SIN included in email attachment
February 3, 2023 1:16 PM
Question for Canadians: Someone in our financial institution sent my partner an email (not secure) with an attached document that included their complete Social Insurance Number. The Government of Canada website says that if you have been affected by a data breach, contact Equifax and TransUnion to monitor your file, and regularly review your banking and credit card statements. Is there anything else we should do?
Are you certain it wasn't encrypted? There's headers you can check if you haven't already, at least in some cases. As a frame of reference, around 86% of recent inbound email to Gmail was encrypted.
Even if it weren't encrypted, an attacker would have to control one of the networks that it traveled through between the FI and your email provider in order to intercept it, and the odds of a threat actor with that capability being interested in one random person's ID number are vanishingly small.
If you mean at rest rather than in transit, while it would mean someone at your email provider could see it, that's true but again, attackers with that kind of access tend to be working on something far more devious and significant than trying to pull out PII one random account at a time.
That said, if you happen to be in Quebec, you can now lock your credit report and if you're not you should contact your politicians and ask why they're not keeping up.
posted by Candleman at 6:21 PM on February 3, 2023
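Candleman's suggestion to check the headers, as an added example that is not part of the thread: a Python script that reads the Received headers of a saved message and reports, hop by hop, whether the receiving server recorded TLS (the RFC 3848 "with ESMTPS" keyword, or the "version=TLS..." annotation Gmail adds). The sample message, hostnames and IDs are constructed for the demonstration.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (not a real email). The topmost Received header
# was added last, by the recipient's own provider; the bottom one came first.
RAW_MESSAGE = b"""\
Received: from smtp-out.example-bank.test (smtp-out.example-bank.test [192.0.2.20])
        by mx.example-mail.test with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 3 Feb 2023 13:10:02 -0500 (EST)
Received: from [10.0.0.5] (app-server.example-bank.internal [10.0.0.5])
        by smtp-out.example-bank.test with ESMTP id xyz789;
        Fri, 3 Feb 2023 13:09:58 -0500 (EST)
From: statements@example-bank.test
To: partner@example-mail.test
Subject: Your account documents

See attached.
"""

# IANA-registered Received "with" keywords that mean the hop used TLS (RFC 3848 / RFC 6531).
ENCRYPTED_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

def parse_received(value):
    """Extract sender, receiver, protocol and TLS version from one Received header."""
    flat = " ".join(str(value).split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", flat)
    m_by = re.search(r"\bby\s+(\S+)", flat)
    m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
    m_tls = re.search(r"version=(TLS[0-9_.]+)", flat)  # Gmail-style TLS annotation
    proto = m_with.group(1).upper() if m_with else None
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "protocol": proto,
        "tls_version": m_tls.group(1) if m_tls else None,
        "encrypted": proto in ENCRYPTED_PROTOCOLS or m_tls is not None,
    }

def audit_transit_encryption(raw):
    """Return the hops in sender-to-recipient order with their encryption status."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # headers are prepended as mail travels, so reverse them
    return hops

def all_hops_encrypted(hops):
    """True only if every recorded hop used TLS; a single plaintext hop breaks the chain."""
    return bool(hops) and all(h["encrypted"] for h in hops)
```

In the sample the bank's internal hop was plain ESMTP, so the attachment crossed at least one link in the clear even though the final delivery used TLS 1.3; only the Received lines added by your own provider are under its control, and none of this says anything about encryption at rest.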
I agree with Candleman that TLS is an excellent security measure (and it's definitely worth checking the email header as they suggest for peace of mind), but (as it appears you already know) encryption at rest is also important when dealing with sensitive data (after all, the sender can't ensure your email provider stores attachments securely). No organization should ever send you an email containing your SIN (or other information that could be used for identity fraud) without first asking you if it's okay to do so and encrypting the actual data so that only you can access it.
Many large organizations are aware of this (for example, the University of British Colombia requires that email attachments containing a SIN be encrypted; other large universities have similar publicly-documented policies), but, like you, I've encountered financial institutions that don't follow best practices in this respect.
If you haven't already, let the financial institution in question know that sending this kind of personal information via email without encrypting the actual data is a security risk. Try to get in touch with their security team (if they have one); I'd suggest emphasizing that the actions of the individual employee aren't the issue so much as a presumed systemic failure at the training/security level.
Some references that might be useful for this purpose:
Annex 6: Private sector dos and don'ts: requesting, collecting, using and storing the SIN of the Canadian Federal Government's Social Insurance Number (SIN) Code of Practice notes:
- Don’t ask for a client’s personal information, and, above all, the SIN, via email
- Don’t put any client’s personal information on the Internet
The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may handle personal information — including the SIN — in the course of commercial activities.

Time magazine published an article in 2016 entitled Why You Should Never Email a Social Security Number (which also applies to SINs and other sensitive info) that provides a good overview of the relevant security considerations. I sometimes use this article as a "don't take my word for it" reference when a person or organization is skeptical.
Finally, you may wish to report your concern to the OPC (although I doubt doing so would have much effect).
posted by CahootsMalone at 8:12 AM on February 4, 2023
Response by poster: Thanks, all! The email was encrypted, the financial institution has been advised and it looks as if the matter can be closed.
posted by Epixonti at 12:04 PM on February 5, 2023
posted by flimflam at 5:07 PM on February 3, 2023 [5 favorites]