Cybersecurity experts are warning of “significant” data privacy risks after a Vancouver rape crisis centre told clients and donors a computer server containing their sensitive personal information and banking details was stolen from its office last month.
The Dec. 3 break-in at Salal Sexual Violence Support Centre’s new downtown office is under investigation, Vancouver police confirmed in an email to CBC News on Friday, and at least one woman who sought counselling at Salal says she is planning to file a complaint with B.C.’s privacy watchdog over the breach.
In a Dec. 23 email obtained by CBC News, executive director Dalya Israel told Salal clients that a backup server with their waitlist and contact information was among the items stolen from the office, which is currently being renovated.
“It is possible that your name, email address, telephone numbers, and notes about safety risks or what services you have requested could be released, sold and shared publicly,” Israel wrote.
However, clients’ individual files, case notes and medical information were not compromised because they are held on an encrypted third-party platform, she said.
The stolen server also contained donor bank account details and pictures of cheques — including names, addresses, and phone numbers — according to a separate email to donors obtained by CBC News.
Credit card and debit card information from online donations is stored on an encrypted third-party platform and remains safe, Israel said.
“This was not a data ‘hack,'” read her email. “We do not believe that this break-in was targeted to destabilize Salal SVSC or the survivors that we serve.”
Salal, a non-profit formerly called WAVAW Rape Crisis Centre, responded to 4,769 crisis calls and provided 1,304 individual counselling sessions between April 2021 and March 2022, according to its most recent annual report.
During that same time, it received more than $510,000 in donations from 3,454 individual donors, the report said.
Israel said Salal believes the risk of data being stolen or misused is low because accessing the data “requires sophisticated” IT knowledge, adding that an independent privacy impact assessment estimated the risk as moderate.
“We are of course very concerned with any possible data breach … and we are doing everything we can to make sure that this cannot happen again,” Israel wrote.
However it is still unclear how many people’s data may have been compromised or how vulnerable it may be.
Israel declined an interview request from CBC News on Friday.
In an emailed statement on Sunday, she declined to answer questions about how the stolen data was stored “to protect the integrity of the investigation and information on the hardware.”
Israel says the theft has been “devastating” for Salal, and in her emails she noted the potential breach could be distressing or triggering for clients and donors.
“Our deepest commitment is to survivors and our community, and we know this has and will have a significant impact on them,” she wrote to CBC News.
Theft poses ‘significant’ risks: experts
Two cybersecurity experts say while it is good that Salal informed clients and donors of the breach, the centre seems to be downplaying the “significant” safety, financial and privacy risks the theft poses, potentially to thousands of people.
It appears Salal did not take basic steps to protect some of the sensitive data its work requires, said Ali Dehghantanha, Canada Research Chair in cybersecurity and threat intelligence at the University of Guelph.
If the data is not encrypted, it would be easy “for anyone to get access to this information,” he said.
“I would not consider this as a low risk.”
David Jao, a professor and member of the Cybersecurity and Privacy Institute at the University of Waterloo, says it’s easy to sell the stolen hardware to someone who can gain access and use the data to drain bank accounts, commit fraud or conduct phishing scams.
“It’s hard to recall data once it’s in bad hands,” Jao said, noting any high-profile donors on the server could be prime targets.
The nature of Salal’s work may also put clients’ physical and mental safety at risk, Dehghantanha added.
“The very fact that you are a client of the centre is something private and sensitive for many people,” he said.
One woman who says she is on Salal’s waitlist for counselling told CBC News she is planning to file a complaint with the Office of the Information and Privacy Commissioner for B.C. (OIPC). CBC News agreed not to name her for privacy reasons.
The OIPC declined to confirm if Salal had reported the theft or whether it is investigating any complaints about Salal, citing confidentiality in a Friday statement to CBC News.
“Organizations are strongly encouraged to report privacy breaches [to] the OIPC where there is a risk of significant harm to individuals,” a spokesperson wrote, noting the watchdog has a list of resources for victims of privacy breaches and identity theft.
Encryption not enough
Jao and Dehghantanha say this breach should be a wake-up call for Salal and other organizations working with vulnerable people to be proactive about data security.
Israel said the centre has migrated its backup server to an encrypted cloud server and will be adding further “layers of safety” to its usual server, along with increased cameras and metal door guards in its new office.
Encryption and physical protection are good first steps, said Jao, but ideally the data should be divided up as well to minimize the impact of a potential breach.
“You should have multiple backups, and those backups should be completely separate and encrypted,” said Jao.
Organizations also need to think twice about how much information they collect in the first place, he said, and clients should be wary of giving out personal details like birthdays without a good reason.
Dehghantanha said Salal clients and donors should change their passwords, activate two-factor authentication and report suspicious activity on their banking and personal accounts, while Jao stressed that donating online with a credit card is much more secure than using cheques.
Dehghantanha also encouraged those impacted to file complaints with the OIPC to have some recourse if their data is indeed used against them.
