Conservatives call for investigation into government data breaches that may have put Afghans in danger

Afghan civilians sit on the airport tarmac in Kabul as they wait for a chance to leave Afghanistan on August 16, 2021. (Wakil Kohsar/AFP/Getty Images - image credit)

The Conservatives have written to Privacy Commissioner Daniel Therrien to complain about a pattern of data breaches at Immigration, Refugees and Citizenship Canada (IRCC), CBC News has learned.

The complaint is in response to a string of misdirected emails last month that may have exposed hundreds of vulnerable Afghans to danger.

"The ramifications of this mistake have life-threatening consequences. This inexcusable data breach contained information about names, and in some cases, faces, of Afghans seeking refuge from a Taliban controlled Afghanistan, putting their lives in great danger," wrote Conservative immigration critic Jasraj Singh Hallan.

"It is imperative that an investigation be conducted into this alarming data breach, which challenges the credibility of the assertion made by Immigration, Refugees and Citizenship Canada that they maintain 'technological safeguards [to] ensure that client information is collected, stored and transmitted securely using encryption.'"

IRCC apologized to Afghan visa applicants

IRCC apologized for the leak to "several hundred" Afghans who had applied for visas. The leak took place after the Trudeau government promised it would accept 40,000 Afghans at risk because of their previous work as rights advocates, journalists, or members of the judiciary, or because they belong to religious and ethnic minorities targeted by the fundamentalist Taliban.

But the apology came in the form of a letter sent privately to those directly affected and signed by a public servant — IRCC director of client experience Anne Turmel.

"I offer you our sincere apology for our mistake and our assurance that we will do everything possible to ensure that it is not repeated," said the letter.

A similar leak by the U.K. government that exposed a smaller number of Afghan visa applicants was followed by a public acknowledgement of the error, an apology in Parliament by the minister responsible, an internal investigation and at least one suspension.

CBC News spoke to one Toronto man whose sister's name was among those inadvertently leaked by IRCC on December 18. He said he was "very disappointed" with the government's handling of the matter.

"Of course, I am worried most for my sister," he said, "but not only her. Some of these people may not even be aware of this, and I'm concerned for them too, just as a human being."

Conservatives allege a pattern of leaks

The Conservatives say that the most recent leak, while more dangerous than most, is only the latest in a series of leaks that averaged over three a day from the beginning of 2020 to March 18, 2021.

In his letter, Hallan cites the IRCC's answer to an "Inquiry of Ministry" — an official request for information that MPs can present in the House of Commons.

"Earlier this year, when I asked the Immigration Minister if the IRCC or CBSA had been affected by privacy breaches, he stated that there had been none," Hallan wrote.

"In fact, 1,793 privacy breaches occurred between 2020 and the time of my question, one of which led to more than 30,000 individuals' personal data being released."

IRCC's official answer listed 120 pages of data breaches. The most common type of breach reported by the department was "Improper disclosure: misdirected personal information" — the same kind of leak that affected the Afghans.

Most leaks not reported

While most of the leaks affected only a single individual, some affected much larger groups.

In many cases those affected were notified, while in others it's not clear they have been. In the overwhelming majority of cases, IRCC did not state that it had reported the error to the Privacy Commissioner or the RCMP.

IRCC said this was because "the vast majority of privacy breaches at IRCC are considered 'nonmaterial', which are low risk/impact (e.g., misdirected mail or email) and are dealt with internally.

"IRCC evaluates the level of risk based on Treasury Board of Canada Secretariat (TBS) Guidelines for Privacy Breaches, in determining whether or not a breach is deemed 'material' (involves sensitive personal information, and could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals). The Office of the Privacy Commissioner of Canada is only notified when 'material' privacy breaches occur."

IRCC did not explain how it defines "a large number of affected individuals." One breach that occurred on June 4, 2020 involved information belonging to 200 individuals. The Privacy Commissioner was not notified in that case.

The argument that misdirected mail amounts to a "low-risk" breach was called into question by the recent Afghan leak, which was of a kind sometimes known as a "reply all error" — in which an email is sent to a large group of recipients who can identify everyone else who received the same message.

The misdirected email messages caused panic in Afghanistan because they increased the risk of the Taliban identifying another 200 people corresponding with a foreign government and seeking to leave the country as potential enemies of the new regime.

"Action must be taken to address this unacceptable error," wrote Hallan. "Faced with the prospect of life or death, the privacy of Afghans seeking refuge cannot be an afterthought.

"I request that you take immediate action to determine the cause of this data breach, and to assure Canadians and the affected refugees abroad as to what actions will be taken to ensure that this will not occur again."