NL privacy commissioner looking into city website's data breach

NL privacy commissioner looking into city website's data breach | Insurance Business


The privacy commissioner of Newfoundland & Labrador is looking into the recent data breach of a city’s website – one that potentially affects tens of thousands of people.

On Tuesday, the city of Corner Brook reported that private information on its website was accessed by four different unauthorized users. The users managed to access the directory of the website – which contained information used in a previous voters’ list, such as names, addresses, and dates of birth – despite the directory being normally inaccessible through the website’s links.

The breach exposed the information of some 10,000 people. City officials said that while they can confirm that unknown actors accessed the directory, they do not know if the personal information itself was viewed.

An analyst with NL’s privacy commissioner is looking into the report of the breach, and will also help the city determine its next steps in handling the situation.

“We have the breach notification, and one of our analysts is reviewing it now and we may very well be going back to the city with some further questions,” Office of the Information and Privacy Commissioner director of research and quality assurance Sean Murray told CBC News.

“But what happens from there, I think it’s too early to tell.”

According to Murray, when a breach is reported to the privacy commissioner, the affected body is asked to describe the breach, explain what it has done to make sure it does not suffer the same thing again, and explain how it plans to notify those affected by the incident. Afterwards, the office will decide if it needs more information.

“We may then assess whether the public body has adequately addressed the situation or whether there may be further steps warranted,” he explained.

The office will additionally investigate whether there was malice involved in the unauthorized data access. The findings of the investigation will determine whether law enforcement needs to be involved, but Murray said that this is rare in breaches of this nature.