Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Investigation into a privacy breach at a Canada Border Services Agency contractor

May 20, 2022

Complaint under the Privacy Act (the “Act”)

Description

A Canada Border Services Agency (“CBSA”) contractor experienced a breach of its network as it was the target of a ransomware attack. Bad actors accessed, copied and removed files from the contractor’s network, and a number of those files were CBSA data, specifically licence plate image files captured at Canadian border crossings. While the bad actors had access to approximately 1.4 million images that were on the contractor’s network at the time of the breach, approximately 11,000 were confirmed to have been posted on the Dark Web. Our investigation found that the contract lacked clauses with respect to security safeguards, including for the protection and retention of personal information.

Takeaways

  • Although some personal information (for example, medical records and financial data) is almost always considered to be sensitive, any personal information can be sensitive, depending on the context.
  • This investigation highlights the value of program, contracting and privacy specialists working together to assess if the information being collected in the delivery of programs and services is considered personal information and to develop contracts with appropriate privacy clauses to protect it.

Report of findings

  1. In June 2019, the Office of the Privacy Commissioner of Canada (“our Office” or the “OPC”) became aware by way of media reports of a cyber attack targeting a US-based third party contractor of the Canada Border Services Agency (the “CBSA” or the “Agency”) and their American counterpart, the US Customs and Border Protection (the “US CBP”). This attack occurred in May 2019 and involved malicious actors who transferred files from the Contractor’s network and released them onto the Dark WebFootnote 1.
  2. Early media reports focused on the US CBP data released onto the Dark Web - identified as licence plate images along with clear and visible facial images of travellers captured on the American side of the Peace Bridge land border crossing. On June 12, 2019, a media report noted the CBSA had launched its own investigation. According to one Canadian media article, a CBSA’s spokesperson said the CBSA was “reviewing and assessing what impacts, if any, the breach has on its operations and Canadians.” The spokesperson also said that the breach incident did not pose systems or security vulnerabilities to the CBSA.
  3. Our Office reached out to CBSA representatives on June 13, 2019 and were advised that approximately 9,000 photos of licence plates collected when travellers entered Canada were compromised in the breach. The CBSA stated that the CBSA images involved in the breach were collected at the Cornwall, Ontario land border crossing and had been sent to the Contractor for troubleshooting.
  4. The CBSA also advised that the majority of the files compromised in the breach were collected by the US CBP. The Agency further clarified that any files containing facial images of travellers involved in the breach were from the US CBP.
  5. Having been satisfied that there existed reasonable grounds to investigate this matter, the Privacy Commissioner of Canada commenced a Commissioner-initiated complaint under subsection 29(3) of the Act against the CBSA on July 5, 2019.

Overview

  1. Our investigation focused on determining the impact of the breach on travellers entering Canada, and an assessment of the measures the Agency took to ensure appropriate safeguards were in place to meet its obligations under the Act.
  2. Our investigation revealed that:
    1. the CBSA inconsistently considered and managed licence plate information, as personal information;
    2. licence plate image files, in this case, included metadata containing: the licence plate jurisdiction (province or state); the licence plate characters; the date and time the image was taken; and the numerical code representing the border crossing site along with lane number.
    3. a much higher number of CBSA licence plate image files – up to 1,385,198 – were compromised during the breach; and
    4. security safeguards, including contractual clauses for the protection of personal information, were lacking.
  3. Our investigation concluded that the complaint was well-founded as the CBSA contravened the disclosure provisions of the Act. The OPC also made a number of recommendations (see paragraph 54) to the CBSA to strengthen its personal information management practices in this regard. Based on the CBSA’s response to our investigation and its acceptance of our recommendations, we considered the complaint to be resolved.

Scope of the Investigation and Methodology

  1. The investigation examined whether the licence plate image files collected by the CBSA in the course of the travellers crossing land borders constituted personal information in accordance with Section 3 of the Act. Following our determination that in this context the licence plate image files, which included metadata showing border crossing time and location, did constitute personal information for some individuals, the investigation examined whether the CBSA contravened the disclosure provisions under section 8 of the Act.
  2. In reaching our conclusions, we considered information obtained from the following sources:
    • Interviews with representatives of both the CBSA and the Contractor;
    • Written representations and reports submitted by the CBSA’s Access to Information and Privacy Office, including contract documents in place at the time that the breach occurred;
    • A sample of representative licence plate images and electronic licence plate image file names (metadata) provided to the OPC by the CBSA;
    • Written representations from the Contractor, including the executive summary of the forensic investigation report, forensic sensitive data discovery reports as well as current and previous contracts between the parties; and
    • Open sources (such as media reports about the breach including an interview with the Contractor’s CEO in August 2019).
  3. During our investigation, it came to light that the license plate images released onto the Dark Web appeared to date back to over 10 years. Given its bearing on the breach, we also reviewed the data retention provisions in the contract with the Contractor, and the parties’ adherence to those provisions.

CBSA’s relationship with the Contractor:

  1. The Contractor is a supplier of licence plate recognition products and has had contracts with the Government of Canada since 2003.
  2. The contract between the CBSA and the Contractor in place at the time of the breach was dated July 15, 2015 and covered the purchase, installation and support of updated licence plate reader (“LPR”) equipment and software technology used at border crossing lanes. The CBSA collected the licence plate images and associated metadata directly from the LPRs as part of its border exit/entry processing, security and intelligence activities. The contract set out performance expectations for the LPR technology and equipment, including a requirement that the image taken of the licence plate clearly capture and accurately read the licence plate characters along with jurisdiction of origin (province/state) to a 98 percent accuracy threshold. To this end, the CBSA sent raw licence plate image files (including the associated metadata) to the Contractor for analysis on a monthly (500 files) and quarterly basis, in addition to images from newly installed equipment at lanes as part of a quality assurance exercise.
  3. The CBSA stated that no other traveller information (such as name or other personal identification) was provided to the Contractor and the raw images were securely transmitted between the parties. On this latter point, we provided additional observations and recommendations at the conclusion of this report to strengthen the manner in which images are transmitted (see paragraphs 56-59).

Events leading up to the breach and follow up actions

  1. According to the Contractor’s forensic investigators, bad actors were able to enter the Contractor’s systems through an unpatched decommissioned server. The Contractor first became aware of an incident involving its systems on May 13, 2019, when the Contractor’s CEO received an email demanding a ransom be paid. In the initial days after this email, the Contractor sought to verify the validity of the threat.
  2. On May 21, 2019, two days before the image files were released onto the Dark Web, the CBSA was alerted that the Contractor had been the subject of a cyber attack. The CBSA advised that it immediately consulted system architects, designers and support teams to determine the nature and sensitivity of the compromised material. Between May and July 2019, the Agency was in regular communication with the Contractor as the forensic analysis progressed. Discussions focused on quantifying the LPR images, and on whether there was information associated with the images that could be connected to individuals (travellers). The CBSA confirmed that the Contractor did not receive any traveller information that it collects, outside of the licence plate images files and associated metadata.
  3. In the immediate aftermath of the breach, the CBSA ceased sending licence plate image files to the Contractor. It amended its contract with the company on February 24, 2020 and resumed sending licence plate image files in September 2020 after testing and certifying that a new version of the File Transfer Protocol (“FTP”) solution was compatible with the security improvements that the Contractor had implemented.
  4. After the breach, the Contractor put in place a number of measures for the company to be in compliance with an internationally recognized information security framework, including the following:
    • It sanitized all media on computers and servers and migrated all sensitive and restricted data to a secure cloud-based information management system;
    • It provided evidence to the CBSA that files compromised in the breach had been permanently deleted as of June 27, 2019; and
    • It enhanced its network security to continuously monitor for threats via various technical security solutions that communicate real-time alarms and events to an external cyber-security monitoring service.

Information involved in the breach incident

  1. The Contractor’s forensic investigation revealed that at the time of the breach, there were 1,385,198 CBSA licence plate image files, including duplicates on its systems. It also found that malicious actors accessed at least 26 systems on the Contractor’s network and accessed the network 199 times between February 26 and May 19, 2019. The malicious actors also concealed some of their activity in the network; therefore, forensic investigators could not conclusively determine the extent of the information exfiltrated, beyond what was found on the Dark Web.
  2. While initially the CBSA stated 9,000 licence plate images were involved in the breach, it later revised that number to 10,734, considering only the licence plate image files confirmed disclosed on the Dark Web. It added that after the Contractor’s analysis to remove duplicates, there were 3,492 unique plates actually disclosed on the Dark Web. These image files came from the file of a former Contractor employee who performed ground truthingFootnote 2 functions and whose computer contents were backed up onto the network after that employee left the company. All of these image files were from 2008 and were taken at the Cornwall border crossing.
  3. In addition, forensic investigators determined that another 423 CBSA licence plate image files attached to internal Contractor emails residing on its email server were also exfiltrated and released on the Dark Web. These licence plate image files were from various border crossings across Canada.
  4. While our investigation confirmed two sets of CBSA licence plate image files were exfiltrated (those referenced at paragraphs 20 and 21), given the frequency and breadth of malicious actors’ infiltration of the Contractor’s network and systems, our Office considered all of the 1,385,198 image files on the Contractor’s systems accessed and compromised, whether or not they were copied in their entirety and/or released to the Dark Web.

Application of the Act

  1. In making our determinations, we considered sections 3 and 8 of the Act.

Are licence plates personal information in this context?

  1. Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing: information relating to race, national or ethnic origin, colour, religion, age, marital status, education, medical, criminal or employment history, financial transactions, identifying numbers, fingerprints, blood type, personal opinions.
  2. Our review of the sample images files provided to the OPC by the CBSA revealed the following:
    1. images captured the rear view of the vehicle with the make and model visible for the majority of the vehicles, the licence plate jurisdiction and plate characters, and whether it is a personal or business vehicle (for example, light-duty trucks with a number on the back panel identifying it as part of a fleet of vehicles);
    2. images of licence plates with graphics and/or personalized licence plate characters were clearly visible;
    3. no occupants of the vehicles were evident in the images provided by the CBSA; and
    4. the licence plate image files contained metadata including: the licence plate jurisdiction (province or state); the licence plate characters; the date and time the image was taken and the numerical code representing the border crossing site along with the lane number.
CBSA’s Representations:
  1. The CBSA took the position that licence plate information did not constitute personal information as defined under section 3 of the Act. It cited in its representations the following excerpt from Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94:

    Under section 3, personal information is generally described as any information about an identifiable individual. The Alberta court of appeal [sic] found that the licence plate did not meet this definition as the licence plate identified the vehicle and “the number is merely a conduit to other personal information about the owner that is not publically [sic] available.”

  2. The CBSA submitted that only licence plate numbers were compromised in the breach and no other traveller/driver information in any form was associated with the plate numbers. It further contended that the licence plate information could only identify the owner of the vehicle - not the driver or passengers - at the time the licence plate image was taken and to obtain the identity of the owner, the licence plate characters would have to be searched against a provincial or state vehicle registration database.
  3. The CBSA also argued that the Supreme Court of Canada has indicated that the degree of personal privacy that should be expected at the border is lower than in most other situations, and that travellers crossing international borders should fully expect to be subject to the screening process as set out in R. v Simmons, [1988] 2 SCR 495. The issue raised in the cited case was whether the appellant’s Charter rights were infringed when she was subjected to a physical search, but not afforded the right to counsel.
The OPC’s position:
  1. Our Office considers the Leon’s case to be distinguishable to the matter at hand. More precisely, we are of the opinion that licence plate image files constitute personal information of some individuals in this particular context for the following reasons:
    • Licence plates were exposed in the context of border crossings, revealing that the registered owner’s vehicle (and potentially the registered owner if also the driver at the time) travelled through a particular port of entry and at a precise time. In this case, the licence plate image files contained metadata including: the licence plate jurisdiction (province or state); the licence plate characters; the date and time the image was taken and the numerical code representing the border crossing site along with the lane number;
    • Certain provincial jurisdictions, such as Ontario, offer services to the public for conducting searches against government databases to obtain the name of the registered owner of a vehicle by searching individual licence plate numbers; and
    • Graphic or personalized licence plates can potentially reveal information about the individual who ordered the particular plate, such as family name, affiliations to particular groups, as well as the jurisdiction where they reside.
  2. Further, our provincial counterparts in OntarioFootnote 3, British ColumbiaFootnote 4, Nova ScotiaFootnote 5, Prince Edward Island (PEI)Footnote 6, and QuebecFootnote 7 have found that licence plate numbers may qualify as personal information pursuant to their respective privacy legislation. We, however, note that the Saskatchewan OIPC found otherwise under its privacy legislation which excludes from the definition of personal information “details of a licence, permit or other similar discretionary benefit granted to an individual by a government institution.”Footnote 8
  3. PEI’s position is particularly instructive here. The PEI Privacy Commissioner stated “I am also persuaded that the information that the Charlottetown Police collects from the ALPR [automated licence plate reader] cameras, including the GPS position, and the date and time of the image, is personal information of the vehicle owner.”
  4. Further, and despite its stated position referenced above, the CBSA acknowledged that it uses licence plates to identify vehicles and travellers sought by law enforcement or for immigration purposes, indicative of the use of the licence plate information as a personal identifier. According to the CBSA’s Personal Information Bank - Traveller Processing (CBSA PPU 1101), passenger vehicle licence plate information is collected at land border crossings, in addition to other personal information captured, to create “a passage history and allows the CBSA to initiate ‘real-time’ queries against law enforcement actions and lookouts.”
  5. Finally, our Office considered the CBSA’s argument with regard to R v. Simmons. The case law cited is concerned with the degree of personal privacy travellers can expect at the border. There is no dispute that there is a lower degree of privacy for travellers crossing into Canada, which allows the CBSA to collect the licence plate images and metadata of travellers’ vehicles when crossing the border. However, this lower threshold for privacy does not mean the information is no longer personal. Nor does it reduce the level of privacy protective measures needed to ensure licence plate image files are not inappropriately used outside the border context. It is, therefore, reasonable for travellers to expect that their personal information collected by the CBSA will be protected from unauthorized access and disclosures.
  6. Based on our assessment of the complete package of information involved in the breach including metadata, and our analysis of the cross-country findings related to licence plate images under similar circumstances, we considered the information to be personal information for some individuals in this particular context.

Was the personal information at issue improperly disclosed?

  1. The Act states that personal information can only be disclosed with an individual's consent – Subsection 8(1) – or in accordance with one of the categories of permitted disclosures outlined in subsection 8(2) of the Act.
  2. As noted above, licence plate image files and associated information were collected in order to support the CBSA’s traveller processing activities. The Contractor notified the CBSA that it suffered a breach of its systems that included information being inappropriately accessed and disclosed on the Dark Web. Given this, we found that none of the permissible disclosure provisions within the Act applied.

Were security measures adequate?

  1. Having determined that the disclosure was unauthorized, our Office considered whether the CBSA took adequate measures to ensure the personal information was properly protected. In that regard, our office reviewed the Treasury Board Secretariat (“TBS”) Guidance Document: Taking Privacy Into Account Before Making Contracting DecisionsFootnote 9 which provides “…advice to federal government institutions whenever they consider contracting out activities in which personal information about Canadians is handled or accessed by private sector agencies under contract”, including when contracting with vendors located in United States. It qualified that the advice should be read in conjunction with existing government policies and procedures for procurement. When personal information may be handled under the terms of the contract, the guidance indicates that the institution should consider including appropriate clauses to protect personal information as a shared responsibility. While this guidance may not be binding, in our view, this is a sound privacy management practice.
  2. While the CBSA is permitted to enter into contractual arrangements with the private sector, including US companies such as the Contractor, any personal information collected, used, disclosed or otherwise handled by the contractor on behalf of the CBSA is considered to be under the control of the CBSA.Footnote 10 As such, the CBSA is responsible for ensuring that the personal information shared with its contractors is appropriately protected, including against improper disclosure in accordance with the CBSA’s privacy obligations under the Act and pertinent TBS policy instruments.

Contract:

  1. When asked for a copy of its contract with the Contractor, the CBSA provided a contract dated in 2015 – the one in place at the time of the breach – with annexes, which included the Statement of Work (“SOW”) and the Security Requirements Check List (“SRCL”). We reviewed the contract and the accompanying annexes to determine if, at the time of the breach, sufficient contractual provisions were in place to ensure the protection of personal information.
Security requirements
  1. Our examination showed the contract and the accompanying annexes were lacking specific clauses regarding the protection of personal information, or the CBSA’s expectations with respect to cybersecurity and/or internationally or otherwise recognized information security standards pertaining to the protection of the Agency’s information assets held by the Contractor. It, however, contained a clause allowing for the then Public Works and Government Services Canada (“PWGSC”)Footnote 11, as the contracting authority, to conduct compliance visits to ensure compliance with the security measures outlined in the contract. Our investigation found no evidence of further discussions about security requirements. As well, our Office confirmed with CBSA that no compliance visits were ever conducted, including after the breach occurred.
  2. Our review of the SOW showed that it had some limited clauses imposing constraints on the Contractor on the use of the information captured by the LPR technology itself – notably, that:
    1. all data captured by the LPR technology was the CBSA’s property and that the data should not be distributed in whole or in part to any other person or organization nor could it be retained for purposes other than to support the CBSA; and
    2. The Contractor must not permanently store any confidential or personally identifiable information.
  3. We examined the completed SRCL attached to the contract. The SRCL indicated that the Contractor would not require access to Protected or Classified information or assets, nor would it be storing such information on its site or premises. Even so, the contract contained provisions that required the Contractor to immediately report any incidents where the CBSA’s protected information/assets were compromised, whether lost or disclosed to unauthorized individuals.
  4. As outlined elsewhere in this report, our Office took the view that the licence plate image files which include metadata, were personal information for some individuals in this particular context. According to the Government of Canada’s information and asset security classification levels, personal information is considered protected informationFootnote 12. The discrepancy between the contract and how the licence plate images were treated led our Office to question whether the CBSA conducted a thorough assessment of the classification of the licence plate image files with metadata.
Retention
  1. On learning that the image files from the Cornwall, Ontario border crossing released to the Dark Web were from 2008, we assessed retention. The CBSA licence plate image files found on the Dark Web were from a back up of a former employee’s computer. These backed up licence plate image files were at least 11 years old.
  2. The CBSA’s contract with the Contractor included one clause which stipulated that the contractor’s solution “must not permanently store any confidential or personally identifiable information.” At the time of the breach, there were just under 1.4 million licence plate image files from ports of entry across Canada on the Contractor’s systems. Though our Office was not provided with the date range of all licence plate image files on the company’s network at the time of the breach, the Contractor’s representatives indicated that the majority of them were from the contract in place at the time of the breach and their understanding at the time was that they could retain the licence plate images for the duration of the contract.
  3. When asked, the CBSA indicated that the Agency’s retention period for licence plate image files is “six years plus the current year.” Given that the CBSA has a specific retention period for licence plate image files, we would have expected, that as a minimum, the contract stipulate a comparable retention period.
  4. In our view, the contract documents fell short on privacy protections that our Office would expect when government institutions enter into contracts with third parties involving personal information. We expected to see provisions requiring that third parties: (i) be compliant with TBS security and privacy policy instruments, (ii) incorporate relevant internationally recognized information security frameworks/standards, and (iii) adhere to more clearly defined direction on the retention of personal information.

CBSA Contract Updates Post-Breach

  1. Despite the CBSA’s contention that licence plates were not personal information, following the breach in February 2020, the Agency amended specific areas of the contract with the Contractor. Our review of the contract amendment showed the CBSA revised the SOW to include a clause that required the Contractor to show that its information security program (which includes cybersecurity standards) complied with the applicable internationally recognized information security frameworks listed in the amendment. The revised SOW also included a clause setting out a strict limit on the retention of licence plate images. The amendment also required that the Contractor dispose of the licence plate images provided by the CBSA after three (3) months from processing.

Conclusions

  1. The CBSA represented that it did not consider the licence plate images to be personal information. It did not include in its assessment of the information involved in the breach any considerations with respect to licence plate characters, as well as the associated metadata, which revealed time, date and location. We also observed that the CBSA specifically recognized licence plates as personal information in their Personal Information Bank, while contending the contrary in their representations in this investigation.
  2. Our investigation also determined that the licence plate image files involved in the breach reveal more information about the registered owner and their vehicle than the licence plate characters alone. In this context the licence plate image files with their metadata do constitute personal information under Section 3 of the Act for some individuals.
  3. Further, we assessed that CBSA’s contract with the Contractor was lacking with respect to safeguard measures, and record retention. As a result of actions of malicious actors, close to 1.4 million CBSA licence plate images were inappropriately accessed, with two data sets (those referenced at paragraphs 20 and 21) confirmed released onto the Dark Web. The breadth of the breach, namely the large number of images impacted was exacerbated by the absence of a specific retention limit in the original contract regarding collected images.

Findings

  1. In view of the preceding, we found the complaint to be well-founded and resolved.

Recommendations

  1. An important issue revealed in the course of this investigation was the manner in which personal information was identified. It must be examined in context, and in combination with other data elements.
  2. In our preliminary investigation report, we made the following recommendations to the CBSA. Specifically that the Agency:
    1. Fully review its current contract with the Contractor and include clear language in future contracts that the licence plate image files constitute personal information and that appropriate clauses to protect personal information are present, including but not limited to appropriate safeguards for storage, use, access and destruction.
    2. Seek guarantees and confirmation from the Contractor that any data retained more than three (3) months after it was provided to the company has been destroyed, in line with the revised contract requirements.
    3. Demonstrate, through an audit or review of the Contractor, that CBSA assets (personal information) are managed in accordance with the terms of its revised contract (see subparagraph a. above).
    4. Provide evidence to the OPC within six (6) months that recommendations a. and b. have been met, and within one (1) year that recommendation c. has been met.
  3. On March 24, 2022, the CBSA informed our Office that the Agency would be adopting our recommendations. Given the current contract is sunsetting, it will implement these recommendations in its upcoming Request for Proposal and contracting documents.

Additional observations and recommendations

  1. During the course of our investigation, the OPC observed certain technical vulnerabilities which we shared to enhance the CBSA’s security posture when transferring personal information to its contractor. While our Office recognized these vulnerabilities did not contribute to the breach, we nonetheless encouraged the CBSA to address them as suggested below.
  2. There was no direct VPNFootnote 13 tunnel between CBSA systems and the Contractor’s systems. Even though the image files that were being transferred were in a compressed and encrypted format, the transmission was administered over the open internet and not through a dedicated VPN tunnel between the two entities, thus elevating the risk of compromise. We encouraged the CBSA to implement a dedicated VPN tunnel between the two entities to ensure that no outside unauthorized parties could intercept the files being transmitted.
  3. The CBSA’s representations mentioned that they used a FTP software to transmit the image file to the Contractor. The FTP software used is a freeware/shareware software utility and primarily used for personal computing. Although it is regularly updated and maintained, the transmission of sensitive data should be done with an enterprise level solution.
  4. During the investigation, the CBSA also revealed that it uploaded the licence plate image files to a secure FTP server. We would recommend that if the Agency currently does not do so, to ensure that it is utilizing SSH File Transfer Protocol (“SFTP”) or FTP Secure / TLS, as applicable to local configuration requirements, to ensure the appropriate level of encryption when transferring files to the Contractor.
  5. In response to the above additional observations shared with the CBSA, the Agency indicated that in its contracting, it would include a clause requiring that any secure FTP hardware and software used for licence plate information transfers be compliant with at least one Information Security Framework referenced in the contract. Our Office is satisfied that this measure addresses our concerns.
Date modified: