Unauthorized entry into private information of 2 people identified
LAURIE WEIR
An email breach has prompted cybersecurity experts to launch an investigation at a children’s agency.
When asked about the incident at Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG) by this publication on Feb. 14, Erin Lee Marcotte, the agency’s executive director, responded late that afternoon.
She said it was Nov. 14 last year at FCSLLG when an unauthorized third-party gained entry to an employee’s email account, getting access to private information.
“In response, we immediately engaged a team of third-party cybersecurity experts to investigate the incident,” Marcotte wrote. “The investigation has concluded and determined that certain personal information belonging to two individuals was accessed by the unauthorized third party and those individuals were notified immediately.”
Although the investigation did not identify any evidence that any other individuals were impacted, Marcotte said “out of an abundance of caution, between January and February, 2024 FCSLLG notified individuals whose information may have been impacted as a result of this incident.”
This incident has also been reported to the Information and Privacy Commissioner of Ontario (IPC), she noted.
“FCSLLG takes privacy and security seriously and is continuously evaluating and strengthening its security safeguards to better prevent incidents of this nature from occurring,” Marcotte wrote.
It was in 2016 when a person charged for “hacking” the children services website through a “private portal” that didn’t have a firewall, or any type of security. Charges were laid by the Smiths Falls Police Service, and after a four-year court battle, all charges were dropped. The judge in the case ruled that the information was in fact, publicly available, and the person charged did not identify any children involved in court proceedings.
When Marcotte was asked in a follow-up email what security measures were put in place following the previous incident, or how a third-party would access an employee email, a response has not yet been received.
According to the IPC, a privacy breach occurs when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws. All public sector organizations, health information custodians, children’s aid societies and other child and family service providers should have a privacy breach response plan. Under Ontario’s access and privacy laws, child and family service providers and health information custodians are required to report certain privacy breaches to the IPC.