Due diligence needed to avoid data breaches – intentional or not

Drake’s database of job applicants targeted by hackers

It was early on a Monday morning when a number of senior people at Drake International received an unexpected email. A group called Rex Mundi claimed to have hacked into one of Drake’s databases and gained access to more than 300,000 job applicant records from Canada, Australia, New Zealand and the United Kingdom.

The Jan. 7 email apparently demanded Drake pay $50,000 or the data would be exposed, and the group eventually went on Twitter with a link to a website reiterating its demands.

But Drake did not respond to the threats and instead went to the police, who advised the company not to co-operate with the extortionists and to focus instead on the issues at hand, said Tony Scala, vice-president of marketing at Drake in Toronto, “which was ensuring our database was secure and informing any of the individuals who might have been affected by the security breach.”

The breached database was older, from 2004, and primarily included candidates who contacted Drake looking for opportunities or were responding to a job ad, he said. There was also a small database listing a few hundred employers that had registered on one of Drake’s websites to access content such as white papers and reports.

There was no banking information involved, said Scala.

“None of our databases store personal tax information, government identification numbers or any personal banking details, so they would have received general information — first and last names, phone numbers, email address — but probably the most important thing that they would have secured was password information and any password hints that individuals would have used.”

After the breach, Drake hired a security company to conduct a security assessment and penetration test, said Scala, and it’s continuing to work with its IT department to make sure the necessary improvements are made to secure all the company’s databases.

“A lot of this technology’s still relatively new and we’re on a very large learning curve. In addition, there are some very aggressive hacking groups out there that spend an enormous amount of time and resources trying to get into databases and seem to be very successful with some very large brands, and even with our government,” he said.

These kinds of breaches — intentional or not — are making the news more often, whether it’s Twitter, LinkedIn, Sony Playstation or Human Resources and Skills Development Canada (HRSDC). That’s partly because more data — which is increasingly sensitive — is being transmitted electronically, said Trevor Lawson, a partner at McCarthy Tétrault in Toronto.

“(People) actually are quite comfortable providing that kind of data online because we have an expectation or put some trust in the organization that’s receiving it that they have exercised all due diligence in ensuring that our information can be transmitted, stored and used by that organization in a way that will protect the confidentiality and security of our information.”

Legal concerns

But courts are increasingly recognizing the significant day-to-day risks to individuals’ personal information being improperly accessed and disclosed, and placing liability for that breach on organizations that haven’t taken steps to properly protect that information, said Lawson.

Companies looking to outsource the intake and classification of applications and machine reading of resumés, in the interest of efficiency and automation, should look beyond cost savings, said David Fraser, a privacy and Internet lawyer at McInnes Cooper in Halifax.

“They should also be asking their service providers questions about security. And they should have, in the agreement, representations and warranties about the safeguards... and there should be an obligation to notify the company if information is compromised, if information is hacked.”

Even if data is outsourced and, for example, managers log into a website to review applications, it’s likely the employer that’s on the hook when it comes to legal obligations because the service provider is acting as an agent, he said.

“They need to ask their service provider difficult questions about security: What sort of audits do they have? What sort of safeguards do they have in place? Do they comply with international standards related to security and safeguards? They should make sure that they’ve done their due diligence because they may be called upon to answer for that.”

Outsourcing or moving data to the cloud or a third party does not absolve an employer of its obligation to protect the data, said Chester Wisniewski, a senior security advisor at Sophos Canada in Vancouver.

“It’s fine to outsource all the unimportant stuff but the stuff that you know could be really damaging you should keep in-house and make sure it’s being done properly. Because you can’t really be assured that a third party is going to handle it properly and you are on the hook for it. So you should treat the data as if it was your own.”

These kinds of breaches are disturbingly common, said Wisniewski.

“But we don’t really know how bad it really is because in Canada we don’t have any data breach notification laws, so most companies in my experience sweep it under the carpet and hide.”

Alerting those affected

More and more jurisdictions have breach notification laws, which require organizations to notify affected individuals, said Fraser. However, only Alberta has such a law in Canada — in contrast to most of the United States.

“But if you’re in Drake’s shoes, you don’t have a whole lot of credibility if you only notify people in California or the people in Alberta. So when these things happen and they’re discovered, they’re reported. And businesses are quickly learning you need to get in front of it, you need to come clean, you need to notify people because how a business responds to it is as important as the breach in the first place,” he said. “Mistakes happen, accidents happen — nobody’s perfect. But if you come across as being evasive or kind of minimizing the impact of it or shifting blame, there goes your trust and credibility.”

There has also been a push for amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), through Bill C-12, that would require federally regulated organizations, in regard to commercial acts, to notify the federal privacy commissioner and, in certain circumstances, individuals who are affected by a breach or any unauthorized access or disclosure of personal information, said Lawson.

“That would encompass a very, very broad range and I would say most organizations would err on the side of inclusiveness in reporting, rather than run afoul of PIPEDA and expose themselves to civil claims as well.”

It’s also important to properly dispose of information found in older databases, once all legal obligations have expired, he said.

“It sounds like with Drake that’s one thing that might have minimized the degree of the information hacked into.”

Drake also apparently failed to encrypt the stolen data, said Wisniewski, but it wisely ignored the extortionists.

“(Employers) may save themselves a little bit of temporary bad press because they think they’re hiding it but, in the end, a lot of that information gets sold on to the underground anyway and their customers end up being victims of identity theft, or credit card fraud and then it still comes back to them in the end.”

Before the incident, Drake did not have a policy to deal with this kind of breach, said Scala.

“We do now. It’s important for all companies to be a bit more proactive,” he said. “It’s one of those things you think would never happen to us, and, surprise, it did.”