‘Shocking’ Security Gaps Exposed in Federal Departments: Watchdog

Investigations into numerous federal departments have uncovered severe security flaws, putting the privacy of Canadians at risk. The Privacy Commissioner of Canada (OPC) has brought to light these alarming issues in two reports to Parliament, focusing on privacy breaches at Employment and Social Development Canada (ESDC), the Canada Revenue Agency (CRA), and the Royal Canadian Mounted Police’s (RCMP) surveillance tactics.

A cyberattack in 2020 on the CRA and ESDC allowed hackers to steal sensitive information and fraudulently claim COVID-19 benefits. This breach affected tens of thousands of Canadians, leading to fraud and identity theft on a massive scale. Privacy Commissioner Philippe Dufresne did not hold back, stating, “It’s shocking that federal agencies, which should be fortresses protecting our personal information, have such glaring security gaps.”

The investigations pinpointed that the breaches were made possible by significant weaknesses in the security systems of ESDC and the CRA. Hackers used stolen login details to access and manipulate accounts, causing financial loss, credit score damage, and huge amounts of stress for affected Canadians.

Moreover, the OPC criticized the RCMP for its use of third-party surveillance without proper privacy checks, particularly highlighting the contract with Babel Street, a U.S. company known for its Babel X service. This lack of due diligence in vetting external services for privacy compliance is deeply troubling. “Ensuring the privacy of Canadians should be a top priority, and it’s shocking to see such lapses in vigilance,” said Dufresne.

The findings reveal a disturbing underestimation of the security needed for online services and a slow response to breaches, blamed on poor security assessments and a lack of coordination among departments. It’s literally government bloat on display here, with the discovery of these major security lapses.

Following the OPC’s recommendations, all departments have pledged to tighten their security protocols. The RCMP did not commit to the recommendations by the end of the investigation, however.