I don't envy those who will have to clean up a 1.5 TB data breach going back to the last millennium, involving compromised personal information shared with up to 8000 suppliers*.
While the cyberattack was confirmed as far back as September, formal conclusions have yet to be published, so I'm going to take a moment to offer a few suggestions for Privacy Commissioner investigators and reporters to follow, or to disclose in any media coverage of this type of privacy incident:
1. While it's important to establish what private data was stolen, it is also crucial to help the public understand the risk of harm from the event.
2. Asking questions about the vast network of vendors is appropriate, to help the public determine how much family member information is included and whether it has found its way outside Canada.
3. The vast data trove appears to belong to Armed Forces and law enforcement personnel, whose financial and location data may pose a safety risk.
4. While being sensitive to the reputational damage that may be caused to the companies' vendors, it is important to understand exactly which security controls have been in place to protect the victims for the past quarter century.
Finally, when covering and/or investigating this type of event, professionals should empower the public to ask the right questions when faced with similar situations, with a focus on data confidentiality, access controls, retention limits and secure data destruction, cyber insurance, and regular risk assessment.
*CBC: "BGRS has been providing relocation services to the Canadian government since 1995. According to an online DND document, it administers 20,000 federal moves each year involving over 8,000 suppliers."