Since November 1st, 2018, The Office of the Privacy Commissioner of Canada has received 680 security breach reports, which is six times the volume received during the same period one year earlier.

According to the The Office of the Privacy Commissioner of Canada's report, the Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect Nov. 1st, 2018. Organizations subject to PIPEDA are required to report any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals. They also need to notify affected individuals about those breaches, and keep records of all data breaches within the organization. Previously, data breach reporting was done on a voluntarily basis.

"Since reporting became mandatory, we’ve seen the number of data breach reports skyrocket. Some of those reports have involved well-known corporate names, but we have also seen significant volumes coming from small- and medium-sized businesses," says a blog post. 

According to the blog, the number of Canadians affected by a data breach is more than 28 million, including some of the huge breaches that have made the headlines – Desjardins and Capital One, for example. The majority of reported breaches – 58 percent – involved unauthorized access.

"We have seen a significant rise in reports of breaches affecting a small number of individuals – often just one and sometimes through a targeted, personalized attack.  This is the correct approach to reporting: there can be risk of significant harm even when only one person is affected by an incident," notes the blog. 

Additional findings include:

  • roughly one in four of the incidents reported involved social engineering attacks such as phishing and impersonation. 
  • More than one in five data breaches reported over the past year involved accidental disclosure, including situations where documents containing personal information are provided to the wrong individual (for example, because an incorrect email or postal address was used, or an email was sent without blind copying recipients) or are left behind accidentally.
  • Situations where information may have been disclosed due to the loss of a computer, storage drive or actual paper files accounted for 12 percent of the breach reports.
  • Theft of documents, computers or computer components, which led to a data breach, accounted for 8 percent of the breach reports.