Ontario: IPC concludes investigation of Durham Region's data breach
The Office of the Information and Privacy Commissioner of Ontario ('IPC') announced, on 18 January 2022, its decision in Resolution MR21-00033 to conclude its investigation into the Regional Municipality of Durham ('the Region'), following a breach which was traced to the Region's use of Accellion File Transfer Appliance ('FTA') software.
Background to the investigation
The Region was a victim of an effort by cyber actors to exploit certain vulnerabilities in Accellion FTA in late 2020 and early 2021. Following its own investigation, the Region reported that, on or around 20 January 2021, an unauthorised party gained access to its data by exploiting the aforementioned vulnerability and subsequently exfiltrated personal information and personal health information ('PHI') from documents in its system. Further, the Region was advised that it was a victim of a cyberattack following a ransom note relating to this matter dated 25 March 2021.
In its report to the IPC, the Region noted that approximately 105,945 individuals had personal information or PHI affected, or potentially affected, by the breach, including names, dates of birth, contact information, genders, parents/guardians, workplaces, employment histories, and connections to employee assistance programs, among other things. Furthermore, the Region notified the IPC of the breach, published information about the breach on its website, and sent written notices to affected individuals.
Findings of the IPC
Following its investigation, the IPC determined that, at the time of the reported breach, the Region appeared to have had a number of reasonable measures in place to protect itself from a cyber breach of the kind that occurred, including patch management procedures, updates to critical vulnerability procedures, and a retention policy.
Outcomes
In light of the safeguards taken by the Region and the circumstances of the reported breach, the IPC was satisfied that no further review was required.
You can read the press release here and the resolution here.