Edmonton man could see private data of other Brinks customers through his home security system — for months | CBC News

Published 28.11.2022

Andrew Kopp was having trouble with the door sensors on his new Brinks home security system.

The Edmonton man, a systems architect for a telecommunications company and self-professed gadget fanatic, had added a little extra home security when, in October 2021, he signed a 36-month contract for a Brinks system.

But things took a weird turn when he called technical support to troubleshoot those wonky door sensors.

He told Go Public he signed into his system’s online portal “and that’s when I noticed that I had a drop-down [menu] to select a whole bunch of addresses.”

There on his screen were roughly 100 other customers’ addresses.

Every click of the mouse revealed more of someone else’s information: name, address, phone number, emergency contacts and account payment history.


Kopp could even view specific things about other customers’ home security systems, like security equipment details and locations of security zones within their homes.

“My reaction is, [this is] kind of crazy. I really don’t feel that they’re safeguarding other people’s information,” he said.

“I wanted to know whether my data was compromised in the same way.” 

That remains unclear. Though Kopp didn’t see his own details on the screen, Brinks has not notified any of the customers who were affected by the leak, which went unfixed for months.

Brinks says no financial or banking data was included in the leak.

Privacy expert Ann Cavoukian says the company’s poor response to the problem makes her ‘cringe.’ (Submitted by Ann Cavoukian)

‘Very serious’ breach

But one expert says it was still a “very serious privacy breach.”

“Of course, it’s a breach of security as well,” said Ann Cavoukian, a former three-term privacy commissioner of Ontario.

“It allows people to potentially break into your home and into your information online. Identity theft could result.”

Kopp assumed the breach would be quickly fixed after he discovered and reported it in early 2022. In April, he was shocked to find out he still had access to the same drop-down menu with the same customer information.

He says he reported it again, waited several more months, and called Brinks yet again in early July.

Kopp obtained a recording of that call. In it, he clearly says the issue needs to be escalated: “I’m going to need a manager,” he told the agent as he explained that he was able to access others’ data.

“It’s a huge customer information problem, which is why I need to speak to a manager.”

He was promised a manager would call him back, but he received no response until Go Public began investigating.

“Nobody contacted me regarding a data breach at all,” he says.

That makes Cavoukian “cringe.”

“It just makes me so angry that this type of infringement isn’t taken seriously, as it should be immediately acted upon,” she said.

Brinks declined an interview request from Go Public. In a statement, the company said the agent on the July call, who worked for a third party, “did not follow the proper protocols and procedures” for when a customer asks for a problem to be escalated.

“We have since reinforced our protocols and trainings with the representative in question to ensure compliance with our escalation procedures.”

Prof. Teresa Scassa of the University of Ottawa says companies are required to report such leaks to the Privacy Commissioner of Canada. (Submitted by Teresa Scassa)

It was not clear what happened after any of Kopp’s earlier calls.

Brinks provided no explanation for the cause of the problem, though it indicated it was an error and not the result of a hack.

The company called it an “isolated issue” that leaked the data of “a small subset” of its customers. “No banking or financial information was visible,” it said.

Brinks did not answer Go Public’s question of how many of its Canadian customers were affected.

The company said the sensitive data was visible to “less than .01% of Brinks total customer base.” Brinks has some 900,000 home and commercial security subscribers according to a 2021 corporate press release, which works out to about 90 customers.

Go Public’s Carolyn Dunn calls one of the other Brinks customers whose information was leaked. None of them had been informed of the leak by the company. (Colin Hall/CBC)

Obliged to report

It wasn’t until almost two and a half months later, in mid-September, that Kopp noticed that it appeared to be fixed. He estimates he was able to access other customers’ data for seven to 10 months.

But Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa, says that won’t close the book on Brinks’s obligations.

“If the company is aware that there’s been a data security breach, then they are obliged to report that to the Privacy Commissioner of Canada,” she said.

Brinks did not answer Go Public’s question whether it notified the privacy commissioner. But Kopp did.

His formal complaint is now making its way through the system. He also contacted the Office of the Information and Privacy Commissioner in Alberta.

The Alberta office told Go Public it will be contacting Brinks “to remind them of their obligation to report to our office and notify affected individuals.”

Scassa says reporting to the federal privacy commissioner may also trigger a requirement to notify affected customers. She says companies with information breaches sometimes offer supports such as credit monitoring services to mitigate the risk to their customers and help protect against class-action lawsuits they might face.

Aimee Scott of Okanagan Falls, B.C., says she was unnerved to learn about the leak. (Tom Popyk/CBC)

“A company would ignore something like this at their own peril. There’s no ‘it didn’t happen’ if it did. If it did, you have to get out in front of it and fix it.”

Brinks said that its own review with internal and external counsel concluded: “The nature of the data that was visible did not require a customer notification.”

Kopp decided it wasn’t “appropriate” for him to contact those customers. So Go Public made the calls, contacting several who had shown up on Kopp’s portal.

None had been notified by Brinks that anything had happened with their data, including Aimee Scott of Okanagan Falls, B.C.

“The thing that bothered me, or I guess was a bit unnerving is the fact that I never heard from Brinks about it,” Scott said.

Scott says she’s able to understand a technical glitch, but she’s not satisfied that enough was done.

“It’s disconcerting. I mean, things happen. But I mean, reach out and let people know that it’s happened and own up to it.” 

As for Kopp, he’s wondering if he’s really getting what he signed up for.

“It worries me because I paid for a security company because I wanted security, and they can’t safeguard my personal information, never mind everything else,” he said.
