On October 13, 2020, the Office of the Privacy Commissioner of Canada (the OPC) announced it had launched investigations into recent cyber security incidents targeting Government of Canada organizations including the Canada Revenue Agency (as reported previously by the E-TIPS® Newsletter here).
The OPC opened two investigations addressing the security incidents. One will focus on cyberattacks on the GCKey, an electronic credential issued by the Canadian government to provide users access to online services, while the other will probe the cyberattacks on Canada Revenue Agency accounts.
The security incidents used a tactic called "credential stuffing", whereby cyberattackers use passwords and usernames from previous cyberattacks in an attempt to see whether individuals used the same username and password combinations for other accounts.
The investigations circle around whether the government institutions who fell victim to the security incidents met their obligations under the Privacy Act, Canada's public sector privacy law.
Summary By: Hashim Ghazi
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.