In October 2021, the Organization was the victim of a Microsoft Office365 tenant compromise, which is shared between CARE Canada and sister organizations CARE International United Kingdom (“CARE UK”) and CARE United States (“CARE USA”). Three compromised CARE UK service accounts, with Office 365 Administrator Privileges, were compromised and accessed CARE UK’s application. This resulted in the unauthorized access of 3,845 unique pages, emails, and files, from across the shared Office 365 environment, many of which belonged to the Organization and contained personal and/or sensitive information. On November 8, 2021, the Organization was notified of the incident and began to investigate. Between January 7, 2022 to February 9, 2022, the Organization became aware of its responsibilities under Alberta PIPA. In February, 2022, the Organization conducted an assessment of the real risk of significant harm to individuals.