Recent Breach Cases of the OPC Malcolm Townsend, IT Research Analyst, CISSP

Page 1

Recent Breach Cases of the OPC

Malcolm Townsend, IT Research Analyst, CISSP

Page 2

Overview

• Background

• OPC Mandate

• Current Trends

• Privacy Breach Cases

• Lessons Learned

• How to prepare for a privacy breach

Page 3

Background

• My role at the OPC

• Privacy breaches often have a technological component

• Examples encountered at the OPC include:

– websites and applications

– lost or stolen mobile devices

– unencrypted portable devices

– unpatched systems

Page 4

Page 5

Page 6

OPC Mandate

• Oversight

– Investigates complaints under the Privacy Act (federal government) and PIPEDA (private sector)

– Negotiates and persuades to find solutions

– Makes recommendations based on findings

• Public Education/Guidance

Page 7

The 10 Privacy Principles

1. Accountability

2. Identifying Purposes

3. Consent

4. Limiting Collection

5. Limiting Use, Disclosure and Retention

6. Accuracy

7. Safeguards

8. Openness

9. Individual Access

10. Challenging Compliance

Page 8

Page 9

Current Trends

• 63% of data breaches involve weak, default or stolen passwords

• 30% of people open phishing messages; 12% click on attachments

• 83% of compromises took weeks or longer to discover

• 75% of breaches are detected by someone else

• 85% of exploits come from top 10 vulnerabilities

Page 10

Current Trends

Entries      Database           Hashing Algorithm   Category         Dump date
58,848,308   ModBSolutions.com  No passwords        Business         2016-10
11,872       NewMiniClub.nl     MD5(phpBB3)         Agriculture      2016-10
1,922        NVPC.nl            Plaintext           Plastic Surgery  2016-10

Page 11

Page 12

Page 13

Current Trends

2016 Cost of Data Breach Study: Canada

Average cost per stolen record: 278 CA$

Average cost of data breach: 6.03 M CA$

Mean time to detect and contain an incident: 239 days

Page 14

Some cases

Page 15
Page 15: Recent Breach Cases of the OPC Malcolm Townsend, IT ...€¦ · OWASP ToP 10 (2013) A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure

ESDC Hard drive (Privacy Act)

• Safeguards

– Physical

– Policies

– Technical

– Administrative

Page 16

Page 17

Page 18

• Data Disclosed

Page 19

Location of Ashley Madison Users

Page 20

Investigative Team

• Joint investigation between Australia and Canada

• Multidisciplinary team:

– Investigators

– Lawyers

– Technical Analysts

Page 21

Timeline

?: Attacker initial access

12 July 2015: ALM detects breach

20 July 2015: ALM reports breach to OPC

18 and 20 Aug. 2015: Stolen info published on Web

21 Aug. 2015: Commissioner Initiated Complaint (CIC)

22 Aug. 2016: OPC-OAIC Final Report

2017: Compliance Agreement

Page 22

Consent and transparency

Page 23

Findings – Safeguards

ALM’s security was lacking the following key elements:

– appropriate safeguards in the circumstances;

– a coherent and adequate governance framework;

– an explicit risk management process;

– properly documented information security policies or practices; and

– adequate staff training.

Page 24

Findings – Other principles

• Retention

• Accuracy

• Consent and transparency

Page 25

Case 2014-004 – Data Processor

Page 26

Privacy Breach Lessons Learned

– Improve Safeguards

Page 27

Safeguards Lessons Learned – Use Industry Best Practices

Page 28

Top 5 out of 20 CIS Controls*

* https://www.cisecurity.org/critical-controls.cfm

Page 29

OWASP Top 10 (2013)

A1 Injection

A2 Broken Authentication and Session Management

A3 Cross-Site Scripting (XSS)

A4 Insecure Direct Object References

A5 Security Misconfiguration

A6 Sensitive Data Exposure

Page 30

OWASP Top 10 (2013)

A7 Missing Function Level Access Control

A8 Cross-Site Request Forgery (CSRF)

A9 Using Components with Known Vulnerabilities

A10 Unvalidated Redirects and Forwards

Page 31

Page 32

How to Prepare For a Privacy Breach

• You need a Breach Response Plan

• Think about your team (insource or outsource) and its leader

• Train your staff

• Review data retention and destruction policies

• Review security policies

• Know the law

Page 33

Key factors that should alert organizations to greater risk of a breach

Universal

• Organizations in same sectors where breaches have been reported

• Vulnerabilities that are being exploited in software packages, applications or tools used by the organization, reported in the news

Organizational

• Sudden changes in reported scanning/logging

• People as a threat vector

• Mergers and acquisitions

• Sudden staff turnover

• Planned layoffs

• Boom economy

Page 34

In Summary

• Understand implications of Laws, Regulations and Policy Instruments applicable to your organization

• Ensure privacy and security controls are in place during the system life cycle

• Importance of complying with organizational policies and procedures

• Ensure your controls meet your organizational objectives

• Prepare yourself for a breach

Page 35

Don’t be the next victim!

Page 36

OPC Resources:

• Privacy Toolkit: A Guide for Businesses and Organizations

• Getting Accountability Right with a Privacy Management Program

• Ten Tips for Reducing the Likelihood of a Data Breach

• Key Steps for Organizations Responding to a Privacy Breach

• Securing Personal Information: A Self-Assessment Tool for Organizations

• Investigations into businesses

Page 37

www.priv.gc.ca

@PrivacyPrivee

1-800-282-1376