OPC reveals 25 million Canadian accounts exposed to privacy breaches last year

The Office of the Privacy Commissioner of Canada’s new report also reveals increased concern over AI tools.

More than twice as many accounts were affected by privacy breaches in the financial year 2023-2024, the Office of the Privacy Commissioner of Canada’s (OPC) new annual report shows. During the year, private-sector organizations reported 693 breaches to the OPC – affecting approximately 25 million Canadian accounts. That is more than double the 12 million accounts affected by 681 breaches the previous year.

Most breaches of the Personal Information Protection and Electronic Documents Act (PIPEDA) affected companies within the financial sector (25%), followed by telecommunications (17%). Third-party service providers, especially IT and software providers, were also targeted more frequently than before.

Of all the breaches, almost half (321) were reported as cyberattacks, an increase of 13% on the 278 cyberattacks in FY 2022-2023.

The OPC says that it is seeing an increase in both “the scale and complexity of breaches, as well as the increasingly sophisticated nature of threat actors, including state sanctioned ones and those emanating from organized crime.”

The OPC still fears that many breaches go unreported, especially by small and medium-sized enterprises that represent close to 90% of all business in Canada.

Graphic: Martina Lindberg

AI concerns

The report, Trust, innovation, and protecting the fundamental right to privacy in the digital age, also discloses increasing concern about AI developments. In 2023, 25% of Canadians believed that AI tools are bad for society – that figure has now risen to 32%. And 81% have privacy concerns about AI.

The majority, over 90%, also say that AI development should be guided by ethical principles, and 78% believe its use should be regulated.

Most organizations surveyed (91%) also declared that they need to do more to reassure customers on how their data is being processed with AI.

Decrease in complaints

During the year, the OPC also received a total of 1,113 complaints under the Privacy Act. That is a 10% decrease from 1,241 complaints the year before. More than half of the complaints (603) were ‘time-limits complaints’ – related to the length of time that institutions took to respond to personal information access requests.

Further details showed 30% related to the application of exemptions to withhold requested information or allegations of missing records, and 16% around allegations of unauthorized collection, use, and disclosure of personal information.

The OPC also received 561 privacy breach reports from federal institutions, where the majority related to loss or misplacement of records that contain personal information (68%). The second most common breach was unauthorized access (16%).

Just as in 2022-2023, most complaints were connected to the Royal Canadian Mounted Police (266), and the Correctional Service Canada (201). Immigration, Refugees and Citizenship Canada had the third most complaints (110), followed by the Canada Border Services Agency (103), and the Department of National Defence (78).

Top institutions by complaints accepted | Number
Royal Canadian Mounted Police | 266
Correctional Service Canada | 201
Immigration, Refugees and Citizenship Canada | 110
Canada Border Services Agency | 103
National Defence | 78
Canada Revenue Agency | 76
Employment and Social Development Canada | 32
Canadian Security Intelligence Service | 23
Global Affairs Canada | 21
Transport Canada | 20
Canada Post Corporation | 20

Three-year priorities

In January 2024, Privacy Commissioner Philippe Dufresne launched A roadmap for trust, innovation and protecting the fundamental right to privacy in the digital age – a strategic plan for the OPC for the upcoming three years. The OPC says that “these priorities focus on issues where the OPC can have the greatest impact, and where the greatest risks lie if they are not addressed”. These include:

  • protecting and promoting privacy with maximum impact;
  • addressing and advocating for privacy in this time of technological change; and
  • championing children’s rights.

“Personal information is increasingly sought after in the digital age and protecting privacy has become one of the paramount challenges of our time,” said Dufresne.

“Just as data is used to fuel innovation, innovation must also be used to protect data. As the world embraces the digital age and opportunities, we must ensure that it does so in a privacy-protective way.”