MR21-00090

Collection
Access to Information Orders
Date
File Numbers
MR21-00090
Adjudicators
John Gayle
Decision Type
Privacy Complaint Report
Applicable Legislation
MFIPPA - 2(1)
MFIPPA - 31
General, RRO 1990, Reg 823 - s. 3(1)
PHIPA - 2 (definitions)
General R.R.O. 1990, Reg. 460 - c. F.31

The Sault Ste. Marie Police Services (the police) reported to the Office of the Information and Privacy Commissioner of Ontario that their network servers were infected with ransomware and that, as a result, records of personal information stored on data drives on the servers were encrypted.

In response, the police took steps to contain, investigate and remediate the ransomware attack and to inform local residents about it. However, the police did not believe that the attack resulted in a privacy breach because their investigation determined that the information was encrypted in place, and was neither obtained nor exfiltrated by the threat actor.

In this report, I find that the threat actor’s encryption of the data drives affected the personal information stored on them by making this information inaccessible to the police. I also find that the ransomware attack resulted in an unauthorized use of personal information and, therefore, a privacy breach under the Municipal Freedom of Information and Protection of Privacy Act.

I am satisfied with the steps taken by the police to contain the breach. Although the police informed the public of the breach through a press release issued at the time of the ransomware attack, I find that there would be no useful purpose in deciding whether they should renotify affected individuals given the passage of time since the breach. I am not entirely satisfied with the police’s investigative and remedial steps because they have not reviewed their policies and practices in protecting personal information. As such, I find that the police have not responded adequately to the breach and recommend that they conduct this review.

Further, it appears that the police understand the nature of their information holdings, the threats posed by ransomware attacks and the steps required to mitigate these attacks. However, despite requests, the police did not provide this office with materials relating to their privacy training practices and, therefore, I could not evaluate the reasonableness of these practices, which are important for reducing the risk of a threat actor gaining unauthorized access to an institution’s records. Because of this, I am not satisfied that the police have reasonable measures in place to prevent unauthorized access to records as required by section 3(1) of Regulation 823 under MFIPPA (security of records) and recommend that they ensure that their training materials comply with this section.