News release

Investigations highlight need for stronger measures to protect privacy at federal departments and agencies

Gatineau, QC, February 15, 2024 – Two separate investigations into the personal information handling practices of federal government departments and agencies underscore the need for stronger security safeguards and increased due diligence to better protect the privacy of Canadians.  

In two Special Reports to Parliament that were tabled today, the Privacy Commissioner of Canada (OPC) released his findings in a pair of investigations:

• A major privacy breach at Employment and Social Development Canada (ESDC) and the Canada Revenue Agency (CRA) involving vast amounts of sensitive personal information; and
• The Royal Canadian Mounted Police (RCMP)’s use of private-sector surveillance and monitoring services in law enforcement.

GCKey and CRA cyber-breach

The OPC investigated a cyber breach at the CRA and ESDC that took place from July to August 2020, allowing hackers to fraudulently access government services and apply for or redirect payments to themselves. The attack compromised the sensitive financial, banking, and employment data of tens of thousands of Canadians, leading to numerous cases of fraud and identity theft – including a high volume of fraudulent applications for COVID-19 Emergency Response Benefits (CERB). In the wake of the breach, CRA and ESDC notified affected individuals and worked with them to reverse fraudulent changes, offered credit monitoring services, and helped them to clear their names. 

The OPC’s breach investigation concluded that attackers were able to exploit weaknesses in security safeguards at ESDC and the CRA.

Among other things, the Report of Findings details how attackers used the CRA’s sign-in portal and ESDC’s “GCKey” authentication service to infiltrate online services by using stolen credentials (such as login information and passwords) from previous breaches – a technique known as credential stuffing. The attackers used these stolen credentials to access, modify, and create new online accounts of these stolen identities, which resulted in a range of negative impacts on individuals including financial hardship, damage to credit scores, invasion of privacy and emotional distress.

“Federal government departments and agencies are attractive targets for cyberattacks and must have robust safeguards to mitigate against breaches and protect the sensitive personal information and programs that they manage,” said Privacy Commissioner Philippe Dufresne. “If a breach does occur, it is crucial that organizations act promptly to remedy the situation and prevent further damage to those affected.”

The OPC found that both organizations had under-assessed the level of identity authentication that was warranted for these online services given the sensitivity of personal information that is involved. Moreover, ESDC and CRA had not taken the necessary steps to promptly detect and contain the breach, due in part to inadequate security assessments and testing of its authentication and credential management systems, and limited accountability and information sharing between departments.

Both organizations have agreed to implement the OPC’s recommendations, which include, improving communications and decision-making frameworks to facilitate a rapid response to attacks, and developing comprehensive incident-response processes to prevent, detect, contain, and mitigate future breaches, including by conducting regular security assessments.

RCMP Project Wide Awake

The OPC investigated the RCMP’s Project Wide Awake, which involves the use of third-party service providers to collect personal information from a range of sources, including social media, the dark web, location-based services, and fee-for-access private databases.

In its investigation, the OPC concluded that the RCMP must improve its processes when assessing private-sector surveillance and monitoring services before acquiring them. Similar concerns were raised in a previous OPC investigation involving the RCMP’s use of Clearview AI’s facial recognition technology.

Of particular concern was the RCMP’s contract with U.S. company Babel Street for its Babel X service. The investigation found that the RCMP did not take the necessary steps to ensure that the company’s collection of personal information complied with Canadian privacy laws.

“Policing is important and complex work that requires effective tools for today’s digital environment,” Commissioner Dufresne said. “Rigorous vetting of privacy impactful third-party services is essential to ensure that the fundamental right to privacy is respected.”

The OPC recommended that the RCMP conduct comprehensive assessments to get a reasonable level of assurance that its third-party services are compliant with relevant privacy laws. It also recommended that the RCMP be more transparent with Canadians about its collection of personal information from open-source intelligence gathering, and about the purposes for which the different types of information collected may be used.

At the conclusion of the investigation, the RCMP had not committed to implementing the OPC’s recommendations.

Further reading:

• Investigation of unauthorized disclosures and modifications of personal information held by Canada Revenue Agency and Employment and Social Development Canada resulting from cyber attacks – Special report to Parliament
• Investigation of the RCMP’s collection of open-source information under Project Wide Awake – Special report to Parliament

For more information

Office of the Privacy Commissioner of Canada
communications@priv.gc.ca