Vancouver rape crisis centre’s data was hacked
January 3, 2024
VANCOUVER – Salal Sexual Violence Support Centre told clients and donors a backup server containing their personal information was stolen from its new office on Dec. 3. Police say they are investigating the theft.
Two cybersecurity experts told CBC News that while it is good Salal informed clients and donors of the breach, the centre seems to be downplaying the “significant” safety, financial and privacy risks the theft poses, potentially to thousands of people.
It appears Salal did not take basic steps to protect some of the sensitive data its work requires, said Ali Dehghantanha, Canada Research Chair in cybersecurity and threat intelligence at the University of Guelph.
If the data is not encrypted, it would be easy “for anyone to get access to this information,” he said. “I would not consider this as a low risk.”
David Jao, a professor and member of the Cybersecurity and Privacy Institute at the University of Waterloo, says it’s easy to sell the stolen hardware to someone who can gain access and use the data to drain bank accounts, commit fraud or conduct phishing scams.
“It’s hard to recall data once it’s in bad hands,” Jao said, noting any high-profile donors on the server could be prime targets.
The nature of Salal’s work may also put clients’ physical and mental safety at risk, Dehghantanha added.
“The very fact that you are a client of the centre is something private and sensitive for many people,” he said.
One woman who says she is on Salal’s waitlist for counselling told CBC News she is planning to file a complaint with the Office of the Information and Privacy Commissioner for B.C. (OIPC).
In a Friday statement to CBC News, the OIPC cited confidentiality in declining to confirm whether Salal had reported the theft or whether it is investigating any complaints about the centre.
“Organizations are strongly encouraged to report privacy breaches [to] the OIPC where there is a risk of significant harm to individuals,” a spokesperson wrote, noting the watchdog has a list of resources for victims of privacy breaches and identity theft.
Jao and Dehghantanha say this breach should be a wake-up call for Salal and other organizations working with vulnerable people to be proactive about data security.
Israel said the centre has migrated its backup server to an encrypted cloud server and will be adding further “layers of safety” to its usual server, along with increased cameras and metal door guards in its new office.
Encryption and physical protection are good first steps, said Jao, but ideally the data should be divided up as well to minimize the impact of a potential breach.
“You should have multiple backups, and those backups should be completely separate and encrypted,” said Jao.
Organizations also need to think twice about how much information they collect in the first place, he said, and clients should be wary of giving out personal details like birthdays without a good reason.
Dehghantanha said Salal clients and donors should change their passwords, activate two-factor authentication and report suspicious activity on their banking and personal accounts, while Jao stressed that donating online with a credit card is much more secure than using cheques.
Dehghantanha also encouraged those impacted to file complaints with the OIPC to have some recourse if their data is indeed used against them.