IRCC email breach creates risk of harm to individuals seeking Afghan emergency assistance
Complaint under the Privacy Act
December 14, 2022
An individual submitted a complaint about a series of four mass emails sent to 636 individuals by IRCC to respond to enquiries about emergency assistance measures in the context of the situation in Afghanistan in the fall of 2021. In the emails, all recipients were included jointly in the “TO” field, instead of the blind carbon copy (“BCC”) field. This disclosed the recipients’ email addresses, in certain cases a thumbnail photo, and the fact that they had inquired about emergency measures to all the other recipients – potentially threatening the lives of any recipients who might have been in Afghanistan and seeking refuge from the Taliban.
- If you send information to large groups electronically (bulk emails) using the “to” or “cc” fields instead of the “bcc” field, you are disclosing personal information about the recipients to each other. If you are a federal government employee, you are responsible for ensuring any such disclosures comply with section 8 of the Privacy Act.
- It is good practice for program areas that are routinely responsible for communicating with individuals about sensitive topics, or with individuals in sensitive situations, to develop procedures, concrete guidance, and training to ensure that employees know how to protect personal information when communicating externally.
- Programs can also consider software tools that may reduce certain types of accidental email disclosure errors.
Report of findings
When the Taliban took control of Afghanistan in August 2021, Canada announced that it would be temporarily suspending its diplomatic operations in the capital city of Kabul due to the rapidly evolving situation. [Footnote 1] The Government of Canada indicated that it was closely monitoring developments in Afghanistan and coordinating its response with international partners to do all it could to support Afghanistan and the Afghan people. [Footnote 2]
In response to the crisis situation, Immigration, Refugees and Citizenship Canada (“IRCC”) developed facilitative measures to support those affected by the crisis and to bring Afghans to safety under special immigration measures. IRCC launched a dedicated mailbox for individuals affected by the situation to contact the department about the emergency assistance available. Many of the individuals who contacted IRCC in the context of the crisis and/or individuals they have ties to, feared persecution in Afghanistan. At least some of these individuals appeared, from IRCC’s review, to still be in Afghanistan.
On October 28, 2021, IRCC notified our Office of a breach involving the inadvertent disclosures of personal information when it sent four generic emails to individuals who had emailed the department seeking guidance on emergency measures relating to the situation in Afghanistan. [Footnote 3] The individuals’ email addresses were included in the “TO” field, instead of the blind carbon copy (“BCC”) field, thereby disclosing the entire recipient list to everyone included in each of the emails. After being notified of the incident by two email recipients, IRCC began notifying the 636 individuals who were impacted by the incident. The scope of the disclosures included: (i) the email addresses, (ii) in certain cases, the individual’s thumbnail photograph associated with their email address, and (iii) the fact that the individual had inquired about emergency measures relating to the situation in Afghanistan. Given the context in which the individuals contacted IRCC, and the potentially significant risks to the safety and well-being of these individuals if their identities were disclosed, the personal information was inherently sensitive in nature.
The matter was subsequently raised in the media and the OPC received a complaint (from an individual not directly affected by the breach). The complainant raised concerns that the breach threatened the lives of several hundred vulnerable Afghans seeking refuge from the Taliban and demonstrated a severe lack of measures in place at IRCC to guard the privacy of those most vulnerable.
In this case, as IRCC acknowledged that the disclosures were done erroneously and without an appropriate purpose, the disclosure provisions of section 8 of the Privacy Act (the “Act”) were contravened. Given the potentially serious impact of the disclosures on these individuals who were seeking emergency assistance from the Government of Canada, we examined the adequacy of IRCC’s measures to: (i) prevent disclosures of this nature, (ii) mitigate the potential damage of the incident on affected individuals, and (iii) reduce the risk of a recurrence in the future.
We found that IRCC had insufficient administrative and procedural controls in place to mitigate the risk of accidental disclosures of inherently sensitive personal information when communicating with individuals by mass email, including no oversight or compliance monitoring procedures to ensure the necessary due diligence in protecting individuals’ personal information.
With respect to mitigation of the impact on affected individuals, we found that IRCC took important and immediate mitigation steps, including notifying affected individuals and requesting that all copies of the emails received by recipients be deleted. That said, this breach created a risk of significant harm to more than 600 individuals who may have feared reprisals from the Taliban and were seeking emergency assistance and protection from the Government of Canada. This risk cannot be fully eliminated after a breach. As a result, it was imperative that IRCC strengthen its prevention mechanisms to ensure that a similar incident does not occur in the future.
We found that, overall, IRCC took positive remedial steps in the wake of the breach to reduce the risk of a recurrence of a similar incident, including revising its internal procedures for sending mass emails with safeguard enhancements such as: (i) restricting the sending of mass emails by authorized employees only and integrating a verification procedure (a ‘two pairs of eyes rule’), and (ii) instituting an alternative, secure method of communication with the department (i.e. a secure webform for individuals to make similar inquiries).
However, given the highly sensitive nature of the information, and the potential ramifications for individuals’ personal safety in the case of a breach, we underscored to IRCC that they must: (i) have robust protections and procedures in place as part of its security architecture to ensure that a human error does not automatically result in a breach, and (ii) continuously assess its prevention mechanisms to mitigate the risk of an accidental disclosure.
We recommended that IRCC commit to providing our Office with an update by March 3, 2023, outlining the further technological measures that it has secured and implemented to mitigate the risk of misdirected email correspondence. We are encouraged that IRCC has accepted our recommendation. Further, IRCC shared with our Office certain additional measures it is undertaking to prevent a similar privacy breach and to ensure the protection of client information. These measures are outlined in the report below. IRCC also reported that it leveraged the lessons learned from this breach to enhance its safeguards and to reduce the risk of accidental disclosures of personal information during the management of the Ukraine crisis (i.e., the facilitative measures developed to support Ukrainians and their families affected by that crisis).
- Our investigation focused on: (i) IRCC’s measures to prevent unauthorized disclosures of personal information of this nature, (ii) the adequacy of IRCC’s measures to mitigate the impact of the incident on affected individuals, and (iii) IRCC’s actions to reduce the risk of recurrence in the future. The complainant also raised concerns regarding the ramifications of the breach and life-threatening consequences to those individuals affected by the breach, and that there was (and may still be) the potential for misuse of the personal information in question (i.e., individuals seeking refuge from the Taliban could be identified). This report also addresses those concerns in the context of IRCC’s actions to mitigate the risks to individuals affected by the breach.
Background of the disclosures
- In response to the situation in Afghanistan, the Government of Canada developed several special programs and measures to support those affected by the crisis, including special immigration measures to bring Afghans to safety. IRCC launched a “Situation Afghanistan” mailbox for individuals affected by the situation to contact the department with questions relating to the supportive measures available (for example, priority processing for certain types of applications).
- IRCC’s Client Support Centre (“CSC”) was tasked with managing the “Situation Afghanistan” mailbox and triaging the inquiries for response. IRCC reported that the enquiries received through the “Situation Afghanistan” mailbox originated from: (i) direct enquiries from individuals in relation to Canada’s Special Immigration Measures for Afghanistan (i.e., these individuals followed the procedure on IRCC’s website to contact the department), and (ii) ad hoc enquiries (emails) received by internal stakeholders at IRCC (for example, the Minister’s Office) which were forwarded to the “Situation Afghanistan” mailbox for response.
- The individuals affected by the breach had made enquiries to various internal stakeholders at IRCC by email between August 17 and October 18, 2021, regarding the supportive measures available. Due to the volume of inquiries, IRCC committed to have all enquiries centralized to the CSC. A procedure was put in place requiring internal stakeholders to forward the emails to the “Situation Afghanistan” mailbox for response by the CSC.
How the breach occurred
- On October 18, 2021, an employee in the CSC sent out four separate emails (each to 100-200 recipients), to a total of 636 individuals who had contacted internal stakeholders at IRCC to inquire about the supportive measures available in relation to the crisis in Afghanistan. As noted above, these enquiries were initially received by internal stakeholders and forwarded through Microsoft Outlook to the “Situation Afghanistan” mailbox. IRCC reported that the CSC normally processed inquiries received by the department online (through a web form); however, in this case, the CSC was unable to transfer and process the forwarded emails using the same technology tools, and instead, sent the responses by email.
- The content of the four emails was the same and provided information on the supportive measures and services that were available to individuals affected by the situation in Afghanistan, including those that remained inside Afghanistan with a connection to Canada, [Footnote 4] individuals that were outside Afghanistan, and individuals that were in Canada at the time. The emails included links to the services available and descriptions of special measures that may apply based on an individual’s circumstances.
- However, the employee who prepared the four emails inadvertently included the individuals’ email addresses in the “TO” field, instead of the “BCC” field, thereby disclosing the email addresses to everyone addressed in each of the four emails.
- The personal information at issue included the affected individuals’ email addresses, and in certain cases, a thumbnail photograph associated with their email account. [Footnote 5] The context of the email (i.e., that the individuals contacted IRCC about Afghanistan supportive measures) was also disclosed.
- IRCC learned of the breach after being contacted by two individuals who had received one of the emails in question regarding Canada’s supportive measures available to Afghan nationals.
Issue 1: The disclosures were not for a permissible purpose and therefore contravened section 8
- Given that the individuals’ email addresses were included in the “TO” field, instead of the “BCC” field, everyone who received the email message could also view the entire email recipient list (which included in certain cases, the thumbnail photograph or name associated with an email address). This represented a disclosure of all individuals on the respective emails who had contacted IRCC in the context of seeking information about supportive measures.
- Subsection 8(1) of the Act states that personal information can only be disclosed with an individual’s consent or in accordance with the provisions of subsection 8(2) of the Act, which permits disclosures without consent for a range of specified purposes. As none of the circumstances in subsection 8(2) would apply to accidental disclosures to unintended recipients, we determined that IRCC disclosed personal information in contravention of section 8 of the Act, and the complaint is therefore well-founded.
Issue 2: IRCC’s measures in place to prevent such disclosures were insufficient
- The Act is silent about what measures institutions should take to prevent inappropriate disclosures of personal information under section 8. However, in our view, an institution has an obligation to take reasonable measures which are appropriate to the sensitivity of the information and the likelihood of misuse (if a disclosure did occur). This expectation is aligned with the guiding principles found in Treasury Board Secretariat’s (“TBS”) Framework for the Management of Risks, [Footnote 6] which assesses and identifies the risk impacts to an institution through a privacy lens, and other privacy breach management tools created to assist in evaluating the impact of a breach, including the ATIP Privacy Breach Risk Impact Instrument. [Footnote 7]
- In this case, the information disclosed can be categorized as highly sensitive. The information could reveal that individuals connected with the email addresses (some of which included an individual’s name and/or associated image), including individuals still in Afghanistan at the time, had contacted IRCC seeking emergency assistance. The fact that these individuals had contacted the department revealed that they had potential connections to Canada’s former presence in Afghanistan and were seeking refuge from feared reprisals (including persecution) by the Taliban.
- In general, the identities of individuals seeking emergency assistance from IRCC in the context of a politically-related humanitarian crisis are likely to be sensitive, as individuals in such situations can reasonably be assumed to fear persecution (hence, why they are reaching out to IRCC).
- Where information is disclosed to a large number of individuals, including to individuals whose identities are not known (as was the case in this email breach), the likelihood of misuse increases, as the motivations of all the individuals, and any others with whom the original recipients might share the information, cannot be determined. In this case, the potential for misuse and the associated risks were serious and potentially life-threatening. It would only be necessary for a malicious actor to see one of the emails in question to obtain information relating to 100-200 individuals potentially seeking refuge from the crisis situation in Afghanistan.
- Given the highly sensitive nature of this type of information and the potential for misuse that arises from a ‘mass-email’ breach of this nature, we examined the measures that IRCC had in place for ensuring the protection of personal information when communicating with individuals seeking information about emergency measures. As a result, we expected that, given the privacy and security risks, IRCC would have robust protections in place to mitigate the risk of accidental disclosures in the context of communicating with individuals who are likely to fear persecution. These protections should include breach prevention efforts and security safeguard measures, including, but not limited to: (i) appropriate security procedures, (ii) training on those procedures, and (iii) checks to promote compliance with those procedures.
- In this case, we found that IRCC had insufficient procedural controls in place to mitigate the risk of accidental disclosures of inherently sensitive personal information when sending mass emails of this nature, including no oversight or compliance monitoring to ensure the necessary due diligence in protecting individuals’ personal information.
- We found that IRCC’s procedure for sending mass emails was detailed in a “Job Aid”, which included step-by-step instructions to minimize the risk of human error when sending mass emails. While the procedure included instructions to paste email recipients in the “BCC” field, there was no oversight to ensure that the procedure was followed. The procedure also did not include an established limit for the number of recipients that could be included in a mass mailout of this nature, or any compliance verification to ensure that the procedure was being followed. As noted previously, in this matter IRCC was alerted to the breach not by internal staff, but by affected email recipients.
- Since the breach, IRCC has revised its internal procedure for mass emails and taken the following steps to improve its security safeguards and mitigate the risk of future accidental disclosures of this nature: (i) only those employees approved to send mass emails on behalf of the department are granted access by the IT department to IRCC’s “do not reply” email address; (ii) the new procedure limits the number of individuals per email response to 25 and integrates a verification procedure – all mass mailouts must first be verified by the employee’s manager before they can be sent; and (iii) an updated, step-by-step, visual Job Aid was shared with the employees responsible for completing these tasks.
- IRCC also implemented a new “Special Measures” web form on its website for individuals to contact IRCC about Afghanistan immigration measures. [Footnote 8] The web form is an enquiry tool that eliminates the need for individuals to send emails from a personal email account to the “Situation Afghanistan” mailbox. Rather, individuals answer the web form questions so that IRCC can better understand their situation and direct the request/enquiry to the appropriate stakeholder for response. [Footnote 9] According to IRCC, the web form streamlines intake, triage and processing of client enquiries related to Afghanistan. IRCC was working to implement the web form prior to the breach, and it went live on October 18, 2021 (the same day as the privacy breach).
- IRCC had also indicated that it was evaluating a potential software solution that may reduce the risk of users misdirecting email correspondence.
- According to IRCC, the employee responsible for the breach had the necessary tools and training to be able to process mass mailouts of this nature, including access to the Job Aid. Following the breach, IRCC reported that the employee was informed of the serious impact of their actions, and the responsibility of responding to these types of enquiries was immediately reassigned to another individual within the unit. The employee was also required to attend departmental training to increase privacy knowledge. [Footnote 10]
- IRCC confirmed that all employees in that unit were met by their manager in group meetings in the days following the breach (between October 22 and 27, 2021) to remind employees of the importance of privacy in their daily tasks. Those employees have all completed the training course: “Protecting and Giving Access to Information at CIC”. [Footnote 11] In addition, IRCC communicated several privacy reminders to its employees following the breach, which referenced the tools, resources and learning opportunities available to IRCC employees to ensure the safeguarding of personal information.
- In our view, these are positive mitigation measures which are now embedded in IRCC’s procedures and training. [Footnote 12] We also found that IRCC’s implementation of a new “Special Measures” web form to streamline the processing of ‘Afghanistan client enquiries’ is a positive mitigation step; however, we noted that this measure cannot completely eliminate the possibility of individuals contacting the department from their personal email account, which is what happened in this case. This underscores the importance of having comprehensive procedures and training in place, and to ensure that IRCC can effectively manage a potential similar situation in the future.
- Notwithstanding the positive measures taken above, and as IRCC had indicated as their intent (see paragraph 21), we recommended that IRCC explore and secure additional technological security measures to reduce the risk of inappropriate disclosures of personal information in the context of bulk communications.
Issue 3: IRCC’s response to mitigate the impact on affected individuals was adequate
- The Directive on Privacy Practices [Footnote 13] – subsection 6.1.2 – makes heads of government institutions or their delegates responsible for establishing a plan for addressing privacy breaches within their institution. Further, section 4 of the TBS Guidelines for Privacy Breaches [Footnote 14] strongly recommends, to the extent possible, that institutions notify all affected individuals “as soon as possible following a breach to allow individuals to take actions to protect themselves against, or mitigate the damage from, […] other possible harm”.
- IRCC’s Privacy Breach Guidelines include procedures for responding to privacy breaches. The Guidelines state that upon discovery of a suspected privacy breach, immediate steps must be taken to contain the breach, and the ATIP Division must be notified within 48 hours so that a risk assessment can be conducted. The Guidelines also require IRCC to notify affected individuals as soon as possible by sending a letter of apology.
- We would expect an institution to take reasonable steps to mitigate potential risks of harm resulting from a contravention of the Act. In this case, IRCC demonstrated that upon being alerted to the breach by two individual recipients of the emails, prompt action was taken to assess the risks and take mitigation measures.
- IRCC had limited information about the email recipients, which made it difficult to assess both the risk of misuse and the sensitivity of the information for each individual. Nevertheless, IRCC’s risk analysis included an analysis of the email addresses disclosed in the breach (with a view to determining the country or region of individuals affected [Footnote 15]), and an analysis of whether IRCC records could be linked to those email addresses. The inability to fully assess the likelihood of the emails being shared in the public domain was a key consideration in IRCC’s analysis.
- IRCC’s review determined that the majority of the email addresses were not affiliated with an open application or record with IRCC. However, IRCC reported that 21 individuals were confirmed to have a record or current application with IRCC, and prompt action was taken in line with the facilitative measures put in place to support those affected by the crisis in Afghanistan. [Footnote 16] Of those 21 individuals, IRCC contacted 7 individuals who appeared to be residing in Afghanistan at the time. IRCC reported that most of those individuals were at the admissibility stage of processing, some had already left Afghanistan and one individual had arrived in Canada. Beyond the facilitative measures in place to support those affected by the crisis, IRCC stated that it could not offer any further direct protection to individuals who may have still been in Afghanistan at that time given IRCC no longer had a presence in Afghanistan.
- On October 22, 2021, four days after the breach, IRCC notified all individuals affected by the breach. This alerted the individuals to the incident so that they could take steps to assess the risk of impact (i.e., risk to personal safety). The notification also highlighted potential risks that the recipients might not have considered, such as the risk of individuals using the email list and misrepresenting themselves as the Government of Canada, and provided advice and information on the format of the Government of Canada’s email and on ways to recognize phishing emails or calls. The notification included a designated IRCC telephone number for crisis situations and invited affected individuals to contact IRCC by phone (collect calls accepted) should they have any questions regarding the breach, or other communications received claiming to be from the Government of Canada or IRCC. IRCC also requested that individuals delete all copies of the email received in order to protect the privacy of the other individuals affected.
- IRCC reported that the CSC monitored incoming calls and emails to identify any that may have been related to the breach. Employees in the CSC were provided guidance on how to respond to breach-related calls and instructed to flag any calls to management if received. IRCC indicated that it did not receive any calls about the breach through the crisis telephone number.
- Given the crisis in Afghanistan and the highly sensitive context in which these individuals had contacted IRCC, it was, in our view, crucial that IRCC notify individuals of the breach as soon as reasonably possible, which it did in this case. In our view, this is an important practice when a breach of sensitive information occurs, and a key mitigation strategy to lessen any damage and negative impacts from the breach.
- Notwithstanding the positive remedial actions taken by IRCC in response to the breach which were reasonable and immediate, this breach created a risk of significant harm to more than 600 individuals who may have feared reprisals from the Taliban and were seeking emergency assistance and protection from the Government of Canada. This risk cannot be fully eliminated after a breach. As a result, we noted that it is imperative for IRCC to strengthen its prevention mechanisms to ensure a similar incident does not occur.
- Given the highly sensitive nature of the information and the potential ramifications for individuals’ personal safety in the case of a breach, we underscored to IRCC that they must: (i) have robust protections and procedures in place as part of its security architecture to ensure that a human error does not automatically result in a breach, and (ii) continuously assess its prevention mechanisms to mitigate the risk of an accidental disclosure.
Findings and Recommendations
- Given that the disclosures of personal information in this case were done erroneously, without an appropriate purpose, we found IRCC to be in contravention of the disclosure provisions of section 8 of the Act and the complaint to be well-founded.
- Our review found that IRCC took reasonable measures following the breach, including: revising and updating its internal procedures for sending mass emails, training and instituting a secure webform for all future similar enquiries. We also found that IRCC used important mitigation strategies to lessen the impact of the breach on affected individuals, including notifying affected individuals and requesting that all copies of the emails received by recipients be deleted.
- However, we also noted that IRCC cannot effectively mitigate all potential negative impacts of this breach on affected individuals. Given the highly sensitive nature of such communications, prevention of future similar breaches is key. The significance of a breach of this nature and the potential ramifications for the individuals impacted should be reflected in IRCC’s breach prevention efforts. We were encouraged by IRCC’s recognition that greater staff awareness is an essential element to prevention, and its stated intent to continue exploring technology tools to mitigate the risk of human error when sharing inherently sensitive personal information electronically.
- In light of the above, to resolve this matter, we asked that IRCC commit to providing our Office with an update by March 3, 2023, outlining the further technological measures that it has secured and implemented to mitigate the risk of misdirected email correspondence.
- IRCC fully accepted our recommendation and has committed to providing a fulsome update on these measures by March 3, 2023. In the interim, IRCC has shared with our Office certain additional technological and procedural measures it has taken to date to prevent future similar breaches, as outlined below:
- IRCC reported that a software solution has been recommended for implementation to reduce the risk of users misdirecting email correspondence (see paragraph 21);
- IRCC indicated that it has leveraged the lessons learned from this breach to develop a strategy to prevent the circumvention of existing procedures in the face of a crisis situation. IRCC’s strategy includes providing access as soon as possible to the relevant tools needed to manage enquiries (i.e., special measures web forms for clients, and capacity for CSC agents to manage these enquiries via the email management system rather than a standard Outlook mailbox). IRCC also noted that it is considering technology solutions to manage the enquiries it may receive when a crisis arises and before these secure tools may be available, including a solution that would allow the bulk processing of emails to each email recipient successively (instead of one email to multiple recipients);
- Lastly, IRCC reported that it is also developing new tools to assist employees in fulfilling their privacy obligations, and to empower employees through training and awareness to identify, evaluate and mitigate privacy risks. IRCC stated that its “aim is to have privacy as the default so that robust protections are in place before personal information is collected or used”.
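The following is an added example, not IRCC’s code, of a pre-send guard that enforces the controls described in the revised procedure (Issue 2) and in the additional measures above: group recipients only in BCC, a cap of 25 recipients per message, a recorded manager verification before anything is sent, and the alternative of one message per recipient sent successively. The do-not-reply address, the approver name and the recipient addresses are constructed placeholders.

```python
"""Pre-send guard for bulk email: refuses any message that would expose group
recipients to each other, enforces the per-message recipient cap, and requires
a recorded manager approval before handing messages to the mail transport."""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Callable, Iterable, List

MAX_BCC_PER_MESSAGE = 25                   # cap taken from the revised procedure in the report
NOREPLY = "do-not-reply@example.invalid"   # placeholder for the restricted shared sender address


def _addresses(msg: EmailMessage, header: str) -> List[str]:
    """All addresses found in a header, lower-cased, display names dropped."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _dedupe(recipients: Iterable[str]) -> List[str]:
    """Normalise and de-duplicate addresses while keeping their order."""
    return list(dict.fromkeys(a.strip().lower() for a in recipients if a.strip()))


def _draft(sender: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def check_outgoing(msg: EmailMessage, max_bcc: int = MAX_BCC_PER_MESSAGE) -> List[str]:
    """Return the policy violations for a drafted message; an empty list means it may be sent.

    The first rule is the one that failed in the breach: recipients of a group mailout must
    not be able to see each other, so To/Cc may hold at most one address other than our own
    sender address and everyone else belongs in Bcc.
    """
    sender = next(iter(_addresses(msg, "From")), "")
    visible = [a for a in _addresses(msg, "To") + _addresses(msg, "Cc") if a != sender]
    hidden = _addresses(msg, "Bcc")
    problems = []
    if len(visible) > 1:
        problems.append(f"{len(visible)} recipients can see each other in To/Cc; use Bcc")
    if len(hidden) > max_bcc:
        problems.append(f"{len(hidden)} Bcc recipients exceeds the limit of {max_bcc}")
    if not visible and not hidden:
        problems.append("message has no recipients")
    return problems


def build_bcc_batches(recipients: Iterable[str], subject: str, body: str,
                      sender: str = NOREPLY, max_bcc: int = MAX_BCC_PER_MESSAGE) -> List[EmailMessage]:
    """Split a recipient list into messages of at most max_bcc addresses, all placed in Bcc.
    To carries only the sender address, so no external recipient is ever exposed."""
    people = _dedupe(recipients)
    batches = []
    for start in range(0, len(people), max_bcc):
        msg = _draft(sender, subject, body)
        msg["To"] = sender
        msg["Bcc"] = ", ".join(people[start:start + max_bcc])
        batches.append(msg)
    return batches


def build_individual_messages(recipients: Iterable[str], subject: str, body: str,
                              sender: str = NOREPLY) -> List[EmailMessage]:
    """One message per recipient: the 'send to each recipient successively' option."""
    out = []
    for addr in _dedupe(recipients):
        msg = _draft(sender, subject, body)
        msg["To"] = addr
        out.append(msg)
    return out


def send_guarded(messages: List[EmailMessage], transport: Callable[[EmailMessage], None],
                 approved_by: str) -> int:
    """Hand messages to `transport` only if a manager approval is recorded and every message
    passes check_outgoing; otherwise refuse the whole mailout (no partial sends)."""
    if not approved_by.strip():
        raise PermissionError("bulk send requires a recorded manager approval (two pairs of eyes)")
    violations = {i: p for i, m in enumerate(messages) if (p := check_outgoing(m))}
    if violations:
        raise ValueError(f"bulk send blocked: {violations}")
    for msg in messages:
        msg["X-Approved-By"] = approved_by   # audit trail of who verified the mailout
        transport(msg)
    return len(messages)


def demo() -> dict:
    """Reproduce the failure mode with constructed addresses and show the guard catching it."""
    people = [f"applicant{i:03d}@example.invalid" for i in range(636)]   # constructed, not real data
    subject, body = "Information on special measures", "Please see the links below."
    mistaken = _draft(NOREPLY, subject, body)
    mistaken["To"] = ", ".join(people[:200])     # everyone in To: the error described in the report
    sent: List[EmailMessage] = []
    batches = build_bcc_batches(people, subject, body)
    count = send_guarded(batches, sent.append, approved_by="manager.placeholder")
    return {"mistake_flagged": check_outgoing(mistaken), "batches": len(batches),
            "sent": count, "last_bcc": len(_addresses(batches[-1], "Bcc"))}


if __name__ == "__main__":
    print(demo())
```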
- In our view, the above additional measures will significantly enhance IRCC’s breach prevention efforts.
- In light of the above, we therefore consider the complaint to be well-founded and conditionally resolved.
- One of the most common causes of data breaches reported to our Office relates to the sending of personal information to unintended recipients, including the unintended disclosure of personal information when sending information to groups electronically (i.e., using the “TO” field, instead of the “BCC” field). [Footnote 17] While email may be an efficient and often preferred method of communication, there are inherent risks when sending information electronically, and in many cases, human error is involved.
- Our recent Annual Report to Parliament highlighted that 93% of the breach reports received by our office in 2021-22 involved human error, which further highlights the need for organizations to implement appropriate safeguards and to strengthen privacy awareness to ensure employees are aware of policies, procedures and legal responsibilities under the Act. This is an essential part of ensuring that organizations remain accountable for the personal information they collect, use and disclose. [Footnote 18]
- In this case, the breach was not the result of human error in isolation. IRCC adapted its processes to respond more efficiently to the volume of requests related to the crisis situation in Afghanistan, and in doing so, failed in our view to fully recognize or proactively manage the risks relating to how it communicated with these individuals. This highlights the importance of ensuring that adequate administrative controls and procedures are in place to reduce the risk of accidental disclosures when sending information electronically – particularly if the personal information is inherently sensitive and could pose potentially significant risks to the safety and well-being of individuals if disclosed in error.
- Given IRCC’s mandate, employees have access to a high volume of sensitive personal information which can equate to high risk should the personal information be disclosed in error. It is important that employees are knowledgeable about the requirements of the Act when handling personal information. It is also crucial that employees are aware of the potential risk for harm to the safety and security of at-risk individuals who may be seeking emergency assistance from the government. Therefore, consistently assessing the risks presented to individuals from contraventions or potential contraventions of the Act is an important foundational step in properly remediating the risks to individuals.
- Finally, we would like to express our appreciation to IRCC for its open and collaborative engagement with our Office during this investigation. IRCC’s evident commitment to improve the department’s security architecture with robust protections and procedures should ensure greater accountability for the protection of client privacy rights.
IRCC committed to implementing the corrective actions recommended in the Report of Findings. Based on the information we received from IRCC, we were satisfied with IRCC’s actions to implement the recommendations. We now consider this matter closed.