Theft of Vancouver rape crisis centre server containing sensitive data raises privacy concerns CBC News
pCybersecurity experts are warning of significant data privacy risks after a Vancouver rape crisis centre told clients and donors a computer server containing their sensitive personal information and banking details was stolen from its office last monthppThe Dec 3 breakin at Salal Sexual Violence Support Centres new office is under investigation Vancouver police confirmed in an email to CBC News on Friday and at least one woman who sought counselling at Salal says she is planning to file a complaint with BCs privacy watchdog over the breachppIn a Dec 23 email obtained by CBC News executive director Dalya Israel told Salal clients that a backup server with their waitlist and contact information was among the items stolen from the office which is currently being renovatedppIt is possible that your name email address telephone numbers and notes about safety risks or what services you have requested could be released sold and shared publicly Israel wroteppHowever clients individual files case notes and medical information were not compromised because they are held on an encrypted thirdparty platform she saidppThe stolen server also contained donor bank account details and pictures of cheques including names addresses and phone numbers according to a separate email to donors obtained by CBC NewsppCredit card and debit card information from online donations is stored on an encrypted thirdparty platform and remains safe Israel saidppThis was not a data hack read her email We do not believe that this breakin was targeted to destabilize Salal SVSC or the survivors that we serveppSalal a nonprofit formerly called WAVAW Rape Crisis Centre responded to 4769 crisis calls and provided 1304 individual counselling sessions between April 2021 and March 2022 according to its most recent annual reportppDuring that same time it received more than 510000 in donations from 3454 individual donors the report saidppIsrael said Salal believes the risk of data being stolen or misused is low because accessing the data requires sophisticated IT knowledge adding that an independent privacy impact assessment estimated the risk as moderate ppWe are of course very concerned with any possible data breach and we are doing everything we can to make sure that this cannot happen again Israel wroteppHowever it is still unclear how many peoples data may have been compromised or how vulnerable it may beppIsrael declined an interview request from CBC News on FridayppIn an emailed statement on Sunday she declined to answer questions about how the stolen data was stored to protect the integrity of the investigation and information on the hardwareppIsrael says the theft has been devastating for Salal and in her emails she noted the potential breach could be distressing or triggering for clients and donorsppOur deepest commitment is to survivors and our community and we know this has and will have a significant impact on them she wrote to CBC NewsppTwo cybersecurity experts say while it is good that Salal informed clients and donors of the breach the centre seems to be downplaying the significant safety financial and privacy risks the theft poses potentially to thousands of peopleppIt appears Salal did not take basic steps to protect some of the sensitive data its work requires said Ali Dehghantanha Canada Research Chair in cybersecurity and threat intelligence at the University of GuelphppIf the data is not encrypted it would be easy for anyone to get access to this information he saidppI would not consider this as a low riskppDavid Jao a professor and member of the Cybersecurity and Privacy Institute at the University of Waterloo says its easy to sell the stolen hardware to someone who can gain access and use the data to drain bank accounts commit fraud or conduct phishing scamsppIts hard to recall data once its in bad hands Jao said noting any highprofile donors on the server could be prime targetsppThe nature of Salals work may also put clients physical and mental safety at risk Dehghantanha addedppThe very fact that you are a client of the centre is something private and sensitive for many people he saidppOne woman who says she is on Salals waitlist for counselling told CBC News she is planning to file a complaint with the Office of the Information and Privacy Commissioner for BC OIPC CBC News agreed not to name her for privacy reasonsppThe OIPC declined to confirm if Salal had reported the theft or whether it is investigating any complaints about Salal citing confidentiality in a Friday statement to CBC NewsppOrganizations are strongly encouraged to report privacy breaches to the OIPC where there is a risk of significant harm to individuals a spokesperson wrote noting the watchdog has a list of resources for victims of privacy breaches and identity theftppJao and Dehghantanha say this breach should be a wakeup call for Salal and other organizations working with vulnerable people to be proactive about data securityppIsrael said the centre has migrated its backup server to an encrypted cloud server and will be adding further layers of safety to its usual server along with increased cameras and metal door guards in its new officeppEncryption and physical protection are good first steps said Jao but ideally the data should be divided up as well to minimize the impact of a potential breachppYou should have multiple backups and those backups should be completely separate and encrypted said JaoppOrganizations also need to think twice about how much information they collect in the first place he said and clients should be wary of giving out personal details like birthdays without a good reasonppDehghantanha said Salal clients and donors should change their passwords activate twofactor authentication and report suspicious activity on their banking and personal accounts while Jao stressed that donating online with a credit card is much more secure than using chequesppDehghantanha also encouraged those impacted to file complaints with the OIPC to have some recourse if their data is indeed used against themppFor anyone who has been sexually assaulted there is support available through crisis lines and local support services via this Government of Canada website or the Ending Violence Association of Canada database If youre in immediate danger or fear for your safety or that of others around you please call 911 ppAudience Relations CBC PO Box 500 Station A Toronto ON Canada M5W 1E6 ppTollfree Canada only 18663064636ppIt is a priority for CBC to create products that are accessible to all in Canada including people with visual hearing motor and cognitive challengesppClosed Captioning and Described Video is available for many CBC shows offered on CBC Gemppp