Massive Facebook data breach affecting millions of Canadians was not reported to federal privacy watchdog
Anja Karadeglija 2021-04-06
The federal privacy commissioner’s office hasn’t heard from Facebook regarding a massive global data leak that looks to have included 3.49 million Canadian accounts, and is “actively following up with the company,” according to a spokesperson.
Photo: Federal Privacy Commissioner Daniel Therrien. (Provided by National Post)
Over the weekend, a cybersecurity expert revealed that data relating to 533 million Facebook accounts worldwide had been leaked online. Alon Gal, the chief technology officer of cybersecurity company Hudson Rock, said the leaked database includes information about users’ phone numbers, past and current locations, birthdates, relationship statuses, bios and, in some cases, email addresses.
Gal said 3.49 million Facebook users in Canada were affected. Canada’s privacy law requires organizations to report breaches to the federal privacy commissioner, and notify affected individuals, for breaches “involving personal information that pose a real risk of significant harm to individuals.”
A Facebook spokesperson said in an email that “this is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.” According to Gal, the data came from a vulnerability that was exploited in early 2020.
“It sounds like it’s the recurrence of an earlier leak, in that this is a copy of data that was part of an earlier data breach” and that information has now been “up and posted on the dark web,” Teresa Scassa, the Canada research chair in information law and policy at the University of Ottawa, said in an interview.
Facebook did not answer questions about how many Canadian accounts were involved, and refused to say whether it considers the leak to fall under mandatory breach reporting rules.
The Liberal government has come under some criticism for dragging its feet on legislation it tabled in the fall to strengthen and reform its private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Bill C-11 would give new powers to the privacy commissioner, create a new administrative tribunal that can levy fines, and “significantly increase protections to Canadians’ personal information by giving Canadians more control and greater transparency when companies handle their personal information,” the government said when the legislation was announced.
“The government’s decision to introduce Bill C-11 and then allow it to languish in the House of Commons without even engaging in debate or committee study is incredibly disappointing,” Michael Geist, professor and Canada research chair in Internet and e-commerce law at the University of Ottawa, said in an email.
Geist has argued the government has prioritized legislation like the Broadcasting Act update in Bill C-10 over its privacy reform in C-11. Both were introduced at the same time in November, but the privacy bill is still in its first reading, while the broadcasting bill is in its second reading and has been under study at the Heritage committee since February.
Geist said that despite “claims of prioritizing privacy, the government has demonstrated little interest in improving Canada’s privacy laws, since introducing a bill without more is privacy theatre, not privacy protection.”
Asked about those criticisms, a spokesperson for Innovation Minister François-Philippe Champagne stated the government is “committed to ensuring that Canadians’ personal information is safe and secure and that their privacy is respected in these digital spaces.”
Communications director Louis Hamann said in an email that “Bill C-11, should it be passed into law, will provide world-class privacy and data protection for Canadians.”
Scassa said in an interview that for years, there was frustration with PIPEDA and calls for its reform, and then a “long wait” for the bill to be introduced. Since it was tabled, the bill hasn’t moved as quickly as some observers thought it would, Scassa said, though she noted it’s a piece of legislation that won’t be easy to pass without a lot of debate and discussion regardless.
She added that there are concerns that “if we’re looking at an election in the reasonably short term that the bill won’t get through before the election.”
Meanwhile, data breaches involving Canadians’ information have continued to occur. In 2019-2020, the privacy commissioner’s office received 678 breach reports, which affected an estimated 30 million Canadian accounts.
“I think that’s the challenge, that these things continue to happen and they seem to be happening on an even bigger scale all the time. And we look to legislation to protect us and the legislation is out of date and not keeping pace,” Scassa said. “And the government just doesn’t seem to be able to get it together to get privacy reform done, so it’s enormously frustrating.”