Phishing Risk Deemed Sufficient in Alberta to Trigger “Real Risk Of Significant Harm” Threshold
Since 2010, Alberta’s Personal Information Protection Act (“PIPA”) has required private sector organizations to notify the Office of the Information and Privacy Commissioner (“OIPC”) of a breach of personal information where a “reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.”
On February 28, 2018, Uber was ordered to notify its riders of a breach of rider data stored on a cloud-based server. The data included, among other things, a rider’s name, mobile number, email address, hashed and salted password, password change, user ID, unique and other identifiers, and user rating. Uber had been contacted by an individual who claimed he had accessed this user information; Uber confirmed the claim and paid the demanded ransom in exchange for the destruction of the data and assurances that it would not be further disseminated.
Uber had assessed the information as not sensitive and as insufficient to enable identity theft or financial harm. It also took the position that the incident created no real risk of significant harm from phishing, reasoning that any harm from phishing results from an individual supplying personal information such as access codes and passwords, not from merely receiving an email. OIPC reached a different conclusion.
Alberta’s Privacy Commissioner reasoned that the names, mobile telephone numbers and email addresses of riders, when combined with profile information, could be used to send sophisticated, user-specific emails and text messages purporting to come from Uber. Merely clicking on a link, without the user providing any additional information, could cause significant harm, such as activating malware. The Commissioner noted that although individuals are increasingly aware of the possibility of receiving phishing emails and texts, incidents of phishing occur regularly. Further, as smartphones are one of the primary means of accessing Uber’s services, users may be particularly vulnerable to these types of harm.
No weight was given to the assurances Uber had received from the hacker that the personal information would not be used or further disseminated. That these assurances came from individuals who had deliberately accessed the information without authority, made ransom demands, and accepted payment of the ransom weighed against trusting them.
As Alberta’s breach notification threshold under PIPA aligns with the thresholds under Division 1.1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) (yet to come into force) and under the European Union’s General Data Protection Regulation (GDPR) (set to come into force in late May 2018), breach notification decisions from Alberta’s OIPC offer guidance that may apply beyond that province.