The Organization initially reported that, on September 27, 2021, it was notified by a journalist about a "vulnerability on our end-point of a url that was hidden on the web portal version …". The breach occurred when the Organization's "external team" was "adding various end-to-end encryption on the web portal version on AWS for users that don't have mobile phones for the app". The Organization reported that it turned off its server "within 5 minutes of being notified" of the breach and "The inappropriate access seems to have happened between the nine-hour window of 27 Sept 18:21:49 UTC and 28 September 2021 03:07:13 UTC". On October 28, 2021, the Organization contacted my office to "speak about another alleged unauthorized viewing". The Organization provided additional information on November 4, 2021, consisting of excerpts of a security audit that cited logs showing an unauthorized third party accessing or trying to access user profiles on October 17, 2021. The Organization explained that unauthorized actors could view users' personal information by navigating to "deeply hidden" URLs. The Organization did not report how long the personal information was exposed. Both incidents were made public by way of news articles published by the CBC on September 28 and October 28, 2021.
P2021-ND-232