pdf – Office of the Information and Privacy Commissioner of Alberta

P2023-ND-020

mbokhiria — Tue, 20 Feb 2024 21:01:50 +0000

On November 14 and November 15, 2021, legal counsel confirmed the Organizations were the subject of a ransomware attack. On October 31 and November 4, 2021, the Organizations discovered that certain of their systems had been encrypted. The incidents did not impact the Organizations’ critical business operations. Having received no further information from the Organizations, my office asked the Organizations’ legal counsel on May 9, 2023, if the Organizations could confirm whether their investigation into the incidents was complete and whether the Organizations notified affected individuals. The Organizations reported the investigation was complete on or around May 18, 2022. On September 18, 2023, the Organizations reported, “At the time, there was no hard evidence that personal information had been compromised and based on this initial assessment, no report was filed with your office.” The Organizations reported affected individuals were notified as described below.

P2024-ND-001

mbokhiria — Wed, 17 Jan 2024 20:48:30 +0000

On June 30, 2023, the Organization, through legal counsel, informed my office about the unauthorized access of personal information under the Organization’s control.
My office contacted the Organization’s legal counsel in July and September 2023.
On September 15, 2023, the Organization, through legal counsel, stated “there is no real risk of significant harm to individuals as a result of the incident.”
My office followed-up with legal counsel in October and November 2023, requesting clarification on whether the Organization is notifying the Commissioner under section 34.1 of the Personal Information Protection Act (PIPA). My office received no responses.

P2022-ND-075

ssibbald — Thu, 30 Nov 2023 17:42:35 +0000

On April 28, 2021, the Organization became aware that a limited number of finalists in one of its programs received administrator-level viewing access to the web-based database it uses to collect and maintain records for applicants, finalists and participants in the programs it administers. The Organization determined that personal records were among those that were accessible, although the Organization have not determined what records have been viewed.

P2023-ND-018

mbokhiria — Thu, 30 Nov 2023 17:39:00 +0000

On December 27, 2022, the Organization’s IT systems at its corporate office were subject to a ransomware attack that encrypted several of its servers and business applications. The Organization determined that the threat actor likely gained unauthorized access to and likely exfiltrated certain data from its IT systems, including certain personal information.

P2022-ND-068

ssibbald — Thu, 30 Nov 2023 17:30:00 +0000

On June 1, 2021, a branch office of the Organization was broken into. The break-in was reported to the police. An agent with the Organization had her double password protected laptop stolen from her locked office during the break in. The breach was discovered on June 2, 2021 when the agent went to the branch office.

P2023-ND-013

mbokhiria — Fri, 26 May 2023 19:58:51 +0000

The Organization operates a number of online storefronts. In the course of its operations, they obtain certain services from Amazon Web Services (AWS). On February 8, 2023, the Organization “received feedback from an anonymous caller about a data file allegedly containing … customer records leaked on a … breach forum.” The Organization investigated; they assessed the records to be “highly similar to a CRM-exported data file with customer records stored on AWS S3.” The Organization initially reported that the incident is the result of an insider threat or a “misconfiguration” of their AWS S3 environment, enabling the “enumeration … and subsequent exfiltration” of data. On March 7, 2023, the Organization clarified “the likeliest scenario is that the address of the AWS S3 object associated to the [data] … was inadvertently exposed to the internet” between “September 14, 2020 … and February 5, 2023.” “A precise date cannot be determined because there is limited logging capability within the Organization’s test environment, as is characteristic of such non-production environments.” The data file “was made available on the breach forums on February 5, 2023” and “is still available” as of March 7, 2023.

P2023-ND-016

ssibbald — Mon, 01 May 2023 19:55:45 +0000

At the time of the incident, the Organization obtained information technology (IT) services, including cloud hosting, from a third party, Sandbox West Cloud Services Inc. (Sandbox). On or about February 11, 2023, Sandbox was victim to a ransomware attack. Sandbox first notified the Organization on February 12, 2023. On March 19, 2023, Sandbox provided the Organization with supplemental information; a letter confirmed “threat actors” conducted a “ransomware attack” and advised all “customers” about the potential for “a data breach.” On April 6, 2023, the Organization reported unsuccessful attempts to obtain details from Sandbox about the incident, including whether or not personal information was accessed without authorization, or exfiltrated.

P2023-ND-015

ssibbald — Mon, 01 May 2023 19:54:43 +0000

On December 3, 2022, a break-and-enter occurred at the Organization’s office. The incident was discovered by police. The Organization conducted an inventory following the incident; “thieves … stole anythign [sic] that appeared to be of value including computer screens … but most importantly, the law firms [sic] server and back up drive containing information on client files such as correspondence between lawyers and clients. The drives and server are password protected.” In a January 20, 2023, update, the Organization’s IT provider advised “the information was not encrypted but only protected by passwords.” “2 of 4 thieves were … arrested,” however, the server and backup drive were not recovered.

P2023-ND-014

ssibbald — Mon, 01 May 2023 19:53:10 +0000

The Organization’s website says it is a provider of “password and identity management solutions.” One of the Organization’s products / solutions is “a secure digital vault for passwords and login details…” As part of its operations, the Organization “uses Amazon Web Services (AWS) for routine cloud storage, archiving and back up services…” On November 2, 2022, the Organization was alerted to suspicious activity within its cloud storage environment. On November 27, 2022, the Organization identified that “there was a sufficient likelihood of customer data being accessed.” On December 15, 2022, the Organization confirmed that a “backup copy of the user main database and encrypted vault data was exfiltrated from the [Organization’s] AWS account.” A March 1, 2023 public notice explained “The threat actor was able to copy five of the Binary Large Objects (BLOBs) database shards that were dated: August 20, 2022, August 30, 2022, August 31, 2022, September 8, 2022, and September 16, 2022. This took place between September 8 – 22, 2022.” An investigation determined this incident was the result of a series of cyberattacks that took place in August 2022, in which a threat actor targeted a software engineer and a DevOps engineer. The threat actor ultimately deployed malware on a “DevOps engineer’s home computer,” leading to the compromise of a “LastPass corporate vault.” “The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.” The attacker “engaged in … enumeration, and exfiltration activities aligned to the cloud storage environment spanning from August 12, 2022 to October 26, 2022.”

P2023-ND-009

ssibbald — Mon, 01 May 2023 19:51:16 +0000

On September 22, 2022, an employee misdirected an email containing personal information about the affected individual who is also an employee. The unintended recipient, who is also an employee, alerted the Organization of the mistake.