Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Online contest database hacked

Incident Summary #9

Incident

A commercial organization was running an online contest open to the Canadian public. Entrants had to provide the organization with certain elements of personal information, including name, address, date of birth, sex, number of children, email address and contest password (but no financial information). The information was kept in a database hosted by a third-party service provider.

Abnormal activity in the database was noticed by the commercial organization. Quickly afterwards, the point of entry suspected to have been used by hackers to access the database was closed. The technical issue was then addressed and law enforcement as well as privacy commissioners with oversight over the private sector were notified. After the initial suspicions were confirmed, the commercial organization engaged the services of an independent cyber forensics investigator, who determined that the database had in fact been hacked. The organization then sent a formal notification to approximately 70,000 individuals affected by the hack. In its discussions with our Office, the organization reported that the breach resulted from security flaws on the part of the third-party service provider hosting the organization's database.

Outcome

After notifying our Office of the incident and engaging us in discussions, the organization introduced several changes to its practices in order to prevent a recurrence. Specifically, it:

  • advised that it would no longer collect dates of birth from customers for marketing purposes;
  • adopted a new policy whereby its legal department would be consulted before starting any online initiative involving a third party, which would include a detailed review and report produced in collaboration with the security team to authorize or refuse the initiative; 
  • implemented strict penalties for non-compliance with the policy (up to termination of employment);
  • added a definition of sensitive information to its policy, which included an individual’s date of birth; and
  • scheduled an employee privacy training session, where all employees from the marketing team would be required to attend.

Final Comment

Our Office is satisfied with the actions taken by the company in response to the breach as well as with the number of organizational safeguards that were implemented in order to prevent a recurrence, largely as a direct result of our Office’s involvement.

Date modified: