Background

The Edmonton Humane Society (EHS) has notified the Alberta Office of the Information and Privacy Commissioner about an unintentional disclosure of personal information that occurred at the not-for-profit organization.

Between October 2017 and February 2018, the private financial information for at least five participants of EHS’ PALS (Prevent Another Litter Subsidy) Program who signed up online was accidentally posted on the organization’s corporate website for a short period of time.

At no time was the information of EHS donors, customers, volunteers, employees or adoption clients ever jeopardized because those details are stored on a separate server that wasn’t affected by the software malfunction.

Below is additional information for the PALS clients potentially affected.

Letter from Board of Directors

November 20, 2018

Dear Edmonton Humane Society Supporter,

Earlier today, the Edmonton Humane Society (EHS) notified the Alberta Office of the Information and Privacy Commissioner that financial information belonging to PALS program clients may have accidentally been shown online.

Between October 2017 and February 2018, the private financial information for at least five participants of EHS’ PALS (Prevent Another Litter Subsidy) Program who signed up online was accidentally posted on our organization’s corporate website for a short period of time.

At no time was the information of EHS donors, customers, volunteers, employees or adoption clients ever jeopardized because those details are stored on a separate server that wasn’t affected by the software malfunction.

EHS deeply regrets this unintentional disclosure and is working hard to make it right. This was a major violation of our clients’ privacy, and we want to apologize to everyone who was impacted.

A preliminary investigation has found that a software malfunction led to the unintentional disclosure of personal information. While the investigation also found that at least five PALS program clients were impacted, we are notifying all 389 clients whose information was stored on the impacted server as a precaution.

During the time period in question, the private financial information, including bank statements, addresses and proof of income, for at least five PALS clients was accidentally posted on our corporate website for a short period of time.

To support the impacted clients, EHS has set up this dedicated website, where we will post updates and information, and a phone line to field questions. EHS will also be providing impacted clients a free credit check and one year of credit monitoring services upon request.

EHS regrets not informing the Privacy Commissioner and affected individuals sooner. Because the RCMP contacted EHS when the unintentional disclosure occurred in early February after receiving a call from an impacted client, there was a misunderstanding by senior leadership at the time that our non-profit had no further legal disclosure obligations.

Our new interim CEO and Board of Directors first became aware of the incident in late October, and immediately got to work to fix the situation, including:

  • Notifying all impacted clients and offering them a free credit check and one year of credit monitoring services. We have also assigned one staff member to help affected clients with questions and complaints until the situation is resolved.
  • Notifying the Alberta Office of the Information and Privacy Commissioner and the media.
  • Hiring an external IT expert to independently investigate the information disclosure, recommend steps to safeguard our entire IT system and conduct a risk assessment.
  • Hiring a new internal Privacy Officer in October.
  • Offering all EHS staff privacy information training.

Please be assured that we will continue to do everything in our power to improve our security systems and protect all private information that has been entrusted to us. We promise to keep you apprised of any further developments. And if there is more we should be doing, let us know: we need to work together as a team and get this right.

We want to thank you again for your dedication to EHS and the compassion and professionalism you bring to our facility every day. If you have any questions or concerns, please do not hesitate to contact me.

Sincerely,

Summer Bradko
Chair of the Board of Directors


Frequently Asked Questions

Q: Was my private financial information accessed?

A: All impacted individuals will be notified by written communication sent by mail only. In the meantime, we have set up a dedicated website and phone line, 780-229-2934, to assist the public. A preliminary investigation has found that the incident affected five PALS clients who uploaded their financial information to our website between October 2017 and February 2018. However, we are notifying all PALS clients who uploaded financial information to our website during that period just to be on the safe side.

Q: How many people have been impacted?

A: While a preliminary EHS investigation has found that five PALS program clients were impacted, we have notified all 389 clients whose information was stored on the impacted server as a precaution.

Q: What information has been compromised?

A: Personal information collected for EHS’s PALS (Prevent Another Litter Subsidy) Program, which is designed to help low-income Edmonton residents spay or neuter animals in their immediate care. At the time, clients applying online needed to upload financial information to be eligible for the financial subsidy. Information that could have been involved includes: T-4 slips, banking information, social insurance numbers, dates of birth, names, addresses, phone numbers, email addresses and employment information.

Q: Was the personal information of any other EHS donors, clients, volunteers and/or employees unintentionally shared?

A: No. It is important to note that at no time was the private information of our employees, animal adoption clients or donors impacted because those details are stored on a separate server that wasn’t affected by the software malfunction.

Q: Who is responsible for this information disclosure?

A: A preliminary investigation has found that this incident is linked to a software malfunction that was identified and fixed on February 28, 2018.

Q: How did this information disclosure happen?

A: Between Oct. 2017 and Feb. 2018, a software malfunction led to stored client data being accidentally displayed on EHS’s website for a short period of time. PDF images of financial information provided by individuals in online applications for our PALS program would be randomly displayed on the website when one attempted to click on photos of shelter animals available for adoption. As the website would connect to the server and refresh every 30 minutes, the images would change every 30 minutes. On some occasions the website would properly direct to an animal profile, but on other occasions, it would show a new piece of sensitive financial information from a client. The website did not at any point allow access to the database of client information or to the server that stored the client information. EHS’s Privacy Officer and IT officials worked for several weeks to track down the problem. The server where the private client info was stored was eventually decommissioned by the end of February 2018 and destroyed.

Q: Have the police been involved?

A: Yes. In February 2018, the RCMP contacted EHS to let them know an impacted client had reached out to them to complain. Unfortunately, because the RCMP investigated the incident in early February, there was a misunderstanding by senior managers at the time that EHS had no further disclosure obligations.

Q: When will EHS be contacting impacted clients?

A: EHS will be contacting all affected clients by mail. Letters were sent starting on Monday, Nov. 19, 2018. Please contact X if you are concerned you are affected but have not received a letter from our organization by Monday, Nov. 26. We will not be contacting people via email or phone. If you receive a phone call or email from EHS on this matter, please call us immediately at 780-229-2934 to double-check any suspicious activity.

Q: What do I need to do if I was impacted by this incident?

A: If you receive communication by mail from EHS concerning the disclosure of your personal information, please contact Evan Lawlor with the Edmonton Humane Society at 780-229-2934 to discuss next steps.

Q: How is EHS helping me?

A: Please be assured that EHS is working hard to help impacted clients, including assigning at least one staff member to field questions and concerns until the matter is resolved. All impacted clients will also receive instructions on how to sign up for a free credit check and one year of credit monitoring services.

Q: How long will EHS help impacted clients?

A: We are committed to helping impacted clients until we are confident client financial information isn’t at risk of being exploited. We have promised to make this right. These clients shared their data with us in good faith and we take that responsibility very seriously.

Q: If I choose to purchase credit monitoring and repair services immediately, will EHS reimburse me?

A: No. EHS will be recommending free credit monitoring and identity protection services with our contracted vendor. EHS will not reimburse you for services that you purchase independently.

Q: How do I access the credit monitoring that EHS has offered to impacted clients?

A: Impacted clients will receive instructions by mail advising them about the protections offered and how to sign up for them. The information will also be posted on our dedicated website.

Q: I received a call related to the potential information disclosure at EHS. They asked me for my personal information. What should I do?

A: Please do not provide personal information over the phone. EHS will NOT be calling or emailing impacted individuals regarding this incident. In order to protect your privacy, we will be contacting impacted individuals by mail. We will NOT be asking for credit card information or member/social insurance numbers over the phone. If you have been a victim of a crime related to this incident, please inform the Canadian Anti-Fraud Centre at: http://www.antifraudcentre-centreantifraude.ca/

Q: I think I received a suspicious email related to EHS’s information disclosure. What should I do?

A: Please do not provide personal information to unauthorized individuals by e-mail. In order to protect your privacy, EHS will NOT be e-mailing clients regarding this information disclosure. We will only be contacting impacted individuals by mail.

Q: Why did it take EHS so long to report this information disclosure to impacted clients and the Privacy Commissioner?

A: Unfortunately, because the RCMP were asked to look into the incident in early February, there was a misunderstanding by senior managers at the time that EHS had no further legal disclosure obligations. Our new interim CEO discovered the error late last month and then alerted EHS’s Board of Directors.

Q: How is EHS safeguarding private information going forward?

A: We have hired an external IT firm to probe our entire IT system. We hope the risk assessment and investigation help us close up any outstanding weaknesses that may still exist. Guarding our clients’ and employees’ data is important to us; we promise that this incident will never happen again. We also hired a new Privacy Officer in October. We also plan on offering all EHS employees training on how to handle private information.


Contact Information

To discuss next steps, please contact Evan Lawlor, Edmonton Humane Society, at 780-229-2934.