
Posted in: Data Security/Privacy

Mar 13, 2018

Phishing Risk Deemed Sufficient in Alberta to Trigger “Real Risk Of Significant Harm” Threshold

By Steve J. Tenai

Since 2010, Alberta’s Personal Information Protection Act (“PIPA”) has required private sector organizations to notify the Office of the Information and Privacy Commissioner (“OIPC”) of a breach of personal information where a “reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.”

On February 28, 2018, Uber was ordered to notify its riders of a breach of rider data stored on a cloud-based server. The data included, among other things, a rider’s name, mobile number, email address, hashed and salted password, password change, user ID, unique and other identifiers, and user rating. Uber had been contacted by an individual who claimed he had accessed this user information. Uber confirmed the claim and paid the demanded ransom in exchange for the destruction of the data and assurances that it would not be further disseminated.

Uber had assessed the information to be non-sensitive and insufficient for identity theft or financial harm. It also considered that there was no real risk of significant harm from phishing as a result of the incident, because any potential harm from phishing results from the individual supplying personal information such as access codes and passwords, not from merely having received an email. OIPC reached a different conclusion.

Alberta’s Privacy Commissioner reasoned that individual names, mobile telephone numbers and email addresses of riders, when combined with profile information, could be used to send sophisticated, user-specific emails and text messages purportedly from Uber. Merely clicking on a link, without a user providing any additional information, could potentially cause significant harm such as activating malware. The Commissioner noted that despite individuals being increasingly aware of the possibility of receiving phishing emails and texts, incidents of phishing occur regularly. Further, as smartphones are one of the primary means to access Uber’s services, users may be particularly vulnerable to these types of harm.

No weight was given to Uber having received assurances from the hacker that the personal information would not be used or further disseminated. The fact that these assurances were given by individuals who deliberately accessed the information without authority, made ransom demands, and accepted payment of ransom weighed against trusting their assurances.

As Alberta’s breach notification threshold under PIPA aligns with that of Division 1.1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) (yet to come into force) and with that of the European Union’s General Data Protection Regulation (GDPR) (set to come into force in late May 2018), breach notification decisions from Alberta’s OIPC offer some guidance that may transcend that province.
