The Edmontonians were able to see the personal data of other Brinks customers through their home security system — for months

Andrew Kopp is having trouble with the door sensor on his new Brinks home security system.

The Edmontonian—a systems architect for a telecommunications company and self-proclaimed gadget enthusiast—had added a bit of home security when, in October 2021, he signed a 36-month contract for the Brinks system.

But things took a strange turn when he called tech support to troubleshoot the tilting door sensor.

He told Go Public that he logged into his system's online portal "and that's when I realized I had a drop-down [menu] to select multiple addresses."

On the screen are about 100 other customer addresses.

Each mouse click reveals more information about other people: names, addresses, phone numbers, emergency contacts, and account payment history.

Kopp can even see specifics about other customers' home security systems, such as details of security equipment and the location of security zones within their home.

"My reaction, [it's] kind of crazy. I really don't feel that they're keeping other people's information," she said.

"I wonder if my data was compromised in the same way."

That's still not clear. While Kopp didn't see the details himself on screen, Brinks hasn't notified any customers affected by the leak, which went unfixed in months.

Brinks said no financial or banking data was included in the leak.

'Very serious' violation

But one expert said it was still a "very serious breach of privacy."

“Of course, this is also a breach of security,” said Ann Cavoukian, a three-term former Ontario privacy commissioner.

"This allows people to potentially enter your home and into your information online. Identity theft can occur."

Kopp assumed the breach would be fixed as soon as he discovered and reported it in early 2022. In April, he was surprised to find he still had access to the same drop-down menu with the same customer information.

He said he reported it again, waited a few more months, and called Brinks again in early July.

Kopp got a recording of the call. In it, he made it clear the matter needed improving: "I'm going to need a manager," he told the agent when he explained he could access other people's data.

"This is a huge customer information problem, which is why I need to speak to a manager."

He was promised a manager would call him back, but he received no response until Go Public started investigating.

"Nobody has contacted me about the data breach at all," he said.

It made Cavoukian "horrified".

"I am very angry because this kind of violation is not taken seriously, because it must be acted upon immediately," he said.

Brinks turned down a request for an interview from Go Public. In a statement, the company said the agent on July's call, who works for a third party, "did not follow proper protocols and procedures" when customers asked for issues to be escalated.

"We have strengthened our protocols and training with concerned representatives to ensure compliance with our escalation procedures."

It's unclear what happened after Kopp's earlier calls.

Brinks did not provide an explanation for the cause of the problem, although he did indicate that it was a glitch and not the result of a hack.

The company called it an "isolated issue" that leaked the data of "a small subset" of its customers. "No banking or financial information is visible," he said.

Brinks did not respond to Go Public's questions about how many Canadian customers were affected.

The company says sensitive data is visible to "less than 0.01% of Brinks' total customer base." Brink has approximately 900,000 home and commercial security customers according to the company's 2021 press release, which translates to around 90 customers.

Required to report
It wasn't until nearly two and a half months later, in mid-September, that Kopp noticed that it appeared to be fixed. He estimates that he can access other customer data for seven to ten months.
But Teresa Scassa, Canadian Research Chair in Information Law and Policy at the University of Ottawa, said that may not close the book on Brinks' liability.
"If a company becomes aware that a data security breach has occurred, then they have an obligation to report it to the Privacy Commissioner of Canada," he said.
Brinks did not answer Go Public's question whether he had notified the privacy commissioner. But Kopp did.
His official complaint is now being processed through the system. He also contacted the Office of the Information and Privacy Commissioner in Alberta.
The Alberta office told Go Public they would be contacting Brinks "to remind them of their obligation to report to our offices and notify affected individuals."
Scassa said reporting to the federal privacy commissioner could also trigger a requirement to notify affected customers. He said companies with information breaches sometimes offer support such as credit monitoring services to reduce the risk for their customers and help defend against class action lawsuits they could face.

A company would ignore something like this at their own peril. There is no 'it didn't happen' if it did. If it does, you need to get out in front of it and fix it."
Brinks said that his own reviews with internal and external advisers concluded: "The viewable nature of the data does not require customer notification."
Kopp decided it was "inappropriate" for him to contact the customer. So Go Public called, contacted some of the people that came up on the Kopp portal.
No one was told by Brinks that anything had happened to their data, including Aimee Scott of Okanagan Falls, B.C.
"The thing that bothers me, or I think is a bit scary is the fact that I never heard from Brinks about it," Scott said.
Scott said he could understand a technical error, but he was not satisfied with what had been done.
"It's confusing. I mean, things happen. But I mean, reach out and let people know it happened and own up to it."
As for Kopp - he wonders if he actually got what he signed up for.
"That worries me because I pay a security company because I want security, and they can't protect my personal information, let alone anything else," he said. This article was written by EDUKASI CAMPUS. 

Post a Comment

Previous Post Next Post

Contact Form