P.E.I. data breach should cause concern but probably not alarm, says privacy lawyer
‘The reality is that these are happening increasingly’
Halifax-based privacy lawyer David Fraser says the recent malware attack and data breach on the P.E.I. government servers should cause concern, but probably not alarm.
The malware was discovered on the government's server network more than a week ago. Officials originally said they believed no personal information was affected, but on Monday issued a written news release to say the province had become aware a "small amount of data was moved from government of P.E.I. servers."
"I think people should be worried, quite properly — any incident that involves the disclosure or the release of personal information, particularly sensitive information, should cause some concern but probably should not cause alarm," privacy lawyer David Fraser told CBC News: Compass' Louise Martin via Skype.
"The reality is that these are happening increasingly," he said. "We're hearing about more and more data breaches across the country and actually around the world, and there's maybe some comfort in knowing you're not alone in this if your information was involved."
Fraser said that while it may be anxiety-producing to know your personal information may have been compromised, it doesn't guarantee that your identity will be stolen or used fraudulently.
To pay or not to pay
Tuesday, CBC News reported that P.E.I. government documents were surfacing online after the data breach. Some of the documents, which were viewed by CBC News, contained names and personal information of Islanders.
Officials with the province said they have not been in touch with the attackers and they will not be paying a ransom. They said the attack came from outside Canada.
Fraser said paying a demanded ransom is always going to be a judgment call.
Ransoms are typically demanded in two cases: to decrypt files that have been locked by the attackers, or to prevent the attackers from releasing stolen data.
On the website viewed by CBC News, it appears the attackers are demanding co-operation or they will release their "databases and private papers." Several sample documents are posted as "proof" of the 200 GB of information they claim to have.
Play it safe
Experts agree that there are steps people can take if they believe their data has been compromised or if they simply want to err on the side of caution. This includes changing passwords, monitoring your credit rating, and only opening files or websites from sources you trust.
"All different types of data can be really valuable and so we've all got to do our part to ensure that all that stuff is protected," said Andrew Godbout, professor of computer science at UPEI.
"What types of information about me are out there … as a general citizen those should be questions that we're kind of all monitoring."
Godbout says he was at the University of Calgary when they paid $20,000 to have their data restored after a 2016 ransomware attack.
"There's some cost-benefit that somebody would have went through and looked at and said 'you know if we go X number of days without our information versus paying some amount'," he said.
"We all know that the people who are out to do bad, they're getting smarter and better. You know, we've all gotten these emails where a few years ago you could spot them pretty easily. Nowadays, you know, they've got names of your co-workers."
Like Godbout, Fraser said people have to be vigilant with their data.
"All organizations, and frankly individuals, are always going to be vulnerable to these sorts of attacks. They usually take advantage of human nature," Fraser said.
The government of P.E.I. said the breach is still under investigation and they will continue to update Islanders as information becomes available.
With files from Compass and Jessica Doria-Brown