Multiple breach incidents as a result of password reuse

Incident case summary #2017-001

Various dates in 2017

---

Incidents

In 2017, the Office of the Privacy Commissioner of Canada received several breach reports from companies that suspected their systems had been accessed by unauthorized third parties using valid customer or employee login data. It is believed the unauthorized third parties obtained the login data from previous, unrelated breaches that resulted in usernames and passwords being published online.

Below is a summary of some of these breach incidents reported to our Office in 2017.

Incident #1 – Airline receives ransom demand after customers’ personal information disclosed online

An airline contacted our Office to report that an unknown third party had obtained access to its loyalty website and the profile information of approximately 25,000 of its loyalty program customers, all of whom were Canadian. The airline was contacted by the third party, who showed that it had posted the personal information of approximately 10% of the affected customers online. The third party also threatened to disclose the personal information of additional customers if the airline did not make payment to the third party.

After becoming aware of the incident, the airline:

• Contacted our office and our provincial counterparts in the relevant jurisdictions;
• Contacted the RCMP and their provincial counterparts in the relevant jurisdictions;
• Engaged external cybersecurity experts;
• Reset all affected passwords and reminded customers to change their passwords regularly;
• Issued a take-down notice to the website where the customers’ personal information had been disclosed;
• Introduced enhanced controls to mitigate the risk of recurrence;
• Retained external legal counsel to ensure that all statutory privacy obligations were met; and
• Issued a news release for the public and communicated internally with employees regarding the incident.

Following an internal investigation of the incident, the airline reported to our office that its internal systems had not been compromised and that it appeared that the third party had accessed its customers’ profile information using valid login credentials for each customer. The airline therefore surmised that the third party had purchased a list of stolen email addresses and passwords from an external source in the hopes that individuals had reused their passwords on multiple sites. According to the airline, where one of its customers had reused a previously stolen password, the third party was able to gain access to the customer’s account with the airline.

Incident #2 – Retailer – password reuse compromises the personal information of over 100,000 members

A retailer contacted our office to report that an unknown third party had been able to obtain the customer account information of over 300 of its loyalty members. After a post-incident analysis of the breach, the retailer updated the number of affected members to over 100,000.

Outcome

After becoming aware of the incident, the retailer:

• Alerted our office of the breach of customers’ personal information;
• Conducted an investigation to determine the incident’s scope and to reduce the risk of any recurrence;
• Notified all affected individuals;
• Introduced enhanced controls to mitigate recurrence risk;
• Shared pertinent threat information with peer organizations to help thwart the broader threat campaign believed to be occurring; and
• Posted an updated message to customers on the login page of its website indicating best practices for choosing passwords.

Following an internal investigation of the incident, the retailer reported to our office that its safeguards had not been breached, but that an unknown third party or parties had been able to access the account information using its customers’ login information (email addresses and passwords), which the retailer believed were obtained from external sources linked to previous privacy breaches in other organizations and other sources unrelated to the retailer.

Incident #3 – Digital media company notices unusual activity in rewards program accounts of its members

A digital media company reported seeing unusual behavior on a few dozen user accounts of its rewards program, where reward points were redeemed. Even though these accounts were logged into using valid usernames and passwords, the company noted that much of the unusual activity originated from a single IP address. As a result, the company believed the login credentials were obtained from other large data breaches. It believed the specific personal information lost as a result of the unauthorized access to its users’ accounts may have included members’ name, rewards points total and date of birth.

Outcome

After becoming aware of the incident, the company:

• Forced password changes and reinstated the points in the accounts that were accessed;
• Notified other members to change their passwords;
• Notified relevant law enforcement authorities;
• Considered changes to password creation processes to encourage individuals not to reuse passwords or not to use common or overly simple passwords;
• Communicated with other organizations about this breach in the event of further breach and security issues (such as password reuse and identifying information obtained in other breaches).

Final comments

Overall, our office considered each organization’s response to each incident appropriate.

Our office was satisfied with the actions taken by each company in response to the breaches, as well as with the number of organizational safeguards implemented in order to prevent a recurrence. Each organization demonstrated that it had taken positive steps to mitigate both risks to individuals and risks of recurrence of similar incidents.

Our office strongly encourages other organizations subject to PIPEDA to implement similar processes to prevent unauthorized access to their customers’ accounts that can result from password reuse.