01 April 2024
Canada: OPC publish key takeaways from investigations into GCKey and CRA cyber breach
On March 28, 2024, the Office of the Privacy Commissioner (OPC) published its Privacy Act Bulletin, with key takeaways from its investigations into the 2020 cyber breach of Employment and Social Development Canada's GCKey authentication service and the Canada Revenue Agency (CRA) sign-in portal.
The OPC provided the following key takeaways after having looked at how attackers were able to infiltrate online services to access and modify individual accounts:
- ensure that privacy risks are thoroughly assessed and addressed for programs and services, especially when involving sensitive personal information;
- consider risks from malicious modification or submission of false personal information;
- determine the level of identity assurance that is needed and ensure that employees know how to assess it;
- conduct regular security assessments;
- monitor to detect potential breaches early;
- be prepared to take immediate corrective actions; and
- build strong structures to avoid silos in information sharing and decision-making.
You can read the Privacy Act Bulletin here.