Data breach involving Cornwall border part of larger CBSA cache

In this Sunday, June 11, 2017, file photo, traffic lines up at the CBSA port of entry in Cornwall, Ont. (Newswatch Group/Bill Kingston, File)

CORNWALL – A data breach that involved information and images from Cornwall’s port of entry was part of a larger cache of data hackers accessed, the federal privacy commissioner revealed this week.

During the initial investigation, the Canada Border Services Agency (CBSA) told the privacy commissioner’s office that about 9,000 photos of licence plates had been obtained through a cyber attack on a U.S. third-party contractor in 2019.

Those from the Cornwall port of entry had been sent to the contractor for “troubleshooting.”

But the investigation found that up to 1.38 million licence plate image files from border points all across Canada, which included some duplicates, had been involved in the breach.

As for the Cornwall images that had been on the server from a backup of a former employee’s computer, there were 3,492 unique images after the duplicates were removed, according to the contractor’s analysis. Those ended up on the Dark Web. The data was from 2008.

“While the bad actors had access to approximately 1.4 million images that were on the contractor’s network at the time of the breach, approximately 11,000 were confirmed to have been posted on the Dark Web,” the report states.

The photos also included other information such as the home state or province of the licence plate and the time the vehicle crossed the border point.

The contractor’s investigators learned the attack happened through an “unpatched decommissioned server,” and the contractor only learned of the breach when its CEO received a ransom email.

The report was completed in May but tabled Thursday in Parliament as part of the commissioner’s annual report.

While the CBSA argued that licence plate data wasn’t personal information, the commissioner disagreed, saying the border agency didn’t take into account the other photographic metadata including time, date and location.

“We also observed that the CBSA specifically recognized licence plates as personal information in their Personal Information Bank, while contending the contrary in their representations in this investigation,” the report states.

Privacy commissioner Philippe Dufresne has made several recommendations to the CBSA, including clear instructions in its contract with third party contractors on holding, handling and destroying data, auditing of contractors and “(to) seek guarantees and confirmation from the contractor that any data retained more than three (3) months after it was provided to the company has been destroyed.”

The report noted that the Cornwall data was “at least 11 years old” and that the “breadth of the breach” was “exacerbated” by not having clear data retention limit rules.

The report shows the CBSA has complied with the recommendations since it was written.