Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada Company CyberSecurity Posture
priv.gc.ca
The Privacy Commissioner of Canada is an Officer of Parliament, mandated to protect and promote privacy rights. The Office of the Privacy Commissioner (OPC) hosts a page on LinkedIn to communicate with people about future career opportunities at the OPC, to offer privacy tips and guidance to small businesses to increase their awareness of, and therefore compliance with, PIPEDA, and to share important announcements. Privacy notice: https://www.priv.gc.ca/en/privacy-and-transparency-at-the-opc/social-media-policies-notices/#_LinkedIn Comment policy: https://www.priv.gc.ca/en/privacy-and-transparency-at-the-opc/social-media-policies-notices/#_Comment About the OPC: https://www.priv.gc.ca/en/about-the-opc/ ********* Le commissaire à la protection de la vie privée du Canada est un haut fonctionnaire du Parlement qui a pour mandat de protéger le droit des personnes à la vie privée et d'en faire la promotion. Le Commissariat à la protection de la vie privée du Canada a créé une page sur LinkedIn pour faire connaître les possibilités de carrière au sein de l’organisation, offrir des conseils et des orientations en matière de protection de la vie privée aux petites entreprises pour accroître leur sensibilisation au droit à la vie privée et les aider à se conformer à la LPRPDE, ainsi que partager des annonces importantes. Avis de confidentialité : https://www.priv.gc.ca/fr/protection-de-la-vie-privee-et-transparence-au-commissariat/medias-sociaux-politiques-avis/#_LinkedIn Politiques relatives aux commentaires : https://www.priv.gc.ca/fr/protection-de-la-vie-privee-et-transparence-au-commissariat/medias-sociaux-politiques-avis/#_Comment À propos du Commissariat : https://www.priv.gc.ca/fr/a-propos-du-commissariat/
Company Details
office-of-the-privacy-commissioner-of-canada
173
36,993
92
priv.gc.ca
0
OFF_8741243
In-progress
OPCCLPDLVPDC Risk Score (AI oriented)Between 650 and 699
OPCCLPDLVPDC Global Score (TPRM)XXXX
Description: Canada Border Services Agency suffered a data breach incident after a contractor led to the unauthorised access of up to 1.38 million licence plates and related information. The investigation found that the contract lacked clauses with respect to security safeguards, including for the protection and retention of personal information. Bad actors were able to break into the third-party contractors’ systems through an unpatched and decommissioned server, where they were able to access, copy, and remove files from the network, before posting some of the data on the dark web. The breach exposed around 9,000 licence plate photos of travellers crossing into Canada from the border crossing in Cornwall, Ontario.
Description: Canada Revenue Agency logs 2,338 privacy breaches in just under 2 years. The personal, confidential information of over 80,000 individual Canadians held by the Canada Revenue Agency may have been accessed without authorization over the last 21 months. But only a handful affected a large number of Canadians.
Description: Several Canadian government websites and servers were targeted in a cyberattack by the hacking group Anonymous. The attack affected several websites for government services, including canada.ca, as well as the site of Canada’s spy agency, the Canadian Security Intelligence Service (CSIS). The attack was aimed to show their retaliation for a new anti-terrorism law passed by Canada’s politicians.
Description: The governments of Canada was exposed to the entire internet details of software bugs and security plans, as well as passwords for servers, official internet domains, conference calls, and an event-planning system by misconfiguring pages on Trello, a project management website. 25 Canadian government trello boards had sensitive information, such as remote file access, or FTP, credentials, and login details for the Eventbrite event-planning platform. The government of Canada said, Departments and agencies of the Government of Canada must apply adequate security controls to protect their users, information, and assets. Employees are being reminded of their obligation never to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service.
Description: A data breach at Tiffany & Co. is under investigation by the **Office of the Privacy Commissioner of Canada** after the company reported the incident. The breach, which occurred in **May** but was only discovered in **September**, has impacted Canadian and U.S. customers, though the exact number of affected accounts remains unclear. The privacy commissioner is reviewing Tiffany & Co.’s response to ensure adequate measures are taken to protect the compromised personal information of Canadians. A formal breach report was submitted to the **Maine attorney general**, indicating potential exposure of customer data. The nature of the breach suggests unauthorized access to personal information, though specific details—such as whether financial data, contact information, or other sensitive records were leaked—have not been disclosed. The incident is still under regulatory scrutiny, with authorities assessing compliance and next steps to mitigate risks for affected individuals.
Description: A significant data breach happened in the federal government after a device was stolen from Public Services and Procurement Canada. PSPC is Infrastructure Canada’s service provider for pay, pension and benefits. All 227 employees were affected are at Infrastructure Canada No banking or social insurance information was affected. Name, person record identifier (PRI), date of birth, home address and salary range may have been compromised.
Description: A device was stolen from Public Services and Procurement Canada. PSPC is Infrastructure Canada’s service provider for pay, pension and benefits. All 227 employees affected are at Infrastructure Canada. The device in question was stolen on Aug 20 and affected employees were informed on Sept 7. No banking or social insurance information was affected. Name, person record identifier (PRI), date of birth, home address and salary range have been compromised. Ottawa police have been made aware of the incident.
Description: Transport Canada experienced a cybersecurity incident involving a **local breach in a cloud-based software provider** used by the agency. While the breach was contained, it prompted a collaborative response with federal security partners, including law enforcement, to assess potential risks. The agency emphasized that **no direct impacts were reported on airport operations, safety, or security**, suggesting the breach did not compromise critical transportation systems or sensitive data. However, the incident raised concerns about operational efficiency and the need for proactive mitigation against future cyber threats. Transport Canada is actively working with air operators to strengthen defenses against similar incidents, whether cyber-related or otherwise, to ensure uninterrupted transportation safety and security. The breach appears to have been isolated, with no evidence of data theft, financial loss, or reputational damage beyond internal investigations and preventive measures.
Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada has 53.85% more incidents than the average of same-industry companies with at least one recorded incident.
Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada has 56.25% more incidents than the average of all companies with at least one recorded incident.
Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada reported 1 incidents this year: 0 cyber attacks, 0 ransomware, 0 vulnerabilities, 1 data breaches, compared to industry peers with at least 1 incident.
OPCCLPDLVPDC cyber incidents detection timeline including parent company and subsidiaries
The Privacy Commissioner of Canada is an Officer of Parliament, mandated to protect and promote privacy rights. The Office of the Privacy Commissioner (OPC) hosts a page on LinkedIn to communicate with people about future career opportunities at the OPC, to offer privacy tips and guidance to small businesses to increase their awareness of, and therefore compliance with, PIPEDA, and to share important announcements. Privacy notice: https://www.priv.gc.ca/en/privacy-and-transparency-at-the-opc/social-media-policies-notices/#_LinkedIn Comment policy: https://www.priv.gc.ca/en/privacy-and-transparency-at-the-opc/social-media-policies-notices/#_Comment About the OPC: https://www.priv.gc.ca/en/about-the-opc/ ********* Le commissaire à la protection de la vie privée du Canada est un haut fonctionnaire du Parlement qui a pour mandat de protéger le droit des personnes à la vie privée et d'en faire la promotion. Le Commissariat à la protection de la vie privée du Canada a créé une page sur LinkedIn pour faire connaître les possibilités de carrière au sein de l’organisation, offrir des conseils et des orientations en matière de protection de la vie privée aux petites entreprises pour accroître leur sensibilisation au droit à la vie privée et les aider à se conformer à la LPRPDE, ainsi que partager des annonces importantes. Avis de confidentialité : https://www.priv.gc.ca/fr/protection-de-la-vie-privee-et-transparence-au-commissariat/medias-sociaux-politiques-avis/#_LinkedIn Politiques relatives aux commentaires : https://www.priv.gc.ca/fr/protection-de-la-vie-privee-et-transparence-au-commissariat/medias-sociaux-politiques-avis/#_Comment À propos du Commissariat : https://www.priv.gc.ca/fr/a-propos-du-commissariat/
For more information about GAO, please visit www.gao.gov. General Information The U.S. Government Accountability Office (GAO) is an independent, nonpartisan agency that works for Congress. Often called the "congressional watchdog," GAO investigates how the federal government spends taxpayer dolla
We are the largest and most diverse organisation in our state. We have more than 90 government departments and organisations providing essential services across 4000+ locations—from the Torres Strait to the Gold Coast; Mount Isa to Brisbane. We are passionate about making Queensland better through
Bij UWV werken we aan een samenleving waarin iedereen mee kan doen. We helpen mensen op weg bij het vinden of behouden van werk. In geval van ziekte kijken we wat iemand nog wél kan. En als werken niet mogelijk is, zorgt UWV snel voor inkomen. We geven op deskundige en efficiënte wijze uitvoering a
OVERVIEW Framingham was incorporated as a town on June 25, 1700. Chapter 143 of the Acts of 1949 established the Town of Framingham Representative Town Government by Limited Town Meetings. The Citizens of Framingham adopted the Home Rule Charter for the City of Framingham at an election held on Ap
Region Västra Götaland is governed by democratically elected politicians and with just over 50,000 employees is one of Sweden’s biggest employers. It is tasked with offering good healthcare and dental care and providing the prerequisites for good public health, a rich cultural life, a good enviro
Travailler à l’Assurance Maladie, c’est donner une nouvelle dimension à votre métier et agir au quotidien pour la protection de notre système de santé. Participez à une grande diversité de projets dans un cadre bienveillant et soyez fier de contribuer à une mission essentielle : agir ensemble, prot
Cape Town, or the Mother City, is South Africa’s oldest city, its second-most populous and the legislative capital. It is made up of a diverse population, a rich history, world-famous tourist attractions and an exciting calendar of international and local events. More than 231 councillors and 26 22
Welcome to the official LinkedIn page for the Federal Emergency Management Agency (FEMA). When disaster strikes, America looks to FEMA to support survivors and first responders in communities all across the country. This page provides career related information, job announcements and relevant updat
The Government of Canada works on behalf of Canadians, both at home and abroad. Visit www.Canada.ca to learn more. Canada’s professional, non-partisan public service is among the best in the world, and many of its departments and agencies place in Canada’s Top 100 Employers year after year. If you
.png)
In August 2025, the Office of the Privacy Commissioner of Canada (OPC) issued new guidance for private-sector organizations deploying...
As remote working becomes the norm, employers are increasingly turning to biometric identification technologies such as fingerprint scanning...
2022-2023 Annual Report to Parliament on the Privacy Act and the Personal Information Protection and Electronic Documents Act...
2019-2020 Annual Report to Parliament on the Privacy Act and Personal Information Protection and Electronic Documents Act
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
The official website of Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is http://www.priv.gc.ca/.
According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada’s AI-generated cybersecurity score is 695, reflecting their Weak security posture.
According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is not certified under SOC 2 Type 1.
According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada does not hold a SOC 2 Type 2 certification.
According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is not listed as GDPR compliant.
According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada does not currently maintain PCI DSS compliance.
According to Rankiteo, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is not compliant with HIPAA regulations.
According to Rankiteo,Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada operates primarily in the Government Administration industry.
Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada employs approximately 173 people worldwide.
Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada presently has no subsidiaries across any sectors.
Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada’s official LinkedIn profile has approximately 36,993 followers.
Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada is classified under the NAICS code 92, which corresponds to Public Administration.
No, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada does not have a profile on Crunchbase.
Yes, Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/office-of-the-privacy-commissioner-of-canada.
As of November 27, 2025, Rankiteo reports that Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada has experienced 8 cybersecurity incidents.
Office of the Privacy Commissioner of Canada/Commissariat à la protection de la vie privée du Canada has an estimated 11,116 peer or competitor companies worldwide.
Incident Types: The types of cybersecurity incidents that have occurred include Data Leak, Breach and Cyber Attack.
Detection and Response: The company detects and responds to cybersecurity incidents through an law enforcement notified with ottawa police, and remediation measures with employees reminded of their obligation not to communicate or store sensitive information on trello boards or any other unauthorized digital tool or service., and and remediation measures with under review by the office of the privacy commissioner of canada, and and third party assistance with federal security partners, and and remediation measures with collaboration with air operators to mitigate consequences..
Title: Cyberattack on Canadian Government Websites
Description: Several Canadian government websites and servers were targeted in a cyberattack by the hacking group Anonymous. The attack affected several websites for government services, including canada.ca, as well as the site of Canada’s spy agency, the Canadian Security Intelligence Service (CSIS). The attack was aimed to show their retaliation for a new anti-terrorism law passed by Canada’s politicians.
Type: Cyberattack
Threat Actor: Anonymous
Motivation: Retaliation for a new anti-terrorism law
Title: Canada Revenue Agency Privacy Breaches
Description: The personal, confidential information of over 80,000 individual Canadians held by the Canada Revenue Agency may have been accessed without authorization over the last 21 months.
Type: Data Breach
Title: Device Theft at Public Services and Procurement Canada
Description: A device was stolen from Public Services and Procurement Canada, compromising personal information of 227 employees at Infrastructure Canada.
Date Detected: 2023-08-20
Date Publicly Disclosed: 2023-09-07
Type: Data Breach
Attack Vector: Physical Theft
Title: Data Breach at Infrastructure Canada
Description: A significant data breach happened in the federal government after a device was stolen from Public Services and Procurement Canada (PSPC). PSPC is Infrastructure Canada’s service provider for pay, pension, and benefits. All 227 employees were affected at Infrastructure Canada. No banking or social insurance information was affected. Name, person record identifier (PRI), date of birth, home address, and salary range may have been compromised.
Type: Data Breach
Attack Vector: Device Theft
Title: Canadian Government Data Exposure via Trello
Description: The government of Canada exposed sensitive information including software bugs, security plans, server passwords, official internet domains, conference calls, and event-planning system details due to misconfigured Trello boards.
Type: Data Exposure
Attack Vector: Misconfiguration
Vulnerability Exploited: Misconfigured third-party service
Title: Canada Border Services Agency Data Breach
Description: Canada Border Services Agency suffered a data breach incident after a contractor led to the unauthorised access of up to 1.38 million licence plates and related information.
Type: Data Breach
Attack Vector: Unpatched and decommissioned server
Vulnerability Exploited: Lack of security safeguards in the contract
Threat Actor: Unspecified bad actors
Title: Data Breach at Tiffany & Co.
Description: A data breach at Tiffany & Co. is under review by the Office of the Privacy Commissioner of Canada (OPC). The OPC is ensuring the jewelry company is taking adequate steps to address the breach and protect the personal information of Canadians. The breach was reported to the OPC, and a letter filed with the Maine attorney general indicates it occurred in May 2025 and was discovered in September 2025. The breach also appears to have affected the United States, though the number of impacted Canadian accounts remains unclear.
Date Detected: 2025-09
Date Publicly Disclosed: 2025-09-17
Type: Data Breach
Title: None
Description: A cyber incident involving a breach at a cloud-based software provider impacted Transport Canada. The agency is working with federal security partners, including law enforcement, to ensure no impacts on airport operations' safety and security. Mitigation efforts are underway to prevent future disruptions.
Type: Cyber Breach (Third-Party Cloud Provider)
Common Attack Types: The most common types of attacks the company has faced is Breach.
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Unpatched and decommissioned server.
Systems Affected: canada.caCSIS website
Data Compromised: Personal, Confidential
Data Compromised: Name, Person record identifier (pri), Date of birth, Home address, Salary range
Data Compromised: Name, Person record identifier (pri), Date of birth, Home address, Salary range
Data Compromised: Software bugs, Security plans, Server passwords, Official internet domains, Conference calls, Event-planning system details
Systems Affected: Trello boards
Data Compromised: Licence plates, Related information
Brand Reputation Impact: Potential (under review)
Legal Liabilities: Under review by the Office of the Privacy Commissioner of Canada and Maine attorney general
Identity Theft Risk: Potential (personal information of Canadians affected)
Systems Affected: Cloud-based software provider (third-party)
Operational Impact: Potential disruption to transportation safety, security, and operational efficiency (mitigated)
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal, Confidential, , Personal Information, , Name, Person Record Identifier (Pri), Date Of Birth, Home Address, Salary Range, , Software Bugs, Security Plans, Server Passwords, Official Internet Domains, Conference Calls, Event-Planning System Details, , Licence Plates, Related Information, and Personal information (details unspecified).
Entity Name: Canadian Government
Entity Type: Government
Industry: Public Sector
Location: Canada
Entity Name: Canada Revenue Agency
Entity Type: Government
Industry: Public Sector
Location: Canada
Customers Affected: 80000
Entity Name: Infrastructure Canada
Entity Type: Government Agency
Industry: Public Services
Location: Canada
Size: 227 employees affected
Entity Name: Infrastructure Canada
Entity Type: Government Agency
Industry: Government
Size: 227 employees
Entity Name: Government of Canada
Entity Type: Government
Industry: Public Sector
Location: Canada
Entity Name: Canada Border Services Agency
Entity Type: Government Agency
Industry: Government
Location: Canada
Entity Name: Tiffany & Co.
Entity Type: Corporation
Industry: Luxury Jewelry/Retail
Location: CanadaUnited States
Entity Name: Transport Canada
Entity Type: Government Agency
Industry: Transportation / Aviation
Location: Canada
Entity Type: Cloud-Based Software Provider
Industry: Technology / Cloud Services
Law Enforcement Notified: Ottawa Police
Remediation Measures: Employees reminded of their obligation not to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service.
Incident Response Plan Activated: True
Remediation Measures: Under review by the Office of the Privacy Commissioner of Canada
Incident Response Plan Activated: True
Third Party Assistance: Federal Security Partners.
Remediation Measures: Collaboration with air operators to mitigate consequences
Third-Party Assistance: The company involves third-party assistance in incident response through Federal security partners, .
Type of Data Compromised: Personal, Confidential
Number of Records Exposed: 80000
Sensitivity of Data: High
Type of Data Compromised: Personal information
Number of Records Exposed: 227
Sensitivity of Data: Medium
Personally Identifiable Information: NamePerson Record Identifier (PRI)Date of BirthHome AddressSalary Range
Type of Data Compromised: Name, Person record identifier (pri), Date of birth, Home address, Salary range
Number of Records Exposed: 227
Sensitivity of Data: High
Personally Identifiable Information: NamePerson Record Identifier (PRI)Date of BirthHome Address
Type of Data Compromised: Software bugs, Security plans, Server passwords, Official internet domains, Conference calls, Event-planning system details
Sensitivity of Data: High
Type of Data Compromised: Licence plates, Related information
Number of Records Exposed: 1.38 million
Data Exfiltration: Yes
Personally Identifiable Information: Licence plate photos
Type of Data Compromised: Personal information (details unspecified)
Sensitivity of Data: High (personal information)
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Employees reminded of their obligation not to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service., , Under review by the Office of the Privacy Commissioner of Canada, Collaboration with air operators to mitigate consequences.
Legal Actions: Under review by the Office of the Privacy Commissioner of Canada and Maine attorney general
Regulatory Notifications: Office of the Privacy Commissioner of CanadaMaine attorney general
Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Under review by the Office of the Privacy Commissioner of Canada and Maine attorney general.
Lessons Learned: Importance of applying adequate security controls to protect information and assets, and the need to avoid using unauthorized digital tools for sensitive information.
Lessons Learned: Ensure contracts include security safeguards for the protection and retention of personal information.
Recommendations: Ensure that all employees are trained on proper handling of sensitive information and that only authorized tools are used for communication and storage.
Key Lessons Learned: The key lessons learned from past incidents are Importance of applying adequate security controls to protect information and assets, and the need to avoid using unauthorized digital tools for sensitive information.Ensure contracts include security safeguards for the protection and retention of personal information.
Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Ensure that all employees are trained on proper handling of sensitive information and that only authorized tools are used for communication and storage..
Source: Public Disclosure
Source: Office of the Privacy Commissioner of Canada (OPC) Breach Report
Source: Maine Attorney General Breach Letter
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Public Disclosure, and Source: The Canadian PressDate Accessed: 2025-09-17, and Source: Winnipeg Free PressDate Accessed: 2025-09-17, and Source: Office of the Privacy Commissioner of Canada (OPC) Breach Report, and Source: Maine Attorney General Breach Letter.
Investigation Status: Under review by the Office of the Privacy Commissioner of Canada
Investigation Status: Ongoing (collaboration with federal security partners and law enforcement)
Stakeholder Advisories: Transport Canada is working with air operators to mitigate potential consequences.
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: was Transport Canada is working with air operators to mitigate potential consequences..
Entry Point: Unpatched and decommissioned server
Root Causes: Misconfiguration of Trello boards leading to exposure of sensitive information.
Corrective Actions: Remind employees of their obligation not to communicate or store sensitive information on unauthorized digital tools.
Root Causes: Lack of security safeguards in the contract; Unpatched and decommissioned server
Corrective Actions: Mitigation efforts to prevent similar incidents in the future
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Federal Security Partners, .
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Remind employees of their obligation not to communicate or store sensitive information on unauthorized digital tools., Mitigation efforts to prevent similar incidents in the future.
Last Attacking Group: The attacking group in the last incident were an Anonymous and Unspecified bad actors.
Most Recent Incident Detected: The most recent incident detected was on 2023-08-20.
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-09-17.
Most Significant Data Compromised: The most significant data compromised in an incident were Personal, Confidential, , Name, Person Record Identifier (PRI), Date of Birth, Home Address, Salary Range, , Name, Person Record Identifier (PRI), Date of Birth, Home Address, Salary Range, , software bugs, security plans, server passwords, official internet domains, conference calls, event-planning system details, , Licence plates, Related information, and .
Most Significant System Affected: The most significant system affected in an incident was canada.caCSIS website and Trello boards and Cloud-based software provider (third-party).
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was federal security partners, .
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Name, Person Record Identifier (PRI), security plans, conference calls, Licence plates, Confidential, Related information, software bugs, official internet domains, Personal, Home Address, Salary Range, event-planning system details, server passwords and Date of Birth.
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 1.4M.
Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Under review by the Office of the Privacy Commissioner of Canada and Maine attorney general.
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Importance of applying adequate security controls to protect information and assets, and the need to avoid using unauthorized digital tools for sensitive information., Ensure contracts include security safeguards for the protection and retention of personal information.
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Ensure that all employees are trained on proper handling of sensitive information and that only authorized tools are used for communication and storage..
Most Recent Source: The most recent source of information about an incident are Winnipeg Free Press, The Canadian Press, Public Disclosure, Office of the Privacy Commissioner of Canada (OPC) Breach Report and Maine Attorney General Breach Letter.
Current Status of Most Recent Investigation: The current status of the most recent investigation is Under review by the Office of the Privacy Commissioner of Canada.
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Transport Canada is working with air operators to mitigate potential consequences., .
Most Recent Entry Point: The most recent entry point used by an initial access broker was an Unpatched and decommissioned server.
Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Misconfiguration of Trello boards leading to exposure of sensitive information., Lack of security safeguards in the contract; Unpatched and decommissioned server.
Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Remind employees of their obligation not to communicate or store sensitive information on unauthorized digital tools., Mitigation efforts to prevent similar incidents in the future.
.png)
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.
Get company history
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rapid