Firearms data breach exposed 2.2 million Canadian gun owners, no full investigation launched

CALGARY — A 2021 cyberattack linked to Canada’s firearms licensing system exposed the personal information of approximately 2.2 million legal gun owners, making it the largest data breach reported by a federal institution in the past five years.Documents originally obtained by the Investigative Journalism Foundation (IJF) show the breach, which stemmed from a malware attack on a third-party contractor used by the Canadian Firearms Program, accounted for more than half of all individuals affected by federal data breaches reported to the Office of the Privacy Commissioner of Canada during that time period.In total, 3.7 million people were affected by federal data breaches over five years.Records obtained under access-to-information legislation show the breach was formally reported by the Royal Canadian Mounted Police (RCMP) to the privacy commissioner in September 2021, six months after the incident occurred.According to the RCMP, the force was notified on March 17, 2021, that a private company providing mailing services had been hit by a ransomware attack.Shortly afterward, the RCMP confirmed that the Canadian Firearms Program was among the contractor’s clients..BERNARDO: How Ottawa’s firearms agenda collides with daily life in Canada.Possession and acquisition licences for firearms and handguns were processed by paper mail at the time, meaning the affected data included names, addresses, and licensing information for lawful gun owners.Two days after the RCMP was notified, the Treasury Board Secretariat issued a statement on March 19, 2021, acknowledging a “possible ransomware attack” on an unnamed private company, but did not identify the RCMP, the firearms program, the contractor involved, or the scale of the breach.The statement also added that, “there is no indication that there has been any unauthorized disclosure of any personal information of Canadians handled by the company and originating from the Government of Canada.”In 2021, 2.2 million individuals — or 7.1% of Canada’s total population — held firearms licences, meaning all of the country’s legal gun owners were affected.Despite the scale of the incident, the Office of the Privacy Commissioner didn’t launch a full investigation, describing the 2.2 million figure as a “preliminary estimate” in response to the IJF..Famous firearms lawyer says Colt Canada could be involved in Ottawa’s gun grab program.In emails, the RCMP later acknowledged that while investigators found no evidence that data was viewed or extracted, “it is not possible to confirm that it was not accessed,” and that the response to the breach was led by the Treasury Board Secretariat and the Canadian Centre for Cyber Security, with the force conducting a three-month internal assessment alongside its privacy and firearms program teams.The RCMP maintains that affected clients were notified, though details of when and how those notifications occurred have not been fully disclosed.Government officials have declined to publicly identify the third-party contractor that was breached, however, contracting records show that R. E. Gilmore Investments Corp., operating as Docu-Link International Inc. of Kanata, Ontario, provided “communication activities,” including mailing services, for the Canadian Firearms Program, and, in a press release issued the same day as Treasury Board’s statement, said that it had experienced a ransomware attack seven days earlier.The company declined to comment to the IJF, citing client obligations.The RCMP has confirmed it still “uses this [unnamed] third-party’s services.”.Upon hearing the news, gun rights organizations, such as the Canadian Shooting Sports Association (CSSA), have accused the RCMP and the federal government of downplaying the severity of the breach.“[This was] a veritable Christmas wish list for criminals, and everyone responsible for it stayed quiet. This was not a minor IT mishap. It was a catastrophic failure of basic data stewardship,” the CSSA said.“Lawful firearms owners did everything required of them. In return, the Canadian government failed its most basic duty: to protect the data it demands from the people it regulates.”.Tom Mavin, director of Canada’s National Firearms Association, added that the same authorities who downplayed the massive security breach now “want gun owners to declare which newly banned firearms they possess, despite having already demonstrated they cannot be trusted to keep that data secure.”“Don’t expose yourself,” Mavin said.

Firearms data breach exposed 2.2 million Canadian gun owners, no full investigation launched

Related Stories