The federal privacy watchdog says a data breach at a contractor for Canada’s border agency involved as many as 1.38 million licence plate images and associated information.
In a report detailing its investigation, the privacy commissioner’s office cites inconsistencies in the way the Canada Border Services Agency managed licence plate information and a lack of security measures.
It highlights the absence of adequate contractual clauses to ensure the border agency’s private-sector partner was properly protecting the information.
The report, though completed in May, was tabled Thursday in Parliament as part of privacy commissioner Philippe Dufresne’s annual report.
The watchdog initiated a complaint and began its probe following 2019 media reports of a cyberattack on a U.S.-based third-party contractor used by both the Canadian border agency and its American counterpart.
At the time, Canada’s border agency told the privacy commissioner the breach included approximately 9,000 photos of licence plates collected from travellers entering Canada at the Cornwall, Ont., border crossing.
The investigation revealed the number of Canadian border agency licence plate image files compromised in the breach was much higher — up to 1.38 million, including duplicates.
The report says that of those, about 11,000 were posted on the dark web — the shadowy, underground reaches of the internet.
It also found the image files included metadata containing the relevant province or state associated with the licence plate, the date and time the image was taken, and the numerical code representing the border crossing site, along with the lane number.
The border agency told the commissioner it did not consider the licence plate images to be personal information. However, the report says, the agency’s assessment did not take into account the associated metadata revealing time, date and location.
The privacy watchdog found the files did amount to personal information under the Privacy Act for some individuals.
Although some personal details — for example, medical records and financial data — are almost always considered to be sensitive, any personal information can be sensitive, depending on the context, the report says.
“This investigation highlights the value of program, contracting and privacy specialists working together to assess if the information being collected in the delivery of programs and services is considered personal information and to develop contracts with appropriate privacy clauses to protect it.”
The commissioner’s office ultimately concluded its self-initiated complaint was well-founded, as the border agency contravened provisions of the privacy law concerning disclosure of information.
The office recommended the border agency review its contract with the service provider to make it clear that licence plate image files constitute personal information and therefore require “appropriate safeguards for storage, use, access and destruction.”
The commissioner says an important lesson in the case is that privacy obligations apply whether the data is processed by a government agency or a contracted third party acting on its behalf.
The commissioner considers the complaint to be resolved based on the border agency’s response to the probe and acceptance of the recommendations.
—Jim Bronskill, The Canadian Press