CBC privacy breach was bigger, broader than 1st announced

A mass email to CBC employees warning them their private information was at risk was issued May 16, at least nine days after the corporation knew about a major privacy breach, internal documents show. The incident followed six privacy breaches the year before, including the loss of a USB key.

Privacy breach in May followed 6 other incidents the previous year, including loss of USB key

A privacy breach at CBC/Radio-Canada was larger than initially reported, involving 23,675 employees, former employees, contractors and others, internal documents show.

The corporation said on May 16 — when it first announced the breach — that 20,008 people were affected. That's the number it reported to Daniel Therrien, the privacy commissioner of Canada.

But the corporation knew by at least May 11 that the actual total was larger, emails obtained under the Access to Information Act show.

A CBC spokesman, Douglas Chow, confirmed the larger number. "We also decided to send letters to incorporated outside contractors whose business information was potentially impacted and in the same spirit of transparency," he said.

Delay in notification?

The corporation said in a news release issued May 16 there had been a break-in at a secure CBC office, and computer equipment was stolen containing confidential information. RCMP and local law enforcement were notified immediately, security video footage was turned over and an arrest warrant was issued, CBC said at the time.

The CBC release did not identify the location, though RCMP have indicated the break-in was being investigated by Ottawa police. The release also did not say when the incident happened. Ottawa police did not respond to questions.

The internal emails show that CBC officials were already dealing with the breach as of May 7, nine days before the corporation issued a mass email to employees warning them about the incident.

Some letters of warning to employees, dated as early as May 7, were put in the mail, though those were not expected to arrive before the mass emails.

Chow defended the apparent delay, saying "we acted as quickly as possible" after calling police.

"We then determined what information and which individuals may be affected. Then we set up the proper support for notifying individuals and answering their questions," he said.

"As soon as these support measures were in place, we began informing individuals who could potentially be affected."

A confidential information sheet created by CBC officials sometime before May 7 suggests a strategic reason for the delay.

Under the heading "off the record as necessary," it says: "We have been cautioned that right now, it is important that we not indicate to the thief that they may have something of greater value than they realize."

The missing equipment has not been located or returned, though Chow said there's no evidence that anyone has accessed the confidential information, which was password-protected.

The stolen information included letters to employees, records of employment, year-end tax slips, SIN numbers, bank account numbers and pay levels for people who had worked with CBC over the previous 18 months.

Executive-level employees at CBC were not affected because their pay is administered by a separate system.

Not serious enough

CBC has budgeted $300,000 to pay Equifax, a credit-monitoring firm, to offer identity-theft and credit-fraud services to anyone affected by the breach. Employees and others have until Aug. 31 to sign up free for one year. (Monthly charges are normally $15.99.) The service includes up to $50,000 in identity-theft insurance.

The internal documents also show CBC suffered six privacy breaches in 2017-2018 — one of which involved the loss of a USB key containing confidential information, which has not been recovered. There were two breaches the year before, and just one in 2015-2016.

Chow said none of these earlier incidents was serious enough to report to the privacy commissioner, and the break-in incident is the only one recorded so far this fiscal year.

Tobi Cohen, a spokesperson for the federal privacy commissioner, said "we are still following up on this breach report."

"We have not received any complaints related to the breach … We have not received further information related to police actions."

Jonathan Spence, president of the CBC branch of the Canadian Media Guild, said the union is still waiting for answers to some of its questions about the incident.

Last year, Equifax reported a massive security breach of its own computers. It reported approximately 100,000 Canadians were affected by the breach, which may have allowed unauthorized people to access clients' names, addresses, social insurance numbers (SIN) and, in limited cases, credit card numbers.

Note: The writer is among the CBC employees who were notified of the privacy breach by email and letter.

ABOUT THE AUTHOR

Dean Beeby

Senior reporter, Parliamentary Bureau

Dean Beeby is a CBC journalist, author and specialist in freedom-of-information laws. Follow him on Twitter: @DeanBeeby