber-attack that resulted in the potential compromise of some customer’s debit and credit card data used at www.kurufootwear.com between December 20, 2016 and March 3, 2017.
P2017-ND-073

New World Hotel Management Limited (d/b/a Rosewood Hotel Group)

On April 21, 2017, the Organization discovered that an unauthorized third party uploaded malicious computer code to the system that hosts the Organization’s website, Charbroil.com. The Organization believes the code was present when customers made purchases via the online store during approximately March 22, 2017 and April 21, 2017, and that the code may have been used to obtain customer payment card transaction information for a limited number of transactions during that time.
P2017-ND-072

Six Continents Hotels, Inc., a franchisee of Intercontinental Hotels Group Company

On April 28, 2017, a vehicle belonging to an employee of the Organization was stolen. The vehicle contained customer account records, in paper format. The incident was discovered the same day. To date, the information has not been recovered.
P2017-ND-071

Western Union Financial Services Inc.

On May 29, 2015, the Organization identified an unauthorized user in its computer system. Information in the Organization’s user database includes the user’s public profile that is publicly displayed on the Organization’s platform and non-profile information that is used for internal purposes. The attack was identified and terminated while the Organization was investigating the incident. The Organization determined that only a partial file containing user records may have been transmitted outside of the Organization’s systems.
P2017-ND-070

Owner’s Association of Rivertide Suites

On April 10, 2016, a vehicle belonging to an employee of the Organization was burglarized in the United States. A company laptop containing personal information of customers was stolen. The laptop was password protected but not encrypted. The laptop has not been recovered to date.
P2017-ND-069

Olympia Trust Company

On April 11, 2017, the Organization confirmed there was unauthorized remote access to its e-commerce store server www.RandMcNally.com. The access began on April 12, 2016 and resulted in the installation of malware on the server. The Organization determined that between April 12, 2016 and March 2, 2017, the malware collected or may have collected data relating to customers who made purchases through the e-commerce store using a credit card or debit card.
P2017-ND-068

Ericksen M-B Ltd. (o/a Mercedes-Benz Heritage Valley)

On January 23, 2017, the Organization became aware that a hacker had gained access to its systems and downloaded a malicious executable file to a number of servers and workstations. The Organization reported the unauthorized access occurred on January 11, 2017.
P2017-ND-067

IHS Global Canada Ltd.

On October 27, 2016, the Organization inadvertently emailed pay stubs of 17 employees of the subsidiary company to two current employees and two former employees. On the same day, one of the individuals who received the email notified a Supervisor with the subsidiary company of the incident. The subsidiary advised the Organization of the incident on October 28, 2016. The Organization requested the individual who sent the email to delete it, and contacted recipients of …
P2017-ND-066

Sun Life Assurance Company of Canada

On or about August 5, 2016, the Organization’s property management company forwarded an email thread containing the information at issue to a third party contractor. On August 14, 2016, the Organization was contacted by an individual advising that the property management company had forwarded her original emails to the third party contractor.
P2017-ND-065

Ivari Canada ULC

On January 25, 2017, the Organization began investigating unusual activity reported by its credit card processor. The Organization worked with third-party forensic experts to investigate the reports and to identify any signs of compromise on its systems. On February 23, 2017, the Organization discovered that it was the victim of a sophisticated cyber-attack that resulted in the potential compromise of some customers’ debit and credit card data used at www.fightgear.com, www.fitness1st.com, www.ringside.com, and www.combatsports.com between …
P2017-ND-064

Future Values Estate and Financial Planning

On April 7, 2017, a bag containing a laptop and four paper copy insurance applications were stolen from an employee’s vehicle. The laptop was encrypted and protected by password; however, the paper files were not protected and are not expected to be recovered. The incident was discovered on April 8, 2017 when the employee noticed that the bag was missing from the vehicle.
P2017-ND-063

Thirty-One Gifts Canada Inc.

On or about March 24, 2017, the Organization’s third-party cybersecurity team determined that the Organization was the target of a sophisticated cyber-attack. The Organization investigated and determined that the personal information of Alberta residents stored on an electronic database may have been accessed intermittently between October 2016 and early January 2017 by unauthorized persons.
P2017-ND-062

Atlantic Cigar Company, LLC

In March 2017, the Organization discovered that a third party obtained unauthorized access to the MyPay system hosted and serviced by the Organization’s third-party service provider. The system is an electronic platform that provides the Organization’s employees with web-based access to employment information and payment records through an on-line portal. The service provider investigated, and determined that a third-party accessed the online portal by manipulating the login features. The information was exposed between approximately April …
P2017-ND-061

Alberta Mining Corporation Limited (including a number of subsidiaries and the Robert F Ruben trust)

On or about December 8th, 2016, a phishing email was received by an employee of the Organization which went undetected and the employee’s credentials were provided to the malicious attacker. The attacker then accessed the employee’s Outlook Web Access and added an email forwarding rule so all emails received by the employee were also forwarded to the malicious attacker’s mailbox. This resulted in data leaving the Organization’s control and being inadvertently disclosed, including the personal …
P2017-ND-060

The Great-West Life Assurance Company

On May 3, 2016, the Organization learned that online stores it maintained for one of its clients may have been compromised. The Organization investigated and found that one or more unauthorized individuals may have gained access to the e-commerce platform and inserted malware. The Organization believes that customers’ personal information may have been accessed by an unauthorized third party between December 7, 2015 and May 3, 2016.
P2017-ND-059

Sun Life Global Investments

On May 15, 2015, the Organization was notified by a customer about suspicious credit card activity. The Organization investigated, and found that after a migration of the Organization’s website from one server to another, the Organization was hacked by a foreign entity. A forensic investigation revealed that malware had been active between March 26, 2015 and June 5, 2015. As a result, the Organization believes that its customers’ personal information may have been accessed by …
P2017-ND-058

Noble House Hotels and Resorts

One of the Organization’s servers was compromised between August 11 and August 16, 2016, resulting in unauthorized access to personal information stored on it. The Organization discovered the incident on August 23, 2016.
P2017-ND-057

Dorward & Company LLP Chartered Accountants

On May 20, 2015, the Organization was notified by local law enforcement that print-outs from its customer files had been found in a stolen vehicle. A total of 8 customer files were found. The Organization investigated and determined an employee improperly accessed the customer files identified by police. The Organization also determined that the employee accessed other customer files over a span of approximately 7 years. On June 4, 2015, the Organization became …
P2017-ND-056

Aimbridge Hospitality Holdings, LLC

On June 8, 2015, the Organization’s web hosting company detected possible malicious activity involving its website. Within hours of discovery, the hosting company secured the website. The incident was reported to the Organization on June 15, 2015. The Organization reported the information may have been exposed for six weeks and there was evidence of malicious code.
P2017-ND-055

Hyatt Hotels Corporation

On November 1, 2016, the Organization sent two separate emails to owners and tenants respectively to notify them about the license suspension of a property management company. In both cases, email addresses of all recipients were included in the “To” line instead of the “BCC” line, disclosing all email addresses to the recipients. Fourteen (14) of the emails bounced back as un-deliverable. On November 3, 2016 an employee of the suspended brokerage firm reported the …
P2017-ND-054

Desjardins Financial Security Insurance

The Organization was alerted that some of its customers had experienced credit card fraud. The Organization initiated an investigation into the matter and found there had been unauthorized access to the Organization’s website. The Organization discovered the incident on May 5, 2015. Malware that had been installed was removed. On June 10, 2015, the Organization discovered and removed additional malware from the website. The Organization reported that the website may have been compromised between October …
P2017-ND-053

Duck Inn Daycare and Out of School Care

On August 19, 2016, in Calgary, Alberta, a locked vehicle belonging to an authorised agent (contractor) of the Organization was broken into. A laptop and paper file in a briefcase containing the personal information at issue were taken from the vehicle. The agent discovered the loss the same day when he returned to his car. The information has not been recovered.
P2017-ND-052

Avis Budget Group, Inc.

On September 6, 2015, an employee’s vehicle was broken into and a hard drive containing a copy of the Organization’s server was stolen. The theft was discovered on September 7, 2015. The hard drive was locked in the vehicle in a detached garage. The hard drive has not been recovered. The hard drive had no technical security.
P2017-ND-051

Centerfire Contracting Limited Partnership

An employee of the Organization received an email which appeared to be from the Organization’s CEO. The email requested information about the Organization’s employees in Excel format. The employee responded to the email, attaching a password protected Excel spreadsheet containing the requested personal information. The Organization discovered the breach on February 2, 2016.
P2017-ND-050

Canadian Blood Services

On November 21, 2016, a laptop computer owned by a faculty member of the Organization’s School of International Training Study Abroad Finance program was stolen in Geneva, Switzerland. The information at issue was stored on the laptop. The laptop was password protected but not encrypted. The Organization reported there is no evidence indicating that the security of the password has been compromised. The laptop has not been recovered.
P2017-ND-049

Goldenvoice, LLC

On November 16, 2016, the Organization learned of the potential compromise of certain personal information of its customers. The Organization immediately launched an investigation which found that unauthorized and malicious code may have been inserted into the company’s website. The incident occurred between approximately April 24, 2016 and December 14, 2016.
P2017-ND-048

YWCA of Calgary

On February 6, 2017, the Organization detected that an unauthorized third party may have obtained access to the servers that operate its e-commerce website, www.prana.com. The Organization investigated and found that an unauthorized third party installed code that was designed to capture information as it was being entered on the site during the checkout process for orders placed from December 14, 2016 to February 6, 2017. The Organization believes the unauthorized third party may have …
P2017-ND-047

H&R Block Canada, Inc.

On February 3, 2017, an envelope intended to be mailed to clients was mailed to the clients’ former address. The envelope contained paper documents that included the information at issue. The Organization was contacted by a client via email on February 17, 2017, advising they had not received the envelope. On February 20, 2017, the Organization determined that the envelope was mailed to the clients’ former mailing address. The Organization contacted the current resident of …
P2017-ND-046

Geokinetics Inc.

Between December 20, 2015 and December 22, 2015, the Organization experienced a break-in and a laptop computer was stolen from a locked office. The information at issue was stored on the laptop, which was password protected but not encrypted. The laptop has not been recovered.
P2017-ND-045

H&R Block Canada, Inc.

On October 28, 2016, “during an extensive scan”, the Organization learned that encrypted malware was placed on its www.naturepedic.com website. The malware copied information entered to the website to create online accounts used to place orders between June 6 and October 28, 2016.
P2017-ND-044

McDonald’s Restaurants of Canada Limited

On February 17, 2016, a customer entered the Organization’s office in Lacombe, Alberta, to pick up completed tax forms and money orders. The customer was inadvertently handed an envelope that contained the tax return summary of another individual. The incident was discovered that same day when the Organization’s employee realized the error. The employee contacted the unauthorized recipient to advise of the error. The unauthorized recipient confirmed the money orders were already deposited at an …
P2017-ND-043

Best Western Plus Wine Country Hotel & Suites in West Kelowna, operated by 626498 Alberta Ltd.

On July 29, 2016, the Organization’s Practice Visitor realized a CD storing patient information was missing. The CD had been provided to the Practice Visitor by the affected individual’s physician as part of a quality assurance practice visit. The CD was used in three locations on July 27 and 28, 2016, including the physician’s office, the Practice Visitor’s vehicle (used to transport the CD), and the Practice Visitor’s office. Despite extensive searches, the missing CD …
P2017-ND-042

New England College of Optometry

On or about December 23, 2016, the Organization noted fraudulent activities within its systems after some members reported unauthorized activities on their accounts. The Organization also noticed changes to member data and requests for new numbers, as well as unusual activity concerning vehicle use and trip duration. The Organization found there had been a brute force attack against its system in late December, whereby unauthorized third parties accessed member accounts using lists of email/password combinations …
P2017-ND-041

King Edward Child Care Society

On September 22, 2016 customers of the Organization reported credit cards being used in a fraudulent way. The Organization learned that a third party embedded malware onto its ecommerce website that apparently caused some customers’ financial information to be covertly sent to an unassociated email address. Customers who purchased products from the Organization’s website, www.MicroDAQ.com, between September 4 and September 22, 2016 may have been affected.
P2017-ND-040

Fareportal, Inc.

On September 29, 2016 the Organization became aware of unauthorized access to its database through a vulnerability in a third party plugin to software used on its website. Through malware infecting software on the server, the perpetrator was able to download user information.
P2017-ND-039

Millbourne Sports Plus Physiotherapy Clinic

On December 8, 2015, the Organization was informed by another company that a former employee of the Organization had accessed an electronic file containing the information at issue. The former employee had been employed with the Organization between July and October 2014 and was not authorized to access the file. The Organization’s investigation confirmed that the information of 41 former and current independent sales agents was used to commit fraud (opening fraudulent accounts for mobile …
P2017-ND-038

Alberta Blue Cross

On December 20, 2016, an unknown individual accessed the email account of the Organization’s CEO and established a “mail forward” function such that all emails delivered to the account were forwarded to an unauthorized Gmail email account. The Organization reported “The content of the e-mails and the various attachments related to corporate and business activities and transactions” and some of it was innocuous, consisting of read receipts, and newsletter subscriptions. Some were internal company emails. …
P2017-ND-037

Spiraledge, Inc.

On October 6, 2016, a vehicle was broken into and a backpack was stolen. The backpack contained tax returns (paper) and may have contained a backup USB drive. The USB drive may or may not have been password protected or encrypted. No misuse of personal information has been reported; however to date the personal information has not been recovered.
P2017-ND-036

Native Canada Footwear Ltd.

On April 26, 2016, the Organization discovered that during the testing and roll out of the Organization’s ecommerce the debugging mode was inadvertently turned on, which stored payment card transaction data into plain text. An unauthorized third party subsequently exploited a misconfiguration in the Organization’s ecommerce servers to gain access to and acquire the information at issue. The intrusion potentially exposed the personal information of individuals who made purchases using the ecommerce site between May …
P2017-ND-035

Hartz Hotel Services, Inc.

The Organization operates a points rewards loyalty program known as PC Plus. On December 9, 2016, the Organization received several calls from PC Plus members concerning the disappearance of rewards points from their membership accounts. The Organization’s investigation confirmed member accounts had been targeted by threat actors operating in the Internet “dark web”. It appears fraudulent redemption of points began December 1, 2016. The Organization believes member accounts were accessed using usernames and/or passwords stolen …
P2017-ND-034

2037206 Alberta Ltd. D/B/A Simply For Life

One of the Organization’s service providers suffered a security compromise on its website, which in turn affected the online services available to the Organization’s customers. A forensic investigation revealed that malware had been active between June 19, 2014 and July 15, 2015. As a result, the Organization believes that its customers’ personal information may have been accessed by an unauthorized third party during that time.
P2017-ND-033

National Bank Investments

One or more intruders gained unauthorized access to the Organization’s website (www.topps.com) and installed malware. The intruder(s) may have accessed the information at issue for customers who placed orders through the website between approximately July 30, 2016 and October 12, 2016. The Organization’s website development company discovered the incident on October 12, 2016.
P2017-ND-032

Spectrum Psychological Inc.

On January 20, 2017, an unauthorized individual sent an email requesting employee payroll information and 2016 W-2 forms. The email appeared to have been sent by an Executive with the Organization. In response, a payroll employee with the Organization created a spreadsheet report and provided it, via email, to the requestor. The incident was discovered on January 24, 2017.
P2017-ND-031

Graphik Dimensions, Ltd.

On August 16, 2016, the Organization received an email from an individual requesting an email address be linked to a customer account. The Organization approved the request, which allowed the individual to access the account and make changes. On September 30, 2016, the Organization became aware there had been a breach when a customer contacted Customer Service to report he had not received his monthly account statement.
P2017-ND-030

Central 1 Credit Union

On October 16, 2015, the Organization noticed that a page on its website, which was managed by a third party web hosting firm, was loading slowly. An investigation was immediately conducted, which indicated that malware had been installed on the hosting firm’s webserver on or around May 19, 2015. The information at issue was stored on the webserver. The Organization reported that it “has not received any forensic evidence from its former third party web …
P2017-ND-029

First Calgary Financial a division of Connect First Credit Union Ltd.

On October 14, 2015, the Organization mailed investment confirmation notices to 49 clients. Between October 19 and October 29, 2015, the Organization received reports from five (5) clients advising that they received investment notices belonging to other clients, along with their own. The Organization contacted the 5 unintended recipients that reported the incident. Four (4) of the 5 returned the notices they received in error to the Organization. The 5th unintended recipient stated he would …
P2017-ND-028

Beacon Consumer Holdings Inc.

An external removable hard drive was last backed up on November 9, 2015 and was on a ship that was in dry dock in China during November 2015. After a subsequent journey involving rough seas, the device was discovered to be missing on December 7, 2015, after the ship returned to port in Tacoma, Washington. The personal information at issue was stored on the device, which was password protected but not encrypted. The device has …
P2017-ND-027

College of Licensed Practical Nurses of Alberta

On September 2, 2015, the Organization was notified by the Office of the Information and Privacy Commissioner that a complaint had been received concerning the Organization’s practices. The Organization initiated an investigation, and discovered that on four separate occasions (January 9, 2015, April 29, 2015, June 5, 2015 and June 12, 2015) communications from one of the Organization’s service providers had been emailed to customers in error. In brief, emails addressed to Customer A included …
P2017-ND-026

Gowling WLG

On October 26, 2015, the Organization discovered that two university computers were stolen from the Registrar’s office over the preceding weekend. The University’s incident response team immediately investigated. The stolen computers were password protected.
P2017-ND-025

Dalmac Oilfield Services Inc.

In April 2015 the Organization received a complaint from a client which prompted an internal audit. The audit found that unknown individuals purchased personal information from an employee of the Organization (now former employee) and used that information to call in to the Organization, authenticate as members and gain access to online accounts. The unauthorized individuals changed member banking information, requested withdrawals be directed to fraudulent bank accounts, and submitted forged withdrawal request forms and …
P2017-ND-024

Matador Recordings, LLC

On October 10, 2015, an email was sent to all of the Organization’s personnel and select global leaders with an incorrect attachment. The attachment contained the personal information at issue. The Organization took steps to retrieve the email and attachment, however it was viewed by approximately 40 individuals in Canada.
P2017-ND-023

Sun Life Assurance Company of Canada

On December 7, 2015, the Organization discovered an unauthorized user was logged on to its computer system and was in the payroll auto deposit module.
P2017-ND-022

Brion Energy Corporation

On August 31, 2015, the Organization received a message from an individual claiming he had identified a vulnerability in the Organization’s Food.com website that allowed him to access certain personal information of the website’s users. The Organization investigated and, on September 16, 2015, determined that an intruder had accessed the Organization’s system between August 8, 2015 and September 2, 2015. The intruder may have had unauthorized access to, and potential acquisition of, some customer personal …
P2017-ND-021

Agcapita Farmland Fund VI

An incorrect address was entered into the Organization’s Group administration system for a certificate holder making a claim. The actual address entered was for a customer’s wife’s ex-husband. As a result, a letter was sent to the wrong address on October 1, 2015. The incident was discovered on October 23, 2015 during a telephone conversation between an employee of the Organization and the affected individual.
P2017-ND-020

HSBC InvestDirect, a division of HSBC Securities (Canada) Inc.

The Organization believes that an unauthorized third party used malicious software (malware) to infiltrate its on-line server and collect personal information. The incident potentially affected individuals who made on-line purchases between January 22, 2015 and July 20, 2015.
P2017-ND-019

Magellan Vacations (operating as Magellan Luxury Hotels)

On May 27, 2015, the Organization was notified by its e-commerce vendor that an unauthorized third party breached the vendor’s systems on April 12, 2015, and may have accessed personal information of the Organization’s customers stored in the vendor’s database. The vendor discovered evidence of the breach on May 13, 2015 and notified the Organization on May 27, 2015.
P2017-ND-018

Activision Blizzard, Inc.

On June 16, 2015, the Organization learned that hackers using a Russian IP address gained unauthorized access to the Organization’s website. The Organization’s website was accessed between February 9 and May 30, 2015. During this time, the unauthorized individual(s) may have accessed the information at issue.
P2017-ND-017

Registered Psychologist, Alberta

In May 2016, the Organization was informed by its IT department that two (2) hard drives were missing. An ex-volunteer admitted to taking the drives and refused to return them. It appears the ex-volunteer was working with an ex-tenant. The ex-volunteer was arrested and charged.
P2017-ND-016

Loews Hotels & Co.

On October 8, 2016, the Organization was informed by LeakedSource.com that a file containing the information at issue from the Organization’s database was copied by an unauthorized party and made available on the dark web. The unauthorized access to the information at issue is believed to have occurred between October 2015 and February 2016. No payment card data or data about end-users (eCommerce customers) was involved.
P2017-ND-015

Open Text Corporation

On June 4, 2015, an email containing the personal information at issue was sent to a client’s correct email address, but also copied to an incorrect email address. The incident was discovered on June 9, 2015, when the client reported the email was sent to an incorrect email address and expressed concern that someone else may have access to his personal information.
P2017-ND-014

Dolden Wallace Folick LLP

On July 13, 2015, the Organization’s emergency back pack was lost or stolen at an outside event. The back pack contained a binder with the personal information at issue. A search for the binder was conducted, but was not successful.
P2017-ND-013

PrairieCoast Equipment Inc.

On or around May 11, 2015, the Organization learned that a recently departed employee hired through a staffing agency stole and used some credit card numbers without authorization. The Organization believes the individual may have had access to credit card information between October 2014 and May 2015, and may have physically written down or copied credit card information. Reported by US law firm.
P2017-ND-012

GolfTec Enterprises, LLC

On or around November 29, 2016, the Organization’s investigation confirmed that an unidentified third party had injected malicious code into the Organization’s e-commerce website (pictureframes.com). The malicious code enabled the unidentified third party to acquire credit card information while purchases took place. The Organization’s investigation revealed that the access occurred between July 12, 2016 and November 30, 2016.
P2017-ND-011

The Empire Life Insurance Company

On August 18, 2016, an employee of the Organization began to receive “Non Delivery Reports” for email(s) undeliverable to an unknown mailbox. After an internal investigation, the Organization discovered that a corporately owned webmail account assigned to an employee of the Organization was compromised such that all incoming email received through the account between July 17, 2016 and August 16, 2016 was automatically being forwarded to an unauthorized Gmail account.
P2017-ND-010

Enercapita Energy Trust

On August 18, 2016, an employee of the Organization began to receive “Non Delivery Reports” for email(s) undeliverable to an unknown mailbox. After an internal investigation, the Organization discovered that a corporately owned webmail account assigned to an employee of the Organization was compromised such that all incoming email received through the account between July 17, 2016 and August 16, 2016 was automatically being forwarded to an unauthorized Gmail account.
P2017-ND-009

Equicapita Income Trust

On August 18, 2016, an employee of the Organization began to receive “Non Delivery Reports” for email(s) undeliverable to an unknown mailbox. After an internal investigation, the Organization discovered that a corporately owned webmail account assigned to an employee of the Organization was compromised such that all incoming email received through the account between July 17, 2016 and August 16, 2016 was automatically being forwarded to an unauthorized Gmail account.
P2017-ND-008

Rhocore Income Trust

On August 18, 2016, an employee of the Organization began to receive “Non Delivery Reports” for email(s) undeliverable to an unknown mailbox. After an internal investigation, the Organization discovered that a corporately owned webmail account assigned to an employee of the Organization was compromised such that all incoming email received through the account between July 17, 2016 and August 16, 2016 was automatically being forwarded to an unauthorized Gmail account.
P2017-ND-007

Indigo Books and Music Inc.

On June 8, 2015, the Organization received two separate reports from customers of unauthorized electronic gift card transactions made on June 5. The Organization investigated and found that an unauthorized individual had gained access to 102 customer accounts using valid credentials. The Organization reported that its own customer systems had not been compromised and so the authentication credentials used for accessing the accounts were accessed using email address and password combinations obtained from a website …
P2017-ND-006

College and Association of Registered Nurses of Alberta

On February 10, 2015, a Registration Assistant with the Organization emailed copies of a member’s driver’s license, passport, and communication thread to the wrong individual. The unintended recipient contacted the Organization on February 17, 2016, one year later, and reported the error. The unintended recipient confirmed she destroyed copies of the original email and attached documents. The email was sent without a password or encryption.
P2017-ND-005

Hyatt Hotels Corporation

On November 30, 2015, the Organization confirmed the presence of malware designed to target payment card data. The Organization’s investigation indicated potential unauthorized access to payment card information from cards used at certain managed locations or provided to a sales office between August 13, 2015 and December 8, 2015, as well as on or shortly after July 30, 2015 for a limited number of cards. On January 18, 2016 the Organization’s call center was contacted …
P2017-ND-004

eScreen Canada ULC

An employee of the Organization sent records containing occupational health screenings to his personal email account, then began a leave of absence. He was subsequently terminated on March 29, 2016. On April 18, 2016, the Organization received a report that the former employee had made use of the records containing personal information during an April 6, 2016 meeting with a third party organization.
P2017-ND-003

Servus Credit Union Ltd.

A bank account number and transactional information was given to an unauthorized person in error. This caused unauthorized transactions to occur on the account. Both members in question have the same first and last names. The incident was discovered on April 6, 2016 when the unauthorized member received a printout of transactions occurring on the account and questioned some of the activity.
P2017-ND-002

Conner, Clark and Lunn Private Capital Ltd.

On March 18, 2016, the Organization contracted a courier service to deliver a new account documentation package to a client. On March 23, 2016, the Organization received a call from the courier service advising that the vehicle containing the package was broken into and the package was stolen. The package with documentation has not been recovered.
P2017-ND-001

Accuform Manufacturing Inc. and Safety Marketing Services LLC

On September 21, 2015, the Organization learned that its computer network had been accessed by an unauthorized third party and “one or more parties operating through foreign countries illegally accessed [the Organization’s] computer network and exfiltrated copies of orders…”. Although the information at issue is primarily for corporate credit cards, it could also involve credit cards belonging to individuals.
P2016-ND-70

Springfield, Inc. (d/b/a Springfield Armory)

On October 5, 2016, the Organization discovered that an unauthorized person(s) gained access to the web server and installed code that was designed to copy information entered during the checkout process. The incident occurred between October 3, 2015 and October 9, 2016.
P2016-ND-69

Real Estate Council of Alberta

On November 11, 2016, during a system upgrade, a technical error occurred that allowed individual real estate professional licensees logged into the online licensing system to view not only their own personal information, but also the personal information of other real estate professional licensees who were logged into the system at the same time.
P2016-ND-68

Two Leaves and a Bud Tea Company

On November 29, 2016, the Organization discovered that an unauthorized individual may have accessed the administrative side of its ecommerce website used to process orders. The Organization investigated and found that information from some orders placed on November 28 and 29, 2016, may have been accessed.
P2016-ND-67

Medical Informatics Engineering and NoMoreClipboard (a wholly owned subsidiary)

On May 26, 2015, the Organization discovered suspicious activity in one of its servers. The Organization’s investigation revealed that an unauthorized third party gained access to some individuals’ personal information stored on its servers.
P2016-ND-66

Costco US

The Organization’s third party photo services website provider suffered a security compromise on its website. A forensic investigation revealed that malware had been active between June 19, 2014 and July 15, 2015 and only affected the US photo center website. The Organization believes that the information of Canadian individuals who made purchases on the US photo center site may have been accessed by an unauthorized third party during this time. The Organization confirmed that image …
P2016-ND-65

Web.com Group, Inc.

On August 13, 2015, through ongoing security monitoring of its network, the Organization discovered unusual traffic to sensitive computer systems. The Organization determined that a successful attack against its networks may have resulted in unauthorized access to some of its customers’ personal information.
P2016-ND-64

dōTERRA International LLC

A third-party vendor contracted by the Organization to provide data hosting and software services informed the Organization that an unauthorized intruder had accessed some of the third-party’s systems. The intrusion appeared to have resulted in the unauthorized acquisition in March 2016 of personal information of the Organization’s customers. An investigation into the incident revealed that not all the personal information stored on the server in question was encrypted.
P2016-ND-63

Syncrude Canada Ltd.

A service provider to the Organization mailed letters to 1,293 of the Organization’s employees having an active Health Care Reimbursement Account. The letter included a sample form which contained fictitious information regarding benefits claimed for health services, but associated to the names of a real employee of the Organization and his spouse. No real benefit claim information was disclosed.
P2016-ND-62

Crocs Canada Inc.

On March 9, 2016, the Organization’s Payroll Manager discovered that some T4 forms sent to the Organization’s parent company in the United States were missing. Upon discovering the forms were missing, the Organization launched an investigation.
P2016-ND-61

Patterson Medical Canada, Inc.

The Organization was contacted by police concerning a former employee the police were investigating for identity theft and credit card fraud. The information at issue was found in the possession of the former employee. The Organization confirmed the individual was employed by the Organization between May 25, 2015 and September 4, 2015 and the information at issue was about customers of the Organization. The former employee was charged with thirty-one (31) various crimes related to …
P2016-ND-60

Cowboys Casino

The Organization’s computer systems were compromised by hackers and 6.5 gigabytes of data containing personal information were downloaded. The incident was discovered on May 30, 2016 through an email sent by the hackers. The hackers threatened to release the information on the internet if a ransom payment was not made by the Organization.
P2016-ND-58

FGL Sports Ltd., a wholly owned subsidiary of Canadian Tire Corporation Limited

A laptop computer containing the information at issue was stolen from an employee’s vehicle on May 2, 2015. The laptop was password-protected, but neither the file containing personal information nor the laptop was encrypted.
P2016-ND-57

Big Idea Entertainment, LLC

The Organization owns and operates the Veggietales.com website. The website includes an online shopping service. The website uses third party software to support its online shopping service. The Organization was advised by its third party software provider that a vulnerability in the software had been identified. The Organization patched the vulnerability and conducted an investigation to see whether the vulnerability had been exploited prior to the patching. The investigation revealed that an unauthorized and unknown …
P2016-ND-56

Big Fish Games

Malware was installed on the Organization’s online purchasing system. The malware may have intercepted payment details of customers who made payments via the online system. The incident affected customers who made purchases between December 24, 2014 and January 8, 2015.
P2016-ND-55

Mohu, an unincorporated division of Greenwave Scientific, Inc.

The Organization’s computer systems were compromised by a hacker who inserted malicious code and removed data. The Organization’s IT personnel discovered the data breach on July 28, 2015, during a review of the website’s performance.
P2016-ND-54

Sexauer Ltd.

On March 22, 2016, an employee of the Organization received an email that appeared to be from a member of the Organization’s senior leadership team. The email requested copies of all 2015 employee T4 forms. The employee responded to the email, including copies of Canada Revenue Agency 2015 T4 forms. The employee’s response, however, was sent to an unidentified third party.
P2016-ND-53

Boersma Bros LLC, dba DutchWear

An unknown entity installed malicious software on the Organization’s online purchasing system. The malware intercepted (accessed) personal information of customers who made online purchases between November 7, 2014 and December 6, 2014.
P2016-ND-52

Raintree Financial Solutions

An employee’s email account was breached and a phishing based email was sent to the employee’s contact list, encouraging recipients to enter their email account log in information. A number of recipients immediately contacted the Organization to report the suspicious activity.
P2016-ND-51

Institute of Management Accountants

On June 20, 2016, the Organization was informed that one of its vendors had been the victim of a potential computer intrusion. An unauthorized user gained administrative access to the vendor’s systems on April 23-24, 2016, and issued commands to delete all the data housed on the vendor’s servers. That data may have included the information at issue, which had been collected by the vendor on the Organization’s behalf. There is no evidence indicating that …
P2016-ND-50

PAX Labs, Inc.

On July 15, 2016, the Organization discovered that an unauthorized party had gained access to one of its cloud-based website servers on June 25, 2016, which was removed that same day. The Organization removed the software on July 15, 2016. Subsequently, an unauthorized party added similar software on July 22, 2016, which was removed that same day. The Organization’s investigation revealed that the unauthorized party or parties accessed personal payment card information of approximately 6,000 …
P2016-ND-49

Desjardins Financial Security Life Assurance Company

On March 23, 2015, a rehabilitation specialist with the Organization provided an insured individual with an incorrect fax number. The insured, who is a resident of Alberta, faxed his Employee Statement to this number. The Employee Statement contained the information at issue. The Organization was unable to trace the fax number to determine who received the fax or confirm destruction.
P2016-ND-48

Nite Ize, Inc.

The Organization operates a consumer-facing website, which is hosted and managed by a third party website service provider. On March 11, 2015, the Organization learned from its service provider that it had experienced a cyber-attack and credit card information was compromised for orders processed between March 3 and March 11, 2015. The Organization took immediate steps to remove the malicious code that the hackers had inserted. The Organization’s service provider has been unable to determine …
P2016-ND-47

Eddie Bauer LLC

On July 15, 2016, a forensics firm retained by the Organization identified evidence that malware was present on many of the Organization’s point of sale registers. The Organization believes the malware was installed by an unknown third party between January 2, 2016 and July 17, 2016, enabling unauthorized parties to access names and payment card data. Payment information used on the Organization’s ecommerce website was not affected. On July 18, 2016, the Organization alerted all …
P2016-ND-46

Kohl’s Department Stores Inc.

On August 17, 2015 the Organization discovered a call centre employee in Dallas, Texas was capturing names and debit card information for certain customers for unauthorized purposes. The employee had been capturing customer information between February 17, 2015 and July 24, 2015. The incident was discovered after two customers complained about potentially fraudulent charges on their debit cards which had been used to make payments against their Organization charge account balances.
P2016-ND-45

Canadian Association of Petroleum Producers

On December 24, 2015, a package sent by the Organization’s contracted payroll services provider, containing paper payroll data for the final pay period of the year, was stolen from a courier truck while it was making deliveries. In March 2016, the Organization reported that it had been informed by its payroll service provider that “the bulk of the materials of concern have been recovered with some pages missing.”
P2016-ND-44

Questfire Energy Corp.

On December 24, 2015, the service provider sent a package of summary reports and employee pay stubs to the Organization by courier. However, the package was stolen from the courier truck as it was making deliveries. The service provider notified the Organization about the incident on December 29, 2015. On or around April 2015, the service provider recovered a portion of the stolen information that had been discarded in a downtown parking lot. Recovered three …
P2016-ND-43

Ikea Canada Ltd.

On May 25, 2015 an unauthorized third party was able to access certain data elements on the Organization’s website via a previously unknown vulnerability. The Organization’s ongoing monitoring activities enabled the prompt identification and detection of the unauthorized activity on the same day (May 25). The Organization immediately commenced an investigation. The vulnerability was temporarily remediated within 2 hours of detection and within 5 hours of detection a permanent code fix was in place.
P2016-ND-42

TransCanada Pipelines Ltd.

On three separate occasions (November 14, 18 and 21, 2014) an Administrator with the Organization inadvertently sent an email with a link to documents containing some or all of the information at issue to the wrong email address. On the first occasion, the information included name, home address, details of position offered, and starting salary. On the second and third occasions, the information included completed TD1 and TD1A taxation forms, with name, home address, date …
P2016-ND-41

Godiva Chocolatier of Canada Ltd.

A suitcase belonging to a human resources employee was stolen on October 16, 2014 from a rental vehicle in Texas. The suitcase contained a laptop which was password protected but not encrypted. An investigation determined the laptop may have contained the information at issue. The Organization has not received any reports of misuse.
P2016-ND-40

Copart Inc.

On March 31, 2015, the Organization discovered that an unauthorized person had gained access to its computer network. The Organization engaged a leading cybersecurity firm to help determine what occurred and assist it in implementing enhanced security measures.
P2016-ND-39

Sun Life Assurance Company of Canada

A briefcase, containing documents with the personal information at issue, was stolen on May 8, 2015 from an employee’s locked truck. The theft was discovered on May 9, 2015.
P2016-ND-38

Bailey’s, Inc.

In January 2016, the Organization learned its online e-commerce website had been hacked and a keystroke recorder installed. After an extensive investigation, the Organization learned the cyber-attack had first occurred in December 2011.
P2016-ND-37

Johnston Ming Manning LLP and Johnston Ming Manning (Innisfail) LLP

On March 22, 2016, a vehicle belonging to an associate of the Organizations was stolen while the keys were in the ignition. A USB memory stick, with the information at issue stored on it, was attached to the keyring. The vehicle was recovered; however, the keys and USB memory stick have not been found.
P2016-ND-36

Matrix Service Company

On February 3, 2016, an employee of the Organization received a phishing email, disguised as an email from the Organization’s CEO. The email requested names, addresses, social security numbers, social insurance numbers, dates of birth, and salary information for all active employees, including those of the Organization’s subsidiary companies. Believing the email to be legitimate, the employee replied to the message on the day the email was received and attached a spreadsheet with the requested …
P2016-ND-35

Canadian Medical Association

An employee received an email request for a list of all Organization members, purportedly from a senior executive in the Organization. The email appeared to have been sent from a legitimate Organization account, but also requested that the information be sent to a Yahoo account that included the executive’s name. The Yahoo account was “spoofed,” i.e. fraudulent. The employee responded to the request, sending the personal information to both the legitimate Organization email account and …
P2016-ND-34

Landstar System, Inc.

The Organization reported that in two separate incidents, an employee of the Organization received phishing emails. One email appeared to be from the Organization’s Vice President and Chief Financial Officer and a second email appeared to be from the Organization’s President and CEO. The first incident occurred on February 24, 2016, and the second on March 18, 2016. Both emails requested 2015 W-2 forms and T-4 forms for the Organization’s employees. The employee responded to …
P2016-ND-33

Sunrise Medical Canada Inc.

On February 15, 2015, thieves threw a rock through a ground floor window of the Organization’s North American headquarters, located in Fresno California, USA. The thieves stole a laptop belonging to the Human Resources department, which contained the personal information at issue. The thieves fled the scene before law enforcement could arrive in response to the security alarm. The Organization reported the laptop was password protected but not encrypted.
P2016-ND-32

Best Buy Canada Inc.

The Organization launched a consumer panel recruitment survey on January 19, 2015. Due to a flaw in the survey application, when a customer clicked on the URL link to fill out the survey, the customer found the survey was already pre-populated with responses provided by another individual. Customers completing the survey reported the incident to the Organization. Fourteen customers contacted the Organization to report the issue. The Organization reported that the survey was mistakenly launched …
P2016-ND-31

ABS-CBN Canada Remittance Inc.

On October 9, 2014, an authorized agent in Calgary noticed two transactions on its daily transaction list that were not processed by that agent. After reviewing additional transaction lists, the agent identified thirty-three (33) suspected fraudulent transactions. On October 19, 2014, the Organization identified an additional four (4) suspicious transactions that had been entered using a second agent’s credentials. The Organization reported that “fraudsters were able to access the two agents’ sign-on credentials” and as …
P2016-ND-30

VTech Holdings Ltd.

On November 23, 2015, a reporter from the online publication Motherboard (www.motherboard.vice.com) contacted the Organization’s public relations firm in Canada to inform it of a potential breach. On November 24, 2015, the Organization’s Hong Kong internal investigation detected that there had been anomalous activity on its network on or about November 14. This information was forwarded to the Organization’s parent company. On November 26, 2015, the Organization confirmed that there had been a breach of …
P2016-ND-29

LuckyPet, Inc.

On approximately October 12, 2015, an unknown and unauthorized party exploited a vulnerability in the Organization’s third-party shopping cart software used on its website and inserted malicious software that intercepted information provided by customers making purchases. The Organization’s website contractor discovered the malicious code on March 16, 2016.
P2016-ND-28

Crocs Canada Inc.

On April 15, 2015, after a forensic investigation, the Organization learned that individuals may have obtained unauthorized access to information stored on a number of servers. The Organization had initiated the investigation after learning of potential vulnerabilities pursuant to a penetration test. The investigation confirmed that between November 2014 and March 2015, individuals obtained unauthorized access to the Organization’s servers to obtain certain information from the website. The vulnerability allowed SQL injections to retrieve certain …
P2016-ND-27

Enoch Casino Limited Partnership and River Cree Resort Limited Partnership, known as the River Cree Resort and Casino

The Organizations’ information technology network experienced a disruption on March 11, 2016. On March 14, 2016, the Organizations received an email from hackers indicating they had compromised the Organizations’ computer systems and had stolen personal information. The Organizations were not aware of the privacy breach until they received the email. The Organizations reported that the personal information of current and former employees and customers was stolen by the hackers. The hackers threatened to release the …
P2016-ND-26

BrandAlliance Inc.

On December 11, 2015, the Organization discovered a $5,000 fraudulent transaction and launched an internal investigation. The investigation found that, using the web interface to the Organization’s email system, unauthorized individuals were able to login to a user’s email account. The user had a high level of access to stored credit card data and the wifi password which let the unauthorized individuals connect to the local network. The person of interest who was arrested and …
P2016-ND-25

Sun Life Assurance Company of Canada

One of the Organization’s employees was receiving pop-up messages and virus warnings while she was online. She called the internet service provider number given in the pop-up message, and gave full computer access to an individual purporting to be the ISP account representative. The employee stated that while all of her financial applications and client files were closed, she could not be certain whether or not any information was accessed on her computer. The Organization …
P2016-ND-24

AFAB Metalworks Inc.

An employee working in the Organization’s financial department disclosed the wages of certain employees of the company to other employees, as well as the amount of severance paid to one employee. The employee in question left the Organization shortly after the incident.
P2016-ND-23

Gorman and Koski LLP

A computer hard drive was stolen from a staff member’s home. The hard drive contained back-up data for the Organization’s computer system.
P2016-ND-22

RateMyProfessors.com LLC

Hackers gained unauthorised access to a decommissioned version of the Organization’s website by exploiting a vulnerability in an internet facing application within the site.
P2016-ND-21

Sun Life Assurance Company of Canada

The Organization reported that in two separate incidents, two financial advisors gave remote access to their computers to an unknown party who phoned them posing as IT support staff. As a result, personal information stored locally on the computers may have been exposed to unauthorized individuals. The first incident occurred July 24th, 2014, and the second on August 1st 2014.
P2016-ND-20

Fuel Pro Logistics Ltd.

One of the Organization’s employees resigned and took another employee’s (the affected individual’s) information as she left. The employee who resigned was on bad terms with the affected individual. The information was taken from the affected individual’s personnel file, and related to legal proceedings.
P2016-ND-19

Hersha Hospitality Management LP and the Marriott Courtyard

Hersha manages the Courtyard in San Diego, California. On May 6, 2015, the Courtyard discovered an office used by Courtyard sales associates had been burglarized. Paper files containing guest and employee personal information were stolen. The Courtyard discovered the theft and promptly reported it to the San Diego Police Department. To date, the paper files have not been recovered and there have been no arrests made.
P2016-ND-18

Waste Management of Canada Corporation

On March 29, 2015, an office trailer was broken into. Active employee records were stolen. The incident was discovered when an employee noticed the filing cabinet was open. The employee recalled the cabinet was locked on March 27. The trailer also contained tablets, computers and a flat screen TV; however these items were not taken.
P2016-ND-17

Aegion Corporation

On November 10, 2015 an employee discovered that she was able to access information about herself and other employees through an internal company portal after searching her own name. The portal is only accessible to employees. The information was located in files created in October 2014 as part of a data loading effort when the company migrated systems.
P2016-ND-16

Fendrihan Ltd.

The Organization’s website was the target of a malware attack, resulting in unauthorized access to the personal information of customers of the Organization.
P2016-ND-15

Gyft, Inc.

Beginning on October 3 and continuing through December 18, 2015, an unknown unauthorized party accessed two cloud providers used by the Organization. Using valid credentials, the unknown party was able to view or download customer information stored with these cloud providers and make a file containing some of that user information. The Organization became aware of the incident on December 3, 2015, when it learned that a file available on the Internet appeared to contain …
P2016-ND-14

Trident Limited Partnership

A package containing payroll information was to be delivered by a courier; however a thief broke into the vehicle during transport of the package and stole the package. The package has not been recovered.
P2016-ND-13

Heart and Stroke Foundation of Canada

On September 5, 2014, the Organization discovered that names and email addresses of individuals were inadvertently stored on an unsecure server by the Organization’s service provider. The server was connected to the internet. The Organization reported there was no evidence that the information was accessed by unauthorized individuals.
P2016-ND-12

Function Point Productivity Software

An employee’s email account was accessed by an unauthorized individual between November 4 and 12, 2014, inclusive. The email account contained customers’ completed credit card authorization forms.
P2016-ND-11

Federated Insurance Company of Canada

Calgary office was broken into and among items stolen were personnel files, two business customer files and three laptop computers.
P2016-ND-10

Neuman Thompson

Some time prior to January 16, 2016, an associate lawyer discovered that items had been stolen from two motor vehicles in her personal garage. The first breach involved a hard copy file from a medical clinic relating to a physician. The second breach involved a laptop containing personal information relating to a hearing into a case of alleged sexual assault at an educational institution.
P2016-ND-09

Danone Canada

A database containing personal information of individuals participating in a contest was hacked. The hacker exploited security vulnerabilities on the database system. The incident was discovered on December 8, 2014.
P2016-ND-08

TransCanada Credit Union Ltd.

On February 27, 2015, the personal information of one member of the Credit Union was inadvertently sent to 1126 existing members of the Credit Union via email.
P2016-ND-07

SRI Incorporated

The Organization’s auction website was compromised in December 2014. The Organization was notified of the incident in March 2015 by Google. An unauthorized individual installed a malicious code within the Organization’s auction website or system. The malicious code was used to gain unauthorized access to personal information of customers.
P2016-ND-06

Park ‘N Fly

The Organization’s ecommerce application was compromised between November 27, 2013 and December 24, 2014. At the time of the compromise, the ecommerce application processed customers’ online payments. Personal information of individuals whose payments were processed between November 27, 2013 and December 24, 2014 may have been compromised. The incident was discovered in September 2014 and was contained sometime between December 24, 2014 and January 13, 2015.
P2016-ND-05

Columbian Mutual Life Insurance Company

An unencrypted flash drive containing personal information of the Organization’s policy holders and their beneficiaries was lost during surface mail transmission. Note: Decision refers to “unauthorized disclosure.”
P2016-ND-04

Lone Star Inc.

On May 19, 2015, the Organization used a courier service to send a package containing customer contracts to a financial services company in Ontario. On May 21, the Organization was notified by the courier company that “the package was empty, had been torn.” The records contained in the package have not been recovered.
P2016-ND-03

State Farm Fire and Casualty Company and State Farm Mutual Automobile Insurance Company

An employee of the Organizations accessed and used customers’ credit cards to make unauthorized payments of insurance premiums. On July 10, 2013, upon notification of a police investigation of the employee, the Organizations commenced a systems and financial review. The review showed that between December 2010 and October 2013, the credit cards of seven customers were used to pay the employee’s own insurance premiums and those of other customers.
P2016-ND-02

Ivari Canada ULC

Courier advised the Organization that the package had been stolen from the courier vehicle. The forms have not been recovered.
P2016-ND-01

Acosta Canada Corporation

On November 10, 2014, a vehicle belonging to an associate in the Organization’s Human Resources Department was burglarized in the United States. Some personal items and a company laptop were stolen. The associate discovered the theft on November 11, 2014.
P2015-ND-80

U.S. Fund for UNICEF

On or about December 2, 2013, the Organization discovered that an unauthorized individual or individuals gained access to one of its servers. The Organization determined that a portion of the exposed information contained personal information.
P2015-ND-79

Auburn University

One of the Organization’s servers was compromised, resulting in unauthorized access to personal information stored on it.
P2015-ND-78

Servus Credit Union Ltd.

An employee of the Organization was contacted via email by an individual pretending to be a member of the credit union who requested confirmation of his account number and a statement of his account. The information provided was then used to complete a fraudulent wire transfer. The information has not been recovered.
P2015-ND-77

America Online Inc.

In April 2014, after noting an increase in the amount of spam appearing as “spoofed emails” from the Organization’s mail addresses, the Organization discovered that an intruder had accessed certain of its systems illegally. The Organization believes its servers were accessed illegally only in the USA and not Canada, and the intruder acquired user information beginning in August 2013.
P2015-ND-76

Lyfe Kitchen Retail (Canada) Trust

On the evening of June 11, 2015 the Organization’s Vancouver office was broken into and a laptop was stolen. The laptop was password protected but not encrypted. The theft was discovered the next morning. The laptop was not recovered.
P2015-ND-75

Association of Professional Engineers and Geoscientists of Alberta

A new staff member with the Organization received a phishing email, disguised as an email from the Organization’s CEO. The email requested members’ names and email addresses in Excel format. The staff member responded to the email, including a spreadsheet containing the information at issue.
P2015-ND-74

Loblaw Companies Limited

As a result of an error implementing a system change affecting website performance, user information became available to other users who were logged into the system. Specifically, customers attempting to view their own accounts were inadvertently able to view part or all of another member’s account information.
P2015-ND-73

HollisWealth, a division of Scotia Capital Inc.

The Organization’s office was broken into on April 8, 2014. Several items were stolen, including two laptops, three portable hard drives used for back-up purposes, and several USB memory sticks.
P2015-ND-72

Kiewit Canada Corp.

A payroll employee’s rental car was burglarized in Montreal. A laptop computer was stolen. The laptop contained a spreadsheet of employees’ 2014 T4 information.
P2015-ND-71

Co-operative Superannuation Society Pension Plan

The personal information at issue was exposed to the public internet due to a security malfunction. The incident was discovered on July 20, 2014, by an individual searching his/her own name on Google. The Organization does not know how long the information was exposed.
P2015-ND-70

Homestead Housing Co-operative Ltd.

On January 15, 2015, the Organization received a letter from two members complaining that their personal information, which had been discussed in a confidential, in-camera Board of Directors meeting, was disclosed to an unauthorized recipient (another member). The Organization reviewed the matter and found that a Director disclosed the information in breach of a written Confidentiality Agreement. The Director was removed from the Board.
P2015-ND-69

Affinity Psychology Group Corporation

On June 5, 2014, a psychologist working with the Organization’s clients reported the theft of an external hard drive that contained client assessment reports. The theft occurred between May 29 and May 30, 2014 when the psychologist’s home and garage were burglarized. The hard drive was in a briefcase in the trunk of the psychologist’s vehicle. The hard drive contained a system backup of the psychologist’s laptop. It was not password protected, nor encrypted, but …
P2015-ND-68

La Jolla Sport USA (O’Neill), MM Compound, Inc. (Metal Mulisha) and FMF Apparel, Inc. (FMF)

On December 3, 2014, La Jolla Group, Inc. learned of a potential unauthorized access to the checkout page of the Organizations’ websites. La Jolla Group, Inc. conducted an investigation and retained independent computer forensic experts. On December 29, 2014, the investigation confirmed that a malicious script was placed on its system which compromised the security of personal information provided by customers who made purchases between November 30 and December 3, 2014.
P2015-ND-67

Royal Mutual Funds Inc.

During the course of employment with Royal Bank of Canada, an individual accessed client profiles as part of his mandated employment duties, including “[c]lient information [that] may be collected, used and shared by and between Royal Bank” and the Organization. During this legitimate access to client profiles for the period of November 2013 to April 6, 2015, it appears the individual copied some client information. Some of the information was used for unauthorized transactions on …
P2015-ND-66

Umicore Canada Inc.

The Organization decommissioned and disposed of three computer servers. An individual acquired the servers and found that one contained personal information of current and former employees of the Organization. The individual anonymously reported the incident to the Organization on November 7, 2014. An investigation into the incident was conducted. The servers were not recovered by the Organization. The Organization reported that the individual agreed to wipe the servers before reusing them.
P2015-ND-65

Apple Leisure Group (AMResorts)

The Organization received reports from customers about suspicious activities on credit cards used to book reservations through the Organization’s website on May 6, 2014. The Organization investigated and determined that personal information of customers may have been accessed in an unauthorized manner.
P2015-ND-64

Primerica Life Insurance Company of Canada

Due to a logic error, the mailing process used to send 2013 tax receipts for estate accounts resulted in tax receipts that were inadvertently sent to the wrong individuals. Specifically, the tax receipts for the beneficiaries of two estate accounts were generated double-sided and mailed to the primary beneficiaries instead.
P2015-ND-63

Aegon USA

A vehicle belonging to one of the Organization’s agents was broken into. Personal belongings were stolen, including a laptop bag containing a client T2033 transfer form. The incident was discovered on October 7, 2014 when the agent attempted to enter the vehicle. The vehicle had been locked and the laptop bag was not in plain view.
P2015-ND-62

Suncor Energy Inc.

On November 4, 2014, a laptop bag containing a laptop computer, day-timer and two USB sticks were stolen from an HR employee’s vehicle. The laptop computer was password protected and encrypted. The USB sticks were not encrypted.
P2015-ND-61

The Flight Shops Inc.

On October 1, 2014, two bankers boxes containing customer file folders were stolen from the Organization’s Walnut Grove location in Langley, BC. On October 4, 2014, thieves broke into the Organization’s Granville location in Vancouver, BC and stole two bankers boxes containing customer file folders. On October 4, 2014, one bankers box containing customer file folders was stolen from the Organization’s Broadway and MacDonald location in Vancouver, BC. The box was recovered later that day …
P2015-ND-60

Alberta College and Association of Chiropractors

On May 25, 2014, four patient records were photocopied at an office of a chiropractor as part of an investigation by the Organization. On May 26, 2014, the Organization’s investigator noticed the records were missing. The investigator immediately called the chiropractor’s office to ask if the records had been left there. The office could not locate or confirm where the records were but stated the cleaning staff had been in the previous evening.
P2015-ND-59

Grimes Well Servicing Ltd.

An employee of the Organization was the subject of a social engineering attack (phishing). The employee’s email account was compromised. Contact information from the employee’s email account was then used by the attacker to send unsolicited and malicious emails to other employees of the Organization in an attempt to gain access to more information. The incident occurred between August 13-17, 2015.
P2015-ND-58

Simms Fishing Products, LLC

Malicious software was installed on the Organization’s website to steal personal information from customers who shopped on the website. The incident occurred between September 1, 2014 and November 6, 2014.
P2015-ND-57

Verizon Canada Ltd.

The Organization’s copy of an employee’s Record of Employment (ROE) was accidentally discarded by a janitorial service.
P2015-ND-56

eBay Inc.

In early May 2014, the Organization detected a sophisticated cyberattack which compromised a database containing encrypted passwords and other non-financial data. The database was compromised between late February 2014 and early March 2014. The Organization’s systems detected the remote access compromise. The affected database was located in the US.
P2015-ND-55

Carson Integrated Ltd.

On July 5, 2015, an unknown individual entered the Organization’s office and stole a laptop containing Human Resources information. The laptop was password protected but not encrypted.
P2015-ND-54

Marathon Oil Company

The Organization was informed by one of its service providers that information about the Organization’s employees’ past travels may have been targeted by external third parties. The service provider’s server that suffered the attack is located in the US. The service provider confirmed no other information about the affected individuals was exposed.
P2015-ND-53

1724543 Alberta Ltd.

On January 22, 2015, a coordinator working for the Organization came out of a meeting and discovered someone had broken into her vehicle. The thief stole a sealed envelope containing employee timesheets and upcoming work schedules.
P2015-ND-52

Dorward and Company LLP

An Income Tax and Benefit Return form containing the information at issue was emailed to an unintended recipient.
P2015-ND-51

City West Childcare and Community Support Society

On April 28, 2015, an employee of the Organization noticed that “children’s portable records”, which included the information at issue, were missing. The Organization believes the records were lost inside its secured playground area. The records have not been recovered.
P2015-ND-50

OneStopParking

On December 25, 2015, a security blogger alerted the Organization to a potential website compromise. The Organization initiated an internal investigation and found a website vulnerability. The investigation determined that the personal information of customers who used the Organization’s website between August 1, 2014 and December 31, 2014 may have been accessed by an unauthorized individual(s).
P2015-ND-49

Avid Life Media Inc.

On July 12, 2015, an employee at the Organization noticed unusual activity on its information systems. The following day, a threat appeared on customer service representative screens. Hackers threatened to release customer records, as well as employee documents and email communications unless the Organization shut down two of its adult websites, Ashley Madison and Established Men. On July 19, 2015 the Organization confirmed that hackers had obtained personal information from its servers.
P2015-ND-48

Triple Flip Inc.

On October 15, 2014, the Organization’s website suffered a cyberattack. On October 20, 2014, malicious code was installed and infected a server. The code was designed to intercept the transmission of credit card and personal information. On November 10, 2014 a customer reported their new credit card had been compromised. The incident was investigated immediately and the website was shut down.
P2015-ND-47

Talisman Energy Inc.

Employees of the Organization are required to submit information and provide supporting documentation to request reimbursement of employment-related expenses by way of wire transfer to an overseas bank account. Employees scan the information into the Organization’s SAP system as confidential, which restricts access to a limited number of employees with designated access. In July 2013, the Organization’s Privacy Coordinator was notified that the information at issue was scanned into the system without required access controls. …
P2015-ND-46

TD Home and Auto Insurance Company

On January 19, 2015, as part of defending an accident litigation claim, the Organization mailed three claim files to external counsel via Canada Post. While the mail was being processed at the Canada Post facility in Edmonton, the sealed package of documents was damaged and one of the three claim files was misplaced.
P2015-ND-45

Well.ca

The Organization reported that “one of its third party service providers was illegally compromised between December 22, 2013 and January 7, 2014”. The Organization investigated the incident and found that customer personal and financial information was accessed in an unauthorized manner.
P2015-ND-44

City Plus Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-43

Vision Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-42

Christian Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-41

Wainwright Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-40

Shell Employees’ Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-39

Rocky Credit Union

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-38

Vermilion Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-37

Connect First Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-36

TransCanada Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-35

Sun Life Assurance Company of Canada

The Organization reported that a corporate laptop, containing the personal information at issue, was stolen on June 23, 2014 from an employee’s car. The laptop was password protected and encrypted. The encryption key and the previous password were written down and stored with the laptop at the time of the theft. The previous password was a single digit different from the one protecting the laptop, making the new one easy to predict.
P2015-ND-34

Infosat Communications GP Inc.

Between May 2014 and June 5, 2014, an unauthorized individual gained access to the Organization’s database containing personal information. The Organization was notified of the incident by one of its dealers whose customers’ information was compromised. The intruder used a developer’s account on a business application (web portal) to access the database. The intruder collected the credit card numbers and card verification codes of three individuals, as well as the Social Insurance Number of one …
P2015-ND-33

Pincher Creek Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-32

Mountain View Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-31

Clarcor Inc.

An employee of the Organization distributed employee benefit information by email to 12 employees in Canada. However, the information of all 12 employees was inadvertently sent to each employee (as opposed to each employee receiving only his or her own information). The information was contained in an Excel spreadsheet in a “separate tab” that was not immediately visible to an employee unless he or she clicked on the tab. The information was exposed for 3 …
P2015-ND-30

United Farmers of Alberta (UFA) Co-Operative Ltd.

On April 13, 2015 thieves broke into the Organization’s premises and stole the safe and cash register. Index cards, containing customer credit card data and other personal information for 120 accounts, were stored in the stolen safe. The information has not been recovered.
P2015-ND-29

Dalmac Oilfield Services Inc.

In December 2013, an employee of the Organization transferred branches. Payroll then misdirected his next three paystubs to the employee’s former branch. In November 2014, a clerical employee was cleaning an office in the former branch and found three window envelopes. The employee claimed that these were sealed. She placed them in a larger sealed envelope and sent them to the branch manager to be re-directed to the employee. The recipient employee opened the envelope …
P2015-ND-28

Prostate Cancer Canada

On November 24, 2014 a third party hacker accessed a microsite operated by the Organization. The breach was discovered by an Organization member who noticed a graphic and message posted on the site by the hacker. The Organization contacted the hosting vendor and the vulnerability was fixed within five hours. The breach involved the personal information of individuals who had posted pictures on the website.
P2015-ND-27

Wal-Mart Canada Corporation

The personnel files of three assistant managers were lost during an office relocation. The Organization believes it is highly likely that the personnel files were misfiled within the Organization. The files have not been recovered.
P2015-ND-26

Wetaskiwin Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-25

Servus Credit Union

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 9, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-24

River City Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 13, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-23

Lakeland Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-22

1st Choice Savings and Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 9, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-21

Edson Savings and Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 10, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-20

Eckville District Savings & Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 9, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-19

Canada Safeway Limited Employee Savings & Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 10, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-18

Beaumont Credit Union Ltd.

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 11, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-17

Bow Valley Credit Union

Credit Union Central Alberta Ltd. (Alberta Central) is the central banking facility, service bureau and trade association for Alberta’s credit unions. Alberta Central, and its joint venture companies, provide payment and technology services to credit unions, including the Organization. On March 10, 2015, Alberta Central notified the Organization that paper records in its custody, containing personal information of the Organization’s members, had been inadvertently stored in an unlocked basement room between October 2014 and January …
P2015-ND-16

Credit Union Central Alberta Ltd.

During an office renovation, 57 boxes of paper records containing the personal information at issue were stored in an unlocked basement room between October 2014 and January 19, 2015. The incident was discovered during an annual compliance review of the Organization’s controls on January 16, 2015. The Organization’s Chief Governance & Compliance Officer was notified of the incident on January 19, 2015. The unlocked room containing the information was accessible to 258 employees of the …
P2015-ND-15

AZGA Service Canada Inc., operating as Allianz Global Assistance

On May 2, 2013 the Organization inadvertently mailed Explanation of Benefit forms, containing the personal information at issue, to the wrong individuals. The error resulted from an incorrect setting on the Organization’s mailing machine which caused unrelated documents to be placed in one envelope. The error was discovered on May 7, 2013.
P2015-ND-14

Coca-Cola Company

On December 10, 2013 the Organization discovered that one of its associates who was suspended pending the outcome of an investigation had stolen eight laptops that contained personal employee information.
P2015-ND-13

Transamerica Life Canada

On May 8, 2014, a courier package containing insurance contracts, applications and medical information was delivered to the wrong recipient. The recipient of the package reported the incident to the Organization on May 26, 2014. The individual declined to disclose the address the package was delivered to. As a result, the Organization was unable to recover the package. The recipient of the package indicated that information will be destroyed by May 30, 2014 if it …
P2015-ND-12

Bell Helicopter Textron Inc.

The Organization learned that a phishing email containing a malicious link was sent to some training program attendees. The email appeared to originate from the Organization. The Organization determined that an unauthorized third party exploited a vulnerability and was able to access training attendees’ names and email addresses, stored in a database. The same database also contained credit card numbers.
P2015-ND-11

World Financial Group Insurance Agency of Canada Inc.

Theft of laptop and paper records. On August 17, 2014, in Calgary, Alberta, an authorised agent (contractor) of the Organization had his locked car broken into. A laptop and paper records containing the personal information at issue were taken from the vehicle.
P2015-ND-10

Polaris Industries Inc.

On May 8, 2013, the Organization discovered that applications submitted by individuals to become dealers for the Organization were accessible over the internet. This occurred because the settings in effect did not require login credentials to access applications made. Each application made was therefore accessible over the internet from the date it was submitted by the individual, until May 8, 2013 when the Organization discovered the issue and disabled the entire dealer application site.
P2015-ND-09

Monkey Business Day Homes Inc.

On October 17, 2014, a laptop was stolen from the Organization’s unlocked premises. The laptop was password protected but not encrypted. The laptop contained personal information about children who attend the day home, their parents and staff members.
P2015-ND-08

Outdoor Network LLC.

On July 16, 2013 there was an unauthorized intrusion into the Organization’s websites. A third party installed malware on the Organization’s server, allowing access to the shopping cart portion of the Organization’s website. The breach was discovered on July 16, 2013. It was found that the breach affected purchases from the company between December 2012 and July 2013.
P2015-ND-07

LaCie USA

On March 19, 2014, the Federal Bureau of Investigation (FBI) informed the Organization that sometime between March 27, 2013 and March 10, 2014, an unauthorized individual or group used malware to gain access to information from customer transactions made through the Organization’s website.
P2015-ND-06

Credential Securities Inc.

On August 22, 2014, the Organization was contacted by a client who advised he had received an email from a third party who had purchased filing cabinets from an auction house in Vancouver that contained a file with his information. The Organization contacted the third party, and was told that 40 client files were found in the filing cabinet. The third party had emailed or called all 40 clients to inform them the files had …
P2015-ND-05

Servus Credit Union Ltd.

A Human Resources manager emailed a letter to an employee at the employee’s request. The letter contained the results of an internal investigation of the employee and advised of the decision to terminate the employee. The email was sent to the wrong email address. The email was not encrypted. The Organization became aware of the privacy breach shortly after transmission but efforts to recall the message failed and the Organization was unable to confirm that …
P2015-ND-04

Home Depot

The Organization was notified by its financial partners and law enforcement on September 2, 2014 that its payment data systems were hacked. The Organization confirmed the security incident on September 8, 2014. The Organization reported that the incident occurred between April 2014 and Sept 8, 2014.
P2015-ND-03

1209652 Alberta Limited

Emails containing confidential client and employee information were emailed to two contracted staff’s personal email accounts. This was an unauthorised disclosure not related to the staff’s work related duties and appears to have been intentional. The two staff members are no longer employed by the Organization.
P2015-ND-02

CBV Collection Services Ltd.

Between February 28, 2014 and April 10, 2014, an employee in the Organization’s Ontario office extracted customer data from the computer system. The employee disclosed the information to a former employee who works for an unauthorized and unaffiliated third party debt settlement agency. The incident was discovered by the Organization on April 4, 2014 when a customer contacted the Organization to ask why the customer’s account had been reassigned to another company. Between April 7 …
P2015-ND-01

Mawer Investment Management

Unauthorized intrusion. The Organization’s web server was compromised between September 3, 2014 and September 4, 2014. Unauthorized access to personal information was gained as a result.
P2014-ND-56

Internap Inc.

Sometime between March 4, 2013 and March 9, 2013, an unknown individual(s) gained access to the Organization’s computer systems located in New York, NY USA. The breach was discovered on March 9, 2013, during a routine check of the Organization’s systems by the technology team. Within the database, credit card information was stored in an encrypted format. All other personal information was stored in clear text. The Organization could not confirm if the personal information …
P2014-ND-55

Heyrock Chartered Accountants

Theft of back-up drive. On December 16, 2013, a back-up drive (USB drive) was stolen from the Organization’s office. The USB drive was used to back-up computer data including clients’ personal tax returns. The loss was discovered on December 17, 2013, when the RCMP stopped a stolen vehicle and found the USB drive in the vehicle. The device was recovered within 24 hours.
P2014-ND-54

Best Buy Canada Ltd.

On June 26, 2013, the Organization sold a computer with personal information of another customer on its hard drive. The computer was previously a demonstration model on the sales floor. The customer who purchased the computer returned it to the Organization on July 5, 2013, and stated that he had copied the data onto a USB flash drive in order to provide it to police. The Organization did a cursory review of the computer’s contents. The Organization investigated and …
P2014-ND-50

Equifax Canada Co.

Unauthorized individual accessed website and used stolen credit cards to purchase credit reports of other individuals. In August, 2013 an unknown party accessed the Organization’s website and purchased copies of credit reports using stolen credit card numbers. The Organization discovered this incident in September 2013 after it was informed that certain credit report inquiries had been purchased with stolen credit cards.
P2014-ND-49

Carber Holdings

On July 30, 2013, two employees discovered five laptops containing the personal information described above were missing from the Organization’s Houston, Texas office. Upon further investigation, the Organization determined the office had been broken into. The laptops were password protected but not encrypted. The Organization reported the incident to the Police.
P2014-ND-18

J.M. Smucker

Unauthorized intrusion and malware. The Organization’s online ordering and billing system was compromised by malware. The Organization reported that the system was compromised on December 23, 2012. Personal information in the system was exposed for approximately 14 months (between December 2012 and January 2014). The Organization was made aware of the breach when it was notified by the United States Federal Bureau of Investigation on February 12, 2014.
P2014-ND-17

King Edward Child Care Society

Emergency backpack kit left outside overnight. Non-profit analysis. The Organization’s emergency backpack kit was left outside at a school playground. The loss was discovered the following day when staff members were preparing for a fire drill. A search for the missing backpack was conducted but it was not located.
P2014-ND-16

Blackboard Canada Incorporated

The Organization’s payroll provider printed and emailed T4 summaries to 43 employees of the Organization. The T4 summaries contained two employee records per page. This resulted in 43 employees receiving their own T4 summary information along with a second employee’s information.
P2014-ND-15

TD Wealth Financial Planning

Theft of briefcase. On or about September 15, 2013, a vehicle belonging to one of the Organization’s financial advisors was stolen in Edmonton, Alberta. A briefcase containing the personal information at issue was inside the vehicle at the time of the theft.
P2014-ND-14

PSFL Investments Canada Ltd. (Primerica)

On or around April 12, 2014, one of the Organization’s agents experienced a break-in to his locked car. Some of the agent’s personal belongings and his laptop were stolen from the car. The information at issue was stored on the laptop. The laptop was password protected but not encrypted. The agent discovered the loss of the laptop when he returned to his car.
P2014-ND-13

Emery Jamieson LLP

Payroll register left outside locked cabinet and lost or misplaced. Some time between August 25-28, 2014, the employee payroll register containing detailed employee information was lost or misplaced. The employee payroll register was left outside the locked cabinet where it is stored during the payroll processing period.
P2014-ND-12

Gingerbread Shed Corporation

Malware used to capture and download data stored on server. The Organization was notified of a potential issue by a merchant, who had been contacted by their processor. A forensics firm was hired and conducted an investigation. The investigation determined that an unauthorized intrusion had occurred. The attack was conducted utilizing sophisticated malware enabling the attackers to capture and download data stored on the Organization’s server. The attack occurred between November 25, 2013 and February …
P2014-ND-11

Desjardins Financial Security Life Assurance Company

A break-in occurred at the Organization’s office in Surrey, British Columbia on the weekend of March 23, 2014. One hundred (100) paper files containing personal, financial and medical information were stolen. Two Organization laptop computers were also stolen. The laptops contained insurance illustrations and advisors’ notes about clients. The laptops were encrypted as well as protected with strong passwords. On August 21, 2014, the Organization notified the OIPC that the RCMP recovered the missing files. …
P2014-ND-10

Auburn University

A spreadsheet containing personal information was inadvertently uploaded to a publicly-accessible Auburn University server.
P2014-ND-09

DealerTrack Canada Inc.

A successful social engineering attack was carried out on October 13, 2013, targeting Toyota City, Wetaskiwin, Alberta. Toyota City uses the DealerTrack application managed by the Organization. An attacker called an employee of Toyota City while impersonating an employee of the Organization. The attacker requested and obtained the Toyota City employee’s authentication credentials (user ID, PIN and security questions) for the DealerTrack application. The compromised account was an administrative (i.e. privileged) account. The attacker used …
P2014-ND-08

EZYield

An online application hosted and operated by the Organization was the subject of a cyber-attack. The attack was discovered on October 24, 2013. The name and credit card information of six (6) Albertans was compromised.
P2014-ND-07

Syncrude Canada Ltd.

In May 2012, the Organization requested the recall of 47 boxes of files from a document storage company (the vendor). In July 2012, 46 boxes were delivered. In the fall of 2013 the missing box came to the notice of the Organization. The missing box contained 10 personnel files. The courier who collected the boxes from the vendor’s storage facility states that, according to the computer records, only 46 boxes were collected. The vendor stated …
P2014-ND-06

Toole, Peet and Co. Limited

An email containing the information at issue was sent to the wrong email account. Instead of the intended recipient, the email was sent to a listserv, an automatic system that sends messages to a list of individual recipients. The listserv and the intended recipient have similar email account names. The listserv then sent the email in question to 10 unintended recipients.
P2014-ND-05

Home Depot of Canada Inc.

On December 16, 2013 an employee of the Organization notified a supervisor of the potential misuse of personal information by a co-worker. Upon learning of the incident, the Organization investigated and also notified the United States Secret Service. The investigation found that databases containing the information at issue had been accessed by three Human Resources (HR) employees for fraudulent purposes. The three HR employees were arrested on allegations of unlawful use of personal information. The …
P2014-ND-04

Allstate Insurance Company of Canada

Rogue employee. A rogue employee created fictitious policies to boost performance statistics. An employee of the Organization created fictitious policies for the affected individuals in order to influence the employee’s work performance record. There were 11 policies created.
P2014-ND-03

Richmond Child Care Association

The Organization is incorporated under the Alberta Societies Act. On October 24, 2013, an emergency backpack kit containing the information at issue was left outside the Organization’s premises overnight. The backpack was discovered to be missing the following day when staff members were preparing for a fire drill. A search for the backpack was conducted but it has not been recovered.
P2014-ND-02

Canada Safeway Limited Employees Savings and Credit Union Limited

Retirement Income Fund tax information slips were mailed to 102 individuals; 48 were mailed to the wrong addresses. A printing error occurred when the system failed to recognize an outdated file within the catalogue of information to be mailed out. This caused all remaining slips to be sent to an incorrect address. The slips were mailed out on January 15, 2014 and the error was discovered on January 22, 2014. In total, 48 envelopes were …
P2014-ND-01

Transamerica Securities Inc.

Social engineering. An advisor with the Organization received and acted upon email requests, believing they were sent by two clients of the organization. In fact, the email requests had been sent by an unauthorized party who had obtained access to the clients’ email accounts. The email requests were about investment redemption. In processing the requests, the advisor disclosed the personal information at issue to the unauthorized party. After processing the email requests the advisor contacted …
P2013-ND-58

C.S.T. Consultants Inc.

A sales representative completed an education savings plan application with two subscribers at their home. The completed application contained a calculation error that needed to be corrected and initialed by the subscribers. The application was to be emailed to the subscribers, but it was emailed to a similar, incorrect email address instead. The application has not been recovered.
P2013-ND-52

BPS Diamond Sports Corporation

Between November 6 and November 8, 2013 an unauthorised third party gained access to certain computer systems located on a server. The access to the systems was gained through hacking. The purpose of the hack is unknown. The server was an asset from a company purchased by the Organization. It was located outside of the Organization’s secure environment, hosted by a third party service provider. Computer systems on the old server included an accounting program …
P2013-ND-48

Mars Canada Inc.

On November 7, 2013, the Organization received a report from an employee that an electronic file containing personal information of 800 employees and their spouses was accessible, on a shared computer drive, to approximately 350 of the Organization’s employees at a facility in Bolton, Ontario.
P2013-ND-47

Mercer (Canada) Limited

The information systems of an organization providing contracted services to the Organization were targeted by a hacker. The personal information at issue was maintained on information systems exposed to the hacker. The intrusion began in June of 2013 and continued until September of 2013.
P2013-ND-45

Pyramid Corporation

On November 22, 2013, the Organization’s human resources officer reported to the Manager of Fleet/Security that an employee, prior to her termination, had forwarded 60 emails (unopened) from her business email account to her personal email account. In addition, personnel files of the terminated employee and her daughter (also an employee of the Organization) were missing. The terminated employee, who worked in the Organization’s payroll department, had authorized access. System audit logs confirmed that the …
P2013-ND-44

Conroy Ross Partners Limited

A laptop containing job applications was stolen from an employee’s vehicle. The laptop was password protected but not encrypted.
P2013-ND-42

Tibo Distribution Inc.

The online sales system used to facilitate transactions on behalf of the Organization was hacked into exposing the above personal information. The Organization was contacted in April and May of 2013 by its credit card merchant and Amex Canada respectively advising that credit card holders that made purchases from one of the Organization’s websites had been compromised. An internal review of the third party’s system used to facilitate sales transactions was conducted and the system …
P2013-ND-41

The Certified General Accountants’ Association of Alberta

On July 30, 2013, the Organization discovered that one of its web servers was sending out mass emails not authorized by the Organization. The server is located in Calgary, Alberta. A vulnerability in software used by the Organization to create marketing websites on the server was exploited. As a result, downloaded malware caused spam email to be sent from the server to email addresses unrelated to the Organization. The compromised web server contained the personal …
P2013-ND-40

Alberta Treasury Branches, carrying on business as ATB Financial

On the night of June 15, 2013 the Organization’s Marwayne Agency located in Marwayne, AB, was broken into and the safe stolen. The safe contained a rolodex and a hard drive which contained unencrypted personal information belonging to 123 individuals. The safe was later found but the rolodex and hard drive were missing.
P2013-ND-39

Allstate Insurance Company of Canada

An employee of the Organization created fictitious policies for the affected individuals in order to influence the employee’s work performance record. There were 45 property policies and 33 auto policies created. All policies were retracted by the employee except for three. These three policies were sent to a collection agency for failure to pay the policy. This was discovered during an internal investigation. The insurance policies were created between 2012 and 2013.
P2013-ND-38

G.P. Performing Arts Guild

The Organization uses a third party service provider web application to facilitate online ticket purchasing, marketing and customer relations. The service provider experienced an unauthorized intrusion into the web application server system on April 25, 2013, that involved the above personal information of Organization patrons.
P2013-ND-37

Panther Sports Medicine & Rehabilitation Centres Inc.

A laptop used by an Organization consultant containing the personal information was stolen from a vehicle in Calgary, Alberta.
P2013-ND-36

Baker Hughes Canada Company

Sometime between 9:00 p.m. on July 15 and 8:00 a.m. on July 16, 2013, a laptop was stolen from a vehicle parked outside a residence of an employee of the Organization located in Calgary, Alberta. The laptop contained the personal information of 60 employees of the Organization.
P2013-ND-35

Morningstar Inc.

On May 21, 2013, a customer contacted the Organization to report that an abnormal file was found on the Morningstar Document Research (MDR) system. The Organization investigated and concluded that someone hacked into the MDR and gained access to personal information about the Organization’s MDR customers. It was determined that the intrusion occurred on or around April 3, 2012.
P2013-ND-34

The Empire Life Insurance Company

In April of 2013, a customer residing in Ontario received another member’s T4RIF tax slip along with their own tax slip. The Organization inadvertently placed two members’ tax slips in the same envelope and mailed those tax slips to one of the intended recipients. The member who received another member’s tax slip reported the incident to the Organization. The Organization contacted the member by telephone and the member verbally confirmed that the other member’s tax …
P2013-ND-33

Beachbody, LLC

In March and April of 2013, several customers contacted the Organization to report that they experienced fraudulent charges on credit cards that had been used to make online purchases on the Organization’s website. The Organization hired forensic experts who confirmed that the Organization’s website was hacked and the personal information may have been accessed by the hacker(s). The forensic experts confirmed that credit card numbers and the corresponding expiry dates had been encrypted and were …
P2013-ND-32

The Equitable Life Insurance Company of Canada

On June 4, 2013, a laptop was stolen from the desk of one of the Organization’s employees. The theft occurred in Vancouver, British Columbia. The laptop had been cable locked to the employee’s desk.
P2013-ND-31

LivingSocial Canada Enterprises Inc.

Individuals register on the Organization’s website to receive emails about consumer product, service or event information for a particular geographic location. On April 12, 2013, the Organization became aware that an unauthorized intruder had used compromised credentials to hack into and extract information from the Organization’s servers. The compromised servers contained the above personal information, in addition to other information about terms of agreement, last preferred city, referral source, account information (last update and creation …
P2013-ND-30

H.B. Fuller Company

A laptop computer was stolen while en route from St. Paul, Minnesota to Vancouver, Washington. It was sent via Fedex. The laptop was shipped on May 16, 2013. The Organization was notified of the theft on May 17, 2013. The hard drive of the laptop contained a spreadsheet with the names, addresses and social insurance numbers of former employees.
P2013-ND-29

Pengrowth Energy Corporation

On April 12, 2013, an employee reported that shares had been sold from his employee share compensation account without his authorization. A third party service provider establishes and administers the Organization’s employee share compensation accounts. Employees access and manage the accounts via an online site provided by the service provider. On April 16, 2013, the service provider discovered that eight other employees had also experienced unauthorized sales of shares from their accounts. The shares were …
P2013-ND-28

Standard Life Assurance Company of Canada

Group plan insurance application forms and related medical documents were lost in transit by a third party mail courier. The forms and related medical documents were sent between the end of November 2012 and early January 2013 from the Organization’s Toronto office to its Montreal office. The forms were confirmed missing January 7, 2013.
P2013-ND-27

Canadian Cancer Society

On May 1, 2013, during the execution of a search warrant, the Calgary Police Service (CPS) discovered documents belonging to the Organization on the floor of a storage locker. The documents contained the personal information described above. The CPS contacted the Organization on May 23, 2013. Two suspects were charged with break and enter and theft in connection with other property found in the storage locker. The Organization does not know how the suspects came …
P2013-ND-26

Robertson Bright Inc.

On February 15, 2013, an employee reported the T4 information of another employee had been printed on his or her T4 form. The Organization investigated and discovered that the T4 information for 36 employees was printed in error on the T4 forms of 36 fellow employees.
P2013-ND-25

Investment Industry Regulatory Organization of Canada

In February 2013, an Organization examiner accidentally lost a portable device containing the personal information. The personal information was collected for the purpose of compliance examinations.
P2013-ND-24

Vancouver Island Insurance Centres Inc. operating as H & D Insurance Brokers

A USB drive containing the personal information was mailed in an envelope from London, England, on January 17, 2013, to the Organization’s office in Nanaimo, British Columbia. The Organization received the envelope on January 21, 2013. The USB drive was missing. There was a hole in the envelope.
P2013-ND-23

Hershey Canada Inc.

The youth track and field event manager website is used to coordinate Organization sponsored events across Canada and the United States. The Organization website is hosted on a third party server. An unauthorized individual(s) accessed the third party server and deployed a malicious script. As a result of the malicious script, a website stored on the same server as the Organization website was defaced with a political statement on January 17, 2013. When the third …
P2013-ND-22

Dealer Track Canada, Inc.

The Organization operates a computer system used by auto dealers to communicate electronically with potential lenders and insurers. On April 5, 2013, a fraudulent caller claiming to represent the Organization’s technical support contacted two employees of an auto dealer and convinced them to provide their login credentials. Using these credentials, an intruder logged into the Organization’s system and attempted to access credit bureau reports for auto dealer customers. The attacker was able to view and …
P2013-ND-21

Invis Inc.

On April 10, 2013, a vehicle belonging to an employee of the Organization (the Mortgage Broker) was broken into while it was parked at a restaurant in Edmonton, Alberta. The Mortgage Broker’s laptop was stolen from the vehicle. The laptop contained client files for 108 clients.
P2013-ND-20

Brenda Strafford Foundation Ltd.

On February 20, 2013, the Organization prepared and mailed T4 slips for its employees. On February 28, 2013, an employee contacted the Organization to report receiving two T4 slips instead of one. The second T4 slip was for another individual. The incident was the result of human error. Two T4 slips instead of one were accidentally inserted into 150 envelopes. The result was 150 employees (the Recipients) received their own and another employee’s T4 slip.
P2013-ND-19

PFSL Investments Canada Ltd.

On January 21, 2013, an agent for the Organization (the Agent) had a bag containing the Client Information stolen out of her rental vehicle in Costa Rica. The Client Information has not been recovered. The Organization issued new account numbers for Clients A, B, and C.
P2013-ND-18

Sculptz, Inc. operating as Enchantress Hosiery of Canada

On March 11, 2013, the Organization discovered during a scheduled security review that the Organization’s website had been hacked. The website server log showed access by an unauthorized individual(s) on March 5, and 9, 2013, to the personal information at issue.
P2013-ND-17

TD Financing Services Inc.

On January 25, 2013, the police advised the Organization a person had been apprehended with photos of full and partial Applications on his or her cell phone. The Applications were dated from 2011. The Applications appeared to have originated from a hot tub vendor who is a dealer for the Organization. The Organization offers financing for customers of the vendor.
P2013-ND-16

Valpak of Canada Limited

On November 14, 2012, a United States Postal Inspection Service investigator contacted the Organization and informed it that an individual who had been temporarily employed by the Organization (Temporary Employee) had been indicted and charged with mail fraud. The Temporary Employee was employed by the Organization between June and September 2011. When the Temporary Employee was arrested, the file with the personal information at issue was in his possession. The Temporary Employee allegedly opened post …
P2013-ND-15

Billabong International Limited

On October 23, 2012, the Organization learned an online technology blog was reporting that a hacking group claimed to have attacked one of the Organization’s databases. The blog post reproduced Twitter posts made by the hacking group. The Twitter posts stated that the Organization’s databases had been “attacked & hacked” and included a hyperlink to a website where users post computer-related code. A post by the hacking group on this website claimed to have accessed …
P2013-ND-14

Crafts Americana Group, Inc.

On January 25, 2013, a payment processor notified the Organization about a number of unauthorized transactions involving Organization customers. The Organization investigated and discovered an unauthorized file on one of its servers. The file contained the personal information of customers who had purchased merchandise through 3 of the Organization’s websites. Credit card numbers in the file were matched to unauthorized transactions reported to the Organization. The Organization determined that an unauthorized individual(s) exploited a software …
P2013-ND-13

Servus Credit Union Ltd.

An employee at the Organization sent the member’s personal information contained in a tax free savings account (TFSA) document to the wrong email address. The Organization does not know the individual to whom the TFSA was sent. The Organization has been unable to reach the individual who received the email in error.
P2013-ND-12

Leading Edge Physiotherapy

On February 3, 2013, the Organization’s office was broken into. An unencrypted external hard drive containing patient files, as well as some money, was stolen from a locked safe. The unencrypted hard drive held backup copies of 2049 patient files.
P2013-ND-11

Blizzard Entertainment Inc.

Between December 18, 2012, and January 25, 2013, my Office requested the Organization provide additional information. The additional information was provided by the Organization between January 9 and March 15, 2013. The Organization operates a gaming website. In order to play the games offered on the website, individuals are required to provide information. On August 4, 2012, the Organization determined that an external person(s) gained unauthorized access to its internal network servers. These servers contained …
P2013-ND-10

Sun Life Assurance Company of Canada

On January 17, 2013, the Organization mailed the Statements to its members. The Organization determined there was an error in the mail production file. This caused the incorrect printing of addresses on 19 envelopes. Six of the 19 envelopes were delivered to the proper member. Two of the 19 envelopes were returned to the Organization. Eleven of the 19 envelopes were not delivered to the addressee or returned to the Organization. These envelopes have not …
P2013-ND-08

Dominion of Canada General Insurance Company

On October 18, 2012, four human resources employees discovered they had access to employee folders on the internal network drive that they previously did not have access to. The Organization determined an error occurred during a network migration resulting in all authorized users of the Organization’s internal network having access to the folders. There are 1,547 authorized users of the internal network, including employees, consultants, and contractors. Access controls for the folders were restored on …
P2013-ND-07

Teamsters Local Union 987 of Alberta

A former employee of the Organization is alleged to have distributed the personal information of the Affected Individuals to 20 fellow employees and others known to the Organization (the “Recipients”). The personal information was contained in a document (the “Document”). The Document was left at the residence of each Recipient.
P2013-ND-06

Boehringer-Ingelheim (Canada) Ltd.

On October 17, 2012, a service provider sent an email to 182 individuals (the “Recipients”). 172 of the Recipients were employees of the Organization. Inadvertently attached to the email was a spreadsheet containing the personal information.
P2013-ND-05

TD Waterhouse Canada Inc.

On November 16, 2012, a mail courier was the victim of an armed robbery outside of one of the Organization’s branches located in Calgary. The courier’s mail bag was stolen. An envelope containing the share certificate was in the mail bag. The Organization reported the theft to the Calgary Police Service. The mail bag was not recovered.
P2013-ND-03

Hinton Wood Products, a division of West Fraser Mills Ltd.

On November 23, 2012, the Organization was notified by an employee that he had been contacted by an unidentified coworker who had commented on the employee’s earnings. The Organization investigated the matter and determined the following: – The personal information at issue was inadvertently stored on a network drive accessible to 435 employees in British Columbia and Alberta. The personal information may have been accessible on the drive since 2007. – Between April and November …
P2013-ND-02

Costco Wholesale Canada Ltd.

On December 7, 2012, American Express notified the Organization that card skimming activity occurred at 1 or more of the Organization’s locations in Calgary, Okotoks, and Rocky View. Further, American Express advised the Organization that approximately 22 credit cards were duplicated and used in a fraudulent manner as a result of the skimming that occurred. As part of the Organization’s internal investigation, video surveillance tapes were reviewed and the Organization confirmed that skimming devices were …
P2013-ND-01

ATB Financial

On November 5, 2012, a vehicle belonging to an ATB Securities Associate (“the Associate”) was broken into while it was parked in the Organization’s parking lot for the period of 1 hour that evening. The Associate left a briefcase containing the personal information belonging to 2 individuals (“the Affected Individuals”) as well as numerous personal effects in his or her vehicle. The Organization reported the theft to the Calgary Police Service. The briefcase was returned …
P2012-ND-34

ConocoPhillips Canada (North) Limited

On October 17, 2012, an employee of the Organization had his or her house broken into. A workbag was stolen from the employee’s house along with electronic items, a purse, wallet and several other small items of personal property. The documents containing the information described above were in the workbag when it was stolen.
P2012-ND-32

Sun Life Assurance Company of Canada

On October 9, 2012, a benefit consultant notified the Organization that the Forms mailed by the Organization on September 12, 2012, had not been received. The Organization and benefit consultant did a search for the Forms in their respective offices and did not find them. The matter was reported to Canada Post on October 22, 2012. Canada Post confirmed the package containing the Forms did not appear in the undelivered database.
P2012-ND-31

Eharmony

On September 5, 2012, the Organization was notified by U.S. federal law enforcement that a breach (“the Incident”) was discovered in connection with an undercover operation they were conducting. The Organization determined that records of 529,411 users were hacked. Of those records, 5,245 records belonged to Alberta residents (the “Affected Individuals”). The hack occurred as a result of an unknown software program, which extracted the personal information between May and June, 2010.
P2012-ND-30

Billabong International Limited

The Organization was notified on July 13, 2012, that the Organization’s website had been hacked by an unauthorized individual. The hack occurred on July 11, 2012. The Database File contained information collected between 2006 and August 2011. It was not linked to other Organization systems or databases. The Organization was informed the hacker posted approximately half of the data entries from the Database File on a website that provides computer programmers with a platform to …
P2012-ND-29

BP Canada Energy Group ULC

On July 23, 2012, an employee of a subsidiary of the Organization discovered a laptop was stolen from their residence in Malaysia. The subsidiary employee used the laptop in connection with a project involving the transfer of data from the Organization’s human resource management system to a new payroll system (the “Project”). The laptop was password protected. It was not encrypted. The laptop has not been recovered.
P2012-ND-28

Enmax Corporation

A service provider retained by the Organization to perform pension administration services (the “Service Provider”) was involved in the incident. The Service Provider notified the Organization that it mailed the Retiree’s Statement to another individual in error. The error occurred with respect to the Statement mailed on February 24, 2012. The Service Provider cannot accurately identify the individual who may have received the Retiree’s Statement. The Service Provider has been unable to recover the Statement. …
P2012-ND-27

Uniglobe Geo Travel Inc.

Between July 16, 2012, and July 23, 2012, an unauthorized person obtained an employee’s login credentials by intercepting email sent on a wireless network. As a result, the unauthorized person gained access to the Database. The Organization is unable to identify which customers may have had their credit card number compromised.
P2012-ND-26

Technip Canada Limited

On July 26, 2012, the Organization discovered the Organization’s personnel files were missing from a locked file cabinet. The personnel files were located in a locked file cabinet in an office in the Organization’s premises located in a secured building. The building and the Organization’s office are accessible by an authorized I-disk key provided to authorized employees and contractors. The Organization believes the incident occurred sometime between the end of office hours on July 25, …
P2012-ND-25

OANDA (Canada) Corporation ULC

The Organization provides an online foreign currency trading platform service to account holders. The Organization investigated a report by an account holder on July 17, 2012, of unusual activity in his or her account. The Organization discovered a head office employee’s computer was hacked between July 14, 2012, and July 17, 2012. Audit records show that the hacker gained access to the customer database and viewed the Affected Individual’s Account Information. The incident was reported …
P2012-ND-24

Oil City Hospitality Inc.

The Organization’s head office in Edmonton, Alberta, was broken into sometime during the weekend of June 23, 2012. On June 25, 2012, the Office Manager discovered that a memory stick was missing from her desk. The memory stick appeared to be the only item stolen. The memory stick contained the Payroll Information for a three-year period. The memory stick was the backup to information on the Office Manager’s hard drive.
P2012-ND-23

1st Choice Savings and Credit Union Ltd.

The Organization printed the TFSA statements at the end of June, 2012, and mailed them the week of July 2, 2012. On July 9, 2012, a member of the Organization reported to the Organization that he or she received another member’s TFSA statement printed on the back of his or her TFSA statement. A printing error caused by human error resulted in one page of a member’s statement appearing on the back of another member’s …
P2012-ND-22

Equitable Trust Company

A GIC application of an Ontario client was retrieved from a garbage station in Toronto. Following this incident, the Organization conducted an investigation and discovered that an Organization employee may have disposed of other GIC applications in this manner. The Affected Individuals’ Applications were not filed during the week of June 11, 2012. The Organization believes the Applications were also inappropriately disposed of by an Organization employee in residential garbage sometime between May 16, 2012, …
P2012-ND-21

College of Registered Dental Hygienists of Alberta

The Organization contracts with an Accounting Firm (“AF”) for the provision of accounting services. The AF prepared a T4 summary on the Organization’s behalf. The T4 summary was placed into an envelope and mailed by the AF to the Canada Revenue Agency (“CRA”) on January 27, 2012. On May 30, 2012, the CRA contacted the Organization and said that the CRA had not received the Organization’s T4 summary. The Receptionist confirmed that the envelope was …
P2012-ND-19

Tauck, Inc.

April 15, 2012 – Theft of briefcase containing laptop and guest information forms. The forms were pre-populated with information collected in Airdrie, and then completed by guests while on tour in London, England. The forms were in a briefcase, which was stolen in Paris, France. On May 21, 2012, the Organization sent a letter notifying the Affected Individuals about the incident.
P2012-ND-18

Combined Insurance Company of America

A sales representative visited the homes of the Affected Individuals between October 31, 2011, and November 4, 2011, to renew policies and collect the Payments. Around November 14, 2011, the sales representative believes a sealed envelope containing the Payments was lost while transporting it to her vehicle. The incident was reported to her manager. The police were also notified. During the week of November 14, 2011, the sales representative attended on the homes of the …
P2012-ND-17

Loblaw Companies Limited

On March 15, 2012, the police contacted the Subsidiary. The police had received information that sometime around March 11, 2012, a former employee of the Subsidiary (the “Former Employee”) allegedly offered personal information of the Subsidiary’s colleagues to a third person during a criminal transaction. Allegedly, the third party intended to use the personal information for identity theft.
P2012-ND-16

Indie Research, LLC

Between April 3, 2012, and April 7, 2012, the personal information on the Organization’s server was hacked into providing access to unauthorized third parties. The incident was discovered by the Organization on April 11, 2012.
P2012-ND-15

Meglobal Canada Inc.

Pursuant to a services agreement, Dow Chemical Canada ULC (“Dow”) provides payroll processing services, including preparation of T4 and T4A tax information forms to the Organization. On February 27, 2012, the Organization mailed approximately 224 T4 slips to its employees in Alberta. The incident was reported to the Organization in reports made by the Organization’s employees when they received unsealed envelopes in the mail. When the Organization was notified by the employees of the incident, …
P2012-ND-14

Dow Chemical Canada ULC

On February 27, 2012, the Organization mailed approximately 738 T4 slips to its employees in Alberta. The Organization received reports from employees that they received unsealed envelopes in the mail.
P2012-ND-13

Gallivan and Associates Student Networks Inc.

A Gallivan staff member went to use a portable memory device (flash drive) and could not locate it. After an extensive search, she reported it missing. It is unknown if it was stolen or lost inadvertently.
P2012-ND-12

State Farm Mutual Automobile Insurance Company

A service provider retained by the Organization to perform pension administration services (the “Service Provider”) was involved in the incident. The Service Provider notified the Organization that it mailed the Retiree’s Statement to another individual in error. The error occurred with respect to the Statement mailed on February 24, 2012. The Service Provider cannot accurately identify the individual who may have received the Retiree’s Statement. The Service Provider has been unable to recover the Statement.
P2012-ND-11

Sun Life Assurance Company of Canada

The Organization has a website where plan members can access their claim information. A system error occurred enabling some plan members the ability to access claim information of other plan members, including the Alberta Claimants and the Family Members.
P2012-ND-10

Law Society of Alberta

An employee with the Organization (the “Employee”) inadvertently forwarded an email with an attached document (the “Document”) containing the personal information of 104 individuals, to 28 individuals in the Organization (the “Recipients”). One of the Recipients brought the error to the Employee’s attention the day after the email was sent.
P2012-ND-09

Brick Warehouse LP

The Organization held an online contest across Canada. The contest ran between October 11 and November 3, 2011. Contestants provided personal information in order to be eligible to win a prize as part of the contest. The personal information was stored in a database hosted by a third party service provider contracted by the Organization to forward coupons associated with the contest. On November 17, 2011, employees at the Organization who had set up email …
P2012-ND-08

Chivers Carpenter Lawyers

On February 20, 2012, a lawyer who was an employee of the Organization had her vehicle broken into. In her vehicle were Briefcase 1 and Briefcase 2. Briefcase 1 was stolen from the vehicle. It was not recovered.
P2012-ND-07

Ceda International Corporation

Following a breach of personal information involving unauthorized access to personal information located on its internal “L” drive, which was reported to my Office on May 10, 2011, the Organization undertook a review of the contents of its “L” drive. During this review, the Organization found documents containing the personal information at issue. Access to the “L” drive was shut down on April 6, 2011, and all the personal information immediately removed.
P2012-ND-06

Empire Life Insurance Company of Canada

T4As1 and Relevé 1s (tax reporting statements for Quebec residents) were mailed from the Organization’s head office in Kingston, Ontario to 14,363 contracted advisors (“advisors”) of the Organization during the week of February 6 – 9, 2012. The Organization advised that due to human error the Organization’s copies of T4As were printed two to a page and Relevé 1s were printed 3 to a page and mailed to the advisor whose name appeared on the …
P2012-ND-05

Manulife Financial

On January 27, 2012, the Service Provider mailed T4As to plan sponsors and plan members. On February 1, 2012, the Organization was contacted by two individuals who reported receiving another individual’s T4A in the envelope containing their own T4A(s). On February 3, 2012, the Service Provider reported to the Organization that it had identified an error in a computer program, a “logic error” in the handling of the T4A “house-holding process”. Where a member or …
P2012-ND-04

Trion Worlds Inc.

A database breach occurred September 7, 2011 and continued to September 13, 2011. The breach was discovered conclusively on December 7, 2011 after learning that the account of a Trion employee had been compromised. An investigation was launched regarding the scope of the intrusion at that time.
P2012-ND-03

J. Darcy Walls Professional Corporation

On February 6, 2012, the President of the Organization reported that his rental unit was burglarized in Cathedral City, California. The thief stole an assortment of goods, including an Ipod and Ipod player, two briefcases, jewellery, spare keys to the President’s minivan and rental unit, a camera case and telephoto lens. Among the goods stolen from the rental unit was the President’s laptop, and hard disk backup that he used to provide his clients with …
P2012-ND-02

Dealer Track Canada, Inc.

In violation of its agreement with the organization, a user of the Organization internet site at an automotive dealership (located in Edmonton, Alberta) provided answers to their password recovery information. This allowed an individual posing as an organization employee to fraudulently gain access and reset the dealership user’s organization login password. Subsequently, the credentials were then used to view one consumer file on the organization internet site. The incident occurred on September 11, 2011, and …
P2012-ND-01

Servus Credit Union

On January 5, 2012, an Organization employee (“the Employee”) took work home at the end of the day. The Employee left a bag, containing a work issued laptop and paper documents containing the personal information of five (5) Organization members (customers) and one (1) Organization employee (“the Affected Employee”) in her car parked outside her residence in Edmonton, Alberta. When she went to retrieve her bag the next day, it had been stolen.
P2011-ND-043

Aaron’s Inc.

On September 26, 2011, an Organization’s franchisee store was burglarized in Fresno, California. The thieves stole an assortment of goods, including TVs, computers, and electronic gaming devices. Among the goods stolen from the store was a computer that was used in the store’s day-to-day operations. It was determined that this stolen computer contained a file with the personal information of customers who owed payments outstanding to the Organization. There were a total of 695 affected …
P2011-ND-042

Personality Profile Solutions Inc.

On September 14, 2011, the Organization discovered that unknown person(s) illegally accessed the system of the outside vendor that hosts their website: DISCProfile.com. It was found that credit card transactions processed between May 8, 2011 and September 14, 2011 were subject to illegal interception. In early September, 2011 (prior to September 14) three customers outside of Canada notified the Organization about fraudulent credit card transactions. After receiving these customer notifications, the Organization immediately engaged their …
P2011-ND-041

Travers Food Service Ltd.

In January 2011, the Organization installed a Point of Sale (POS) terminal in the cafeteria for credit card transactions and a second POS terminal was installed in March 2011. As a result of the remote location, the Organization does not have its own external networking infrastructure, but uses its client’s network at this particular remote site. On July 20, 2011, a security scan of the external facing network discovered that network share folders on the …
P2011-ND-040

Sun Life Assurance Company of Canada

On November 8, 2011, an Organization Advisor (the “Advisor”) reported the theft of her briefcase which contained her laptop and documents belonging to a client. The briefcase was stolen from the Advisor’s locked car from a parking lot in Edmonton, Alberta while the Advisor attended a meeting.
P2011-ND-039

Zellers Drug Stores (ALTA) Limited

In the early morning of November 21, 2011, it was discovered that a locked safe within an Organization pharmacy in Edmonton, Alberta was stolen. The safe contained, among other things, narcotics and a notebook with personal information of nine Organization pharmacy customers.
P2011-ND-038

Teck Coal Limited

On July 7, 2011 annual pension statements for some Organization employees were mailed to the wrong Pension Plan Members. The breach was the result of an incorrect data sort on an Excel file which caused members’ names to line-up with incorrect addresses. The incident was discovered on July 13, 2011 when an Organization employee gave his foreman an unopened Annual Pension Statement envelope. The foreman subsequently provided the envelope to an individual in employee relations …
P2011-ND-037

Sun Life Assurance Company of Canada

On June 17, 2011, an applicant for term life insurance with the Organization provided health information on a paramedical form. The health information was collected by a service provider for the Organization. The health professional usually sends completed paramedical forms to the service provider’s office through Canada Post, but because there was a postal strike at that time, the service provider had instructed its health professionals to use couriers. The health professional put the applicant’s …
P2011-ND-036

GICdirect.com Financial Services Ltd.

Since June 2011, GIC has been upgrading its client management computer system. Despite its policies and safeguarding measures, on September 24, 2011, a long-term and valued employee saved client personal information onto a USB memory stick to do some work outside of the office. The data on the memory stick was not encrypted. The employee intended to assist the organization through working from home. Unfortunately, sometime between September 24 and 25, 2011, the employee lost …
P2011-ND-034(1)

Delta Hotels and Resorts

P2011-ND-034

Delta Hotels and Resorts

On July 11, 2011, Delta was contacted by an “ethical hacker” and advised he or she had accessed a web-facing server containing information on its legacy loyalty program. Delta confirmed that a web-server hosting 18 databases had been accessed by an unauthorized individual sometime between June 28, 2011 and July 11, 2011. The information on the server relates to a variety of sales, loyalty and marketing programs, and also contained personal information.
P2011-ND-033(1)

Assante Wealth Management

Sometime before July 21, 2011, the Organization sent five work permits via courier from Calgary, Alberta to five clients in St. John’s, Newfoundland. On July 31, 2011, the five clients contacted the courier company to ask when delivery of the couriered work permits would arrive. The courier company noted that the work permits were delivered on July 21, 2011. The courier company said that no one was at the residence to accept the package, so …
P2011-ND-033

VRV Global Ltd.

Between May 19, 2011 and July 18, 2011, suspicious account activity was noted for client accounts serviced by the Hein Financial Group. The Organization investigated and found that some clients’ personal information was accessed on an unauthorized basis between March 14, 2011 and July 11, 2011. It is believed that the unauthorized party gained access to some accounts by using the password of an employee to access an online database. In some cases, the unauthorized …
P2011-ND-032

Society of Manufacturing Engineers

On August 10, 2011 an external hacker gained unauthorized access to the Organization’s computer resources. The incident occurred and was discovered on the same day during routine security monitoring.
P2011-ND-030

Devonian Properties Inc.

On August 9, 2011, the Organization discovered there had been unauthorized access to its servers. An unknown intruder had created several user profiles with administrative rights on both servers. The incident was discovered by an authorized user who noticed that when logging onto DPI’s server for an update, the internet browser was open to an unfamiliar site with Korean writing. DPI determined that a program had been downloaded to the server at a time when …
P2011-ND-029

Liquor Stores Limited Partnership

The Organization entered into an agreement with an IT service provider to transfer information from a subsidiary organization’s Alaskan database into its main database. The service provider entered into a subcontract with another IT service provider, Microsoft Business Solutions (“Microsoft”), to assist with the database transfer. According to Microsoft, several hard drives, including a hard drive containing information from the Alaskan database, were reported missing from the work area in its secured facility in Fargo, …
P2011-ND-028

Britec Computer Systems Limited

The Organization’s Calgary office was broken into on July 27, 2011. An unencrypted external hard drive, unencrypted flash drive and 3 password protected laptops were stolen. The incident was discovered when staff came to work the morning of July 27, 2011.
P2011-ND-027

Transamerica Life Canada

On May 24, 2011, the Organization processed a request for a partial withdrawal of funds for the sum of $75,000 from a policy held jointly by two Alberta residents. The funds were wire transferred to a bank account in their names pursuant to the request. As a result of suspicion raised by the bank on May 27, 2011, the Organization contacted the policyholders and the policyholders confirmed that they did not request the withdrawal.
P2011-ND-026

Canadian Standards Association

On March 16, 2011, the Organization discovered a new generation Qakbot virus on its network. The virus accessed information that the employees themselves had entered when they used their work computers to access the internet, including if they accessed the computer for personal reasons. The virus also captured live key stroke data entered during the time the virus was active. The Organization’s forensic investigation determined the virus focused on capturing and transmitting personal account information …
P2011-ND-025

DWM Securities Inc.

On June 15, 2011, in Langley, British Columbia, a car belonging to the administrative assistant of two of the Organization’s Advisors was broken into, and items in the car were stolen, including an external hard drive. The external hard drive contained an unencrypted backup of the Advisors’ internal network, including client files.
P2011-ND-024

Best Buy Canada Ltd.

A customer attended at the Organization on May 9, 2011 to pick up his computer but was inadvertently given another customer’s computer. The incident was discovered on May 11, 2011 when the owner of the computer came to pick up his computer. The computer was returned to the Organization on May 12, 2011. The unauthorized recipient of the computer confirmed in writing that he had not copied, retained, or distributed the information on the computer.
P2011-ND-023

Lifescan Canada Ltd.

Between October 20 and November 10, 2010, the Organization ran a contest. Entrants provided personal information. On May 10, 2011, the Organization received an email from an individual reporting that their personal information was visible on the public webpage. The contest website was removed on May 11, 2011. The Organization’s investigation found that personal information of entrants was stored on web pages that were not intended to be accessible by the public. The information had …
P2011-ND-022

Empire Life Insurance Company

On May 3, 2011, a one term insurance policy file was sent via courier to the wrong address. The breach was caused by selecting the incorrect receiver from the FedEx Shipping system. The incident was discovered on June 6, 2011 when the recipient who had received the file in error contacted the Organization to report the error. The file was sent to the recipient’s address, but was not addressed to the recipient. The recipient opened …
P2011-ND-021

T & T Supermarket Inc.

On June 14, 2011, the Organization determined there had been unauthorized access through its website to databases on a server located in Vancouver, B.C. A high number of fields were modified, and the modified information contained a redirect link to an external web page that possibly contained malware which activated the download of additional software from visitors’ computers in an attempt to gather personal information. The unauthorized access occurred between June 6, 11 and 14, …
P2011-ND-020

Honda Canada Inc. and Honda Canada Finance Inc.

In 2009, the Organization sent letters inviting its customers to register in a web portal which would allow online access to various vehicle information. The invitation letters included a Personalized URL, or “PURL”. The PURL registration pre-filled certain customer information. On March 2, 2011, the Organization noted an activity report showed an unusual volume of requests from a single IP address (the “Anomaly IP”) between February 12 – 23, 2011. On investigation, the Organization discovered …
P2011-ND-019

Adrenalin Audio Inc.

In March 2011, the Organization moved its store location. Sometime between April 1 – 15, 2011, credit applications were thrown in the dumpster behind the new store location. The Organization states they were slated for shredding, but were inadvertently thrown out.
P2011-ND-018

Sony Online Entertainment LLC

On May 1, 2011 the Organization discovered evidence that between April 16 – 17, 2011 customer data may have been taken by an attacker during an unauthorized and illegal attack on its network. The intruder issued a query that was designed to query specific data fields for each of the Organization’s network’s approximately 24.6 million registered user accounts containing any customer information.
P2011-ND-017

Sony Network Entertainment America Inc.

On April 19, 2011, the Organization discovered unplanned and unusual activity taking place on the network. The Organization investigated and found that an intruder issued a query that was designed to return information from specific data fields for each of approximately 77 million registered user accounts.
P2011-ND-016

Ceda International Corporation

On April 6, 2011, an employee of the Organization opened a subfolder on an internal public drive, and found a spreadsheet containing the information at issue for 240 current and former employees. The employee reported the incident to his supervisor and the information was removed from the system April 6, 2011. The spreadsheet was on the internal public drive for 15 months.
P2011-ND-015

Suncor Energy Inc.

During the week of April 15-21, 2011, revised income tax reporting statements, T4 and Relevé (tax reporting statements for Quebec residents) were mailed from the Organization’s head office in Calgary to 116 employees in Montreal. On April 20, 2011, an employee contacted the Organization and advised that they had received someone else’s tax statements. As of May 16, 2011, a total of three employees had reported receiving tax statements in error.
P2011-ND-014

Lexand Electric Inc.

On April 10, 2011, the Organization’s President discovered that his vehicle had been burglarized and several items stolen, including an external hard drive containing the personal information of current and former employees as well as new home owners. Also stolen was a briefcase containing a list of employee user IDs and passwords. The external hard drive was not encrypted nor was it password protected.
P2011-ND-013

H & R Block

On March 22, 2011, a set of client letters were mailed to 58 clients who had had a change of address in the past year. On March 30, 2011, a software issue that led to the breach was discovered. The breach was a mailing of CRA letters to the correct name, but incorrect address.
P2011-ND-012

AIR MILES Reward Program

The Organization uses a US-based, third-party marketing organization, Epsilon, to send email notifications and to manage the Organization’s rewards program. On April 3, 2011, the Organization was notified by Epsilon that it had experienced a massive data breach and that the Organization’s customers were among the affected individuals. Specifically, on March 30, 2011, Epsilon investigated an alert regarding unusual download activity and discovered that login and password credentials for an email application administrator had been …
P2011-ND-011

Best Buy Canada Ltd.

The Organization uses a US-based, third-party marketing organization, Epsilon, to send email notifications and to manage the Organization’s loyalty program. On March 31, 2011, the Organization was notified by Epsilon that it had experienced a massive data breach and that the Organization’s customers were among the affected individuals. Specifically, on March 30, 2011, Epsilon investigated an alert regarding unusual download activity and discovered that login and password credentials for an email application administrator had been …
P2011-ND-010

Twin America LLC

On or about October 25, 2010, the Organization learned that its customers’ credit card information may have been compromised when a web programmer discovered unauthorized script that appears to have been uploaded to the Organization’s web server. The unauthorized script was a SQL injection script which appeared to have occurred on September 26, 2010. It successfully permitted hackers unauthorized access to the Organization’s database from September 26, 2010 to October 19, 2010.
P2011-ND-009

CitiFinancial Canada Inc.

On March 3, 2011 an employee of the Organization discovered that T4A statements for two retired employees were inadvertently mailed to the wrong retirees. The statements were mailed on February 24, 2011.
P2011-ND-008

MAF Metal Alloy Fabrication Limited

The Organization uses an external payroll company to process its payroll. After noticing a number of irregularities (including the addition of unknown employees), the Organization’s accounting administrator contacted the external payroll company. The company confirmed their payroll system had been accessed using the authentication information of the accounting administrator to set up the unauthorized pay period and unknown employees. The external payroll company confirmed that the system was compromised by a remote source between 10:46 …
P2011-ND-007

Agritrac Equipment Ltd.

In approximately July 2010, there was a break-in at the Organization’s office. The break-in was reported to police and investigated, but at the time, the Organization believed that none of its records had been stolen. The Organization later determined that a bankers box of financing application forms had disappeared. The Organization believes the box of forms was likely stolen during the July 2010 break-in.
P2011-ND-006

Transalta Corporation

Organization had retained a third party service provider, Workplace Safety & Healthcare Services Ltd. (“WSHS”) to perform clinic and on-site audiometric testing for employees at its Southern Alberta wind and hydro facilities. On November 23, 2010 WSHS was on-site at the Pincher Creek location and following the testing, the original audiogram forms were mailed via Canada Post to the Organization’s office. By January 14, 2011, the audiogram forms had still not arrived in the mail. …
P2011-ND-005

Alberta Treasury Branches, Carrying On Business As ATB Financial

On January 4, 2011 at approximately 3:00 p.m. “robbers walked” into the Organization branch located in Onoway, Alberta. The robbers stole some cash and an envelope from the Customer Service Representative (CSR) station. Inside the envelope, there were customer service application generated receipts containing fifty customers’ names and signatures, bank account numbers, the date, time, and details of their bank transaction of January 4, 2011.
P2011-ND-004

AARC Society operating as Alberta Adolescent Recovery Centre

An Organization staff member was “on call” the night of December 12, 2010. An Organization binder containing client data and information (twenty-four paper files) was stored in a staff member’s locked vehicle, when the vehicle was stolen.
P2011-ND-003

Ceda International Corporation

On June 2, 2010, an Organization employee in the Human Resources (“HR”) department became aware that an HR folder containing the personal information dating back to 1999 of 104 employees of Organization, was located on the Organization employee public computer drive which was accessible to all Organization employees. The existence and location of the folder was reported to HR by an employee who had found the folder and reviewed his own file. The folder was …
P2011-ND-002

Mini Mall Self Storage Ltd.

Sometime between midnight and 12:30 am on November 8, 2010, individuals broke into the Organization’s premises and stole among other items, computer towers. The break and enter and loss was discovered the morning of November 8, 2010 by an Organization employee. Paper records and credit card receipts. Organization estimates that there were about 5 people who had used their cards (either credit card or debit card) over and above those on the lists. The computers …
P2011-ND-001

AVIS Car Inc.

On November 22, 2010, the third party operator was arrested by the Edmonton Police. The third party operator was found to have attached a key logger/skimming device, which intercepts information that is input to the computer and stores it on a micro disk, between the swipe device and the computer used to input car rental agreements. The Edmonton Police advised the Organization that the third party operator had admitted to using the key logger device …
P2010-ND-011

Speech-Language Pathologist (SLP) Jillian Rowsell

On October 26, 2010, the Organization’s security alarm was triggered by an intruder break-in. All of the doors and windows had been locked and the alarm system had been armed. The intruder physically removed a window to get in and then broke the lock on the door. Two laptops and an external hard drive were stolen from the premises.
P2010-ND-010

Ms. Sharon Ashton

On October 9, 2010, a psychologist that the Organization shares a file cabinet with noticed that the file cabinet would not open and that the cylinder lock was missing. On October 12, 2010, both psychologists examined the file cabinet. They found that the cylinder lock was missing and the cabinet drawers were inoperative. The psychologists advised the manager of the family health centre of the incident and the police. There appears to be no theft …
P2010-ND-009

Dr. Rakha Dave-Gates

On October 9, 2010, the Organization noticed that the office file cabinet that she shares with two other psychologists would not open and that the cylinder lock was missing. On October 12, 2010, both psychologists examined the file cabinet. They found that the cylinder lock was missing and the cabinet drawers were inoperative. The psychologists advised the manager of the family health centre of the incident and the police. There appears to be no theft …
P2010-ND-008

Equitable Trust Company

On or around October 19, 2010, a company issued laptop assigned to an employee was stolen from the backseat of the employee’s car while it was parked overnight at the employee’s home. The laptop required a password to log on and obtain access; however, the personal information stored on the laptop was not in an encrypted format.
P2010-ND-007

Ipsos North America

On October 7, 2010, an employee’s laptop containing personal information of other employees was lost in the course of travel. The laptop was left in an overseas airport, and to date has not been recovered. The device had both a bootable password and Windows password but was not encrypted.
P2010-ND-006

Alberta Treasury Branches, carrying on business as ATB Financial

On September 16, 2010, an agent of the Organization discovered the office premises had been broken into. The break-in occurred sometime in the evening of September 15, 2010 or early morning of September 16, 2010. In addition to some personal records, a file containing the names, addresses, phone numbers and bank account numbers of nine customers was missing. The agent could not recall if she had previously destroyed the file or if it had been …
P2010-ND-005

Full Bars Communications Inc.

On August 6, 2010, the owner of the Organization discovered that his home garage had been burglarized and several items stolen, including two external hard drives containing the personal information of current and former employees and customers. The external hard drives were not encrypted.
P2010-ND-004

Radcan Energy Services Inc.

On September 8, 2010, a manager emailed a work schedule to the Organization’s President and copied it to six employees. The manager accidentally attached a previous string of email exchanges which contained a discussion regarding the potential termination of one of the employees copied on the email and which specifically named the employee. The error was discovered the next morning by an administrative assistant who opened and read the email. The administrative assistant immediately notified …
P2010-ND-003

TD Investment Services Inc.

A member wished to transfer their mutual fund RRSP account to an account with another financial institution. As part of this request, the customer completed a form and faxed it to the other financial institution on June 10, 2010. The other financial institution then faxed the form to the Organization’s RRSP transfer processing department on June 22, 2010. Upon review by the Organization, some data on the form was unclear which required that the form …
P2010-ND-002

Rick Bronson’s The Comic Strip Ltd.

On or about July 7, 2010, the Organization received a phone call from another organization, advising it had received a call from an individual who had found documents from the other organization in a dumpster. The other organization attended at the dumpster and determined the documents belonged to the Organization. The Organization retrieved as many documents as possible within hours of being notified but was not able to recover all the documents. The Organization investigated …
P2010-ND-001

Knights of Columbus Charitable Foundation

On or about June 15, 2010, the Organization was notified that a small number of its underwriting files and some additional documents containing personal information had been found outdoors near its headquarters in New Haven, Connecticut. Based on dates printed on some of the documents, it was determined that the incident must have occurred within a few days of the Organization being notified. The files and a significant number of documents were recovered. While investigating …
H2020-ND-01

Alberta Health Services

Alberta Health Services (AHS) notified the OIPC about an unauthorized disclosure of individually identifying health information under sections 60.1(2) and 60.1(3)(a) of HIA. In its breach report, AHS said that it would not be giving notice to the individual who is the subject of the individually identifying health information, as required by section 60.1(5) of the HIA. As provided by section 85.1(2)(a) of the HIA, the Commissioner confirmed AHS’s decision not to give notice to …