Theft of Vancouver rape crisis centre server containing sensitive data raises privacy concerns - Action News

Theft of Vancouver rape crisis centre server containing sensitive data raises privacy concerns

Cybersecurity experts are warning of serious data privacy risks after a Vancouver rape crisis centre told clients and donors a computer server containing their sensitive personal information and banking details was stolen from its office last month.

Police investigating Dec. 3 robbery at Salal Sexual Violence Support Centre

Salal Sexual Violence Support Centre told clients and donors a backup server containing their personal information was stolen from its new office on Dec. 3. Police say they are investigating the theft. (Graeme Roy/The Canadian Press)

Cybersecurity experts are warning of "significant" data privacy risks after a Vancouver rape crisis centre told clients and donors a computer server containing their sensitive personal information and banking details was stolen from its office last month.

The Dec. 3 break-in at Salal Sexual Violence Support Centre's new office is under investigation, Vancouver police confirmed in an email to CBC News on Friday, and at least one woman who sought counselling at Salal says she is planning to file a complaint with B.C.'s privacy watchdog over the breach.

In a Dec. 23 email obtained by CBC News, executive director Dalya Israel told Salal clients that a backup server with their waitlist and contact information was among the items stolen from the office, which is currently being renovated.

"It is possible that your name, email address, telephone numbers, and notes about safety risks or what services you have requested could be released, sold and shared publicly," Israel wrote.

However, clients' individual files, case notes and medical information were not compromised because they are held on an encrypted third-party platform, she said.

The stolen server also contained donor bank account details and pictures of cheques including names, addresses, and phone numbers, according to a separate email to donors obtained by CBC News.

Credit card and debit card information from online donations is stored on an encrypted third-party platform and remains safe, Israel said.

"This was not a data 'hack,'" read her email. "We do not believe that this break-in was targeted to destabilize Salal SVSC or the survivors that we serve."

Salal executive director Dalya Israel, pictured at an anti gender-based violence event in Vancouver on Dec. 11, 2023, says the theft has been 'devastating' for the organization and its community. She declined an interview with CBC News on Friday. (Ending Violence Association of B.C.)

Salal, a non-profit formerly called WAVAW Rape Crisis Centre, responded to 4,769 crisis calls and provided 1,304 individual counselling sessions between April 2021 and March 2022, according to its most recent annual report.

During that same time, it received more than $510,000 in donations from 3,454 individual donors, the report said.

Israel said Salal believes the risk of data being stolen or misused is low because accessing the data "requires sophisticated" IT knowledge, adding that an independent privacy impact assessment estimated the risk as moderate.

"We are of course very concerned with any possible data breach ... and we are doing everything we can to make sure that this cannot happen again," Israel wrote.

However, it is still unclear how many people's data may have been compromised or how vulnerable it may be.

Israel declined an interview request from CBC News on Friday.

In an emailed statement on Sunday, she declined to answer questions about how the stolen data was stored "to protect the integrity of the investigation and information on the hardware."

Israel says the theft has been "devastating" for Salal, and in her emails she noted the potential breach could be distressing or triggering for clients and donors.

"Our deepest commitment is to survivors and our community, and we know this has and will have a significant impact on them," she wrote to CBC News.

Theft poses 'significant' risks: experts

Two cybersecurity experts say while it is good that Salal informed clients and donors of the breach, the centre seems to be downplaying the "significant" safety, financial and privacy risks the theft poses, potentially to thousands of people.

It appears Salal did not take basic steps to protect some of the sensitive data its work requires, said Ali Dehghantanha, Canada Research Chair in cybersecurity and threat intelligence at the University of Guelph.

If the data is not encrypted, it would be easy "for anyone to get access to this information," he said.

"I would not consider this as a low risk."

Ali Dehghantanha, Canada Research Chair in cybersecurity and threat intelligence, says the theft poses significant risks because it appears Salal did not take basic steps to protect the information on its server. (University of Guelph)

David Jao, a professor and member of the Cybersecurity and Privacy Institute at the University of Waterloo, says it's easy to sell the stolen hardware to someone who can gain access and use the data to drain bank accounts, commit fraud or conduct phishing scams.

"It's hard to recall data once it's in bad hands," Jao said, noting any high-profile donors on the server could be prime targets.

The nature of Salal's work may also put clients' physical and mental safety at risk, Dehghantanha added.

"The very fact that you are a client of the centre is something private and sensitive for many people," he said.

One woman who says she is on Salal's waitlist for counselling told CBC News she is planning to file a complaint with the Office of the Information and Privacy Commissioner for B.C. (OIPC). CBC News agreed not to name her for privacy reasons.

The OIPC declined to confirm if Salal had reported the theft or whether it is investigating any complaints about Salal, citing confidentiality in a Friday statement to CBC News.

"Organizations are strongly encouraged to report privacy breaches [to] the OIPC where there is a risk of significant harm to individuals," a spokesperson wrote, noting the watchdog has a list of resources for victims of privacy breaches and identity theft.

Encryption not enough

Jao and Dehghantanha say this breach should be a wake-up call for Salal and other organizations working with vulnerable people to be proactive about data security.

Israel said the centre has migrated its backup server to an encrypted cloud server and will be adding further "layers of safety" to its usual server, along with increased cameras and metal door guards in its new office.

Encryption and physical protection are good first steps, said Jao, but ideally the data should be divided up as well to minimize the impact of a potential breach.

"You should have multiple backups, and those backups should be completely separate and encrypted," said Jao.

Organizations also need to think twice about how much information they collect in the first place, he said, and clients should be wary of giving out personal details like birthdays without a good reason.

Dehghantanha said Salal clients and donors should change their passwords, activate two-factor authentication and report suspicious activity on their banking and personal accounts, while Jao stressed that donating online with a credit card is much more secure than using cheques.

Dehghantanha also encouraged those impacted to file complaints with the OIPC to have some recourse if their data is indeed used against them.


For anyone who has been sexually assaulted, there is support available through crisis lines and local support services via this Government of Canada website or the Ending Violence Association of Canada database. If you're in immediate danger or fear for your safety or that of others around you, please call 911.