SkillsPEI privacy breach public disclosure timeline criticized

The PEI government’s response to a recent privacy breach is being criticized for the length of time it took to notify those who got caught up in it.

Personal information from more than 5,600 SkillsPEI clients was put at risk after an email was inadvertently sent to what was described as an “inaccurate address.”

A spokesperson for SkillsPEI said Monday, human error was to blame.

The breach happened June 13, but the province waited nearly a month to go public, including letting those affected know.

A privacy expert tells CTV News, the PEI government should have let people know much sooner.

“A month is way too long to wait,” Ontario’s former Privacy Commissioner tells CTV News. “Peoples’ information is already at risk the minute the breach takes place.”

Ann Cavoukian says government agencies should react quickly, because once the information is out there, in the hands of unauthorized parties, they can do anything with it.

A leading privacy expert, Cavoukian spent 17 years in the role of Information and Privacy Commissioner for Ontario beginning in 1997.

“Privacy is all about control, it’s about personal control relating to the use and disclosure of your personal information,” Cavoukian says. “This way, in terms of what happened here, you lose all control, and that’s why you have to act quickly, and try to regain some of that by bringing it to the attention of the individuals whose information was breached so that they can take some action.”

When asked earlier this week, the department refused to say where the email from SkillsPEI ended up.

On the day the privacy breach was announced, SkillsPEI Director Mary Hunter told CTV News, it wasn’t the result of a cyber hack or an employee clicking on a Phishing email.

Cavoukian says emails sent to the wrong address happen frequently, and the fallout can be swift.

“There are brilliant hackers out there who will slurp up personally identifiable data like this, take it, sell it, ransomware, hacking, steal the identity,” she says. “There’s all kinds of things you can do with it, and hackers are brilliant.”

The information at risk includes dates of birth, addresses, education and employment history.

Those impacted by the breach were set to receive a letter from the province as early as this week. CTV reached out to the PEI government Friday to see if this was done, but didn’t receive an answer.

The letter is expected to include information on how those impacted can access two years of free credit monitoring services through TransUnion of Canada.

Asked why it took almost a month for the privacy breach to be made public, SkillsPEI said the priority was to contain and mitigate any further potential risk.

“This involved bringing subject matter experts in and ensuring supports for impacted clients were in place so when they were notified through the letters, everything would be ready for them to access,” Vicki Tse, a Department of Workforce, Advanced Learning and Population spokesperson said Monday.

Among its priorities, SkillsPEI offers programs and services for job seekers, employers and organizations.

Other information that may have been put at risk includes: