Andrew Kopp was having trouble with the door sensors on his new Brinks home security system. The Edmonton man — a systems architect for a telecommunications company and self-professed gadget enthusiast — had added a little extra home security when, in October 2021, he signed a 36-month contract for a Brinks system.
But things took a strange turn when he called technical support to troubleshoot those wonky door sensors. He told Go Public he signed into his system’s online portal “and that’s when I noticed that I had a drop-down [menu] to select a whole bunch of addresses.”
There on his screen were approximately 100 other customers’ addresses.
Every click of the mouse revealed more of someone else’s information: name, address, phone number, emergency contacts and account payment history. Kopp could even view specific things about other customers’ home security systems, like security equipment details and locations of security zones within their homes.
“My reaction is, [this is] kind of crazy. I really don’t feel that they’re safeguarding other people’s information,” he said. “I wanted to know whether my data was compromised in the same way.”
That remains unclear. Kopp did not see his own details on the screen, and Brinks has not notified any of the customers who were affected by the leak, which went unfixed for months. Brinks says no financial or banking data was included in the leak.
‘Very serious’ breach
One expert says it was still a “very serious privacy breach.” “Of course, it’s a breach of security as well,” said Ann Cavoukian, a former three-term privacy commissioner of Ontario. “It allows people to potentially break into your home and into your information online. Identity theft could result.”
Kopp assumed the breach would be quickly fixed after he discovered and reported it in early 2022. In April, he was surprised to find out he still had access to the same drop-down menu with the same customer information. He says he reported it again, waited a few more months, and called Brinks yet again in early July.
Kopp got a recording of that call. In it, he clearly says the issue needs to be escalated: “I’m going to need a manager,” he told the agent as he explained that he was able to access others’ data. “It’s a huge customer information problem, which is why I need to speak to a manager.” He was promised a manager would call him back, but he got no response until Go Public began investigating.
“Nobody contacted me regarding a data breach at all,” he says.
That makes Cavoukian “cringe.” “It just makes me so angry that this type of infringement isn’t taken seriously, as it should be immediately acted upon,” she said.
Brinks declined an interview request from Go Public. In a statement, the company said the agent on the July call, who worked for a third party, “did not follow the proper protocols and procedures” for when a customer asks for a problem to be escalated. “We have since reinforced our protocols and trainings with the representative in question to ensure compliance with our escalation procedures.”
It was not clear what happened after any of Kopp’s previous calls. Brinks offered no explanation for the cause of the problem, though it indicated it was an error and not the result of a hack.
The company called it an “isolated issue” that leaked the data of “a small subset” of its customers. “No banking or financial information was visible,” it said.
Brinks did not answer Go Public’s question of how many of its customers were affected.
The company said the sensitive data was visible to “less than .01% of Brinks total customer base.” Brinks has some 900,000 home and commercial security subscribers according to a 2021 corporate press release, which works out to fewer than about 90 customers.
Obliged to report
It wasn’t until almost two and a half months later, in mid-September, that Kopp saw that it seemed to be fixed. He estimates he was able to access other customers’ data for seven to ten months.
But Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa, says that may not close the book on Brinks’s obligations.
“If the company is aware that there’s been a data security breach, then they are obliged to report that to the Privacy Commissioner of Canada,” she said.
Brinks did not answer Go Public’s question whether it notified the privacy commissioner. But Kopp did.
His formal complaint is now making its way through the system. He also contacted the Office of the Information and Privacy Commissioner in Alberta. The Alberta office told Go Public it will be contacting Brinks “to remind them of their obligation to report to our office and notify affected individuals.”
Scassa says reporting to the federal privacy commissioner may also trigger a requirement to notify affected customers. She says companies with information breaches sometimes offer supports such as credit monitoring services to mitigate the risk to their customers and help defend against class-action lawsuits they could face.
“A company would ignore something like this at their own peril. There’s no ‘it didn’t happen’ if it did. If it did, you have to get out in front of it and fix it.”
Brinks said that its own review with internal and external counsel concluded: “The nature of the data that was visible did not require a customer notification.”
Kopp decided it wasn’t “appropriate” for him to contact those customers. So Go Public made the calls, contacting several who had shown up on Kopp’s portal. None had been notified by Brinks that anything had happened with their data, including Aimee Scott of Okanagan Falls, B.C.
“The thing that bothered me, or I guess was a bit unnerving is the fact that I never heard from Brinks about it,” Scott said.
Scott says she’s able to understand a technical glitch, but she’s not satisfied that enough was done. “It’s disconcerting. I mean, things happen. But I mean, reach out and let people know that it’s happened and own up to it.”
As for Kopp — he’s wondering if he’s really getting what he signed up for.
“It worries me because I paid for a security company because I wanted security, and they can’t safeguard my personal information, never mind everything else,” he said.
If you have a story in the public interest, or if you’re an insider with information, contact GoPublic@cbc.ca with your name, contact information and a brief summary. All emails are confidential until you decide to Go Public.