PIPEDA Findings #2022-004: Investigation into MGM breach highlights how to assess risk, and need for timely assessment – Office of the Privacy…

PIPEDA Findings #2022-004

19 May 2022

In February 2020, the Office of the Privacy Commissioner of Canada (the OPC) became aware of media reports regarding a large-scale data breach MGM suffered in 2019. Not having received a breach report on the matter, the OPC engaged with MGM to obtain additional information about the breach and the involvement of any personal information belonging to Canadians.

After receiving confirmation that Canadian personal information was affected by the breach, considering the potential impact on Canadians who were affected but had not yet been notified of the breach, and considering the significant passage of time since MGM's confirmation of the breach, the Commissioner initiated a complaint to investigate[1] whether MGM had complied with its mandatory breach reporting obligations under PIPEDA.[2]

Our investigation found that MGM contravened the mandatory breach reporting provisions of PIPEDA. While MGM determined that there was a breach of its security safeguards in the summer of 2019, MGM failed to promptly assess whether the breach posed a real risk of significant harm (RROSH) to affected Canadians. We found that the breach posed a RROSH and that MGM did not report the breach to the Privacy Commissioner or notify affected individuals as soon as feasible.

In response to recommendations by our Office, MGM agreed that it would make amendments to its privacy breach response framework or process by 30 June 2022, to ensure that where MGM learns of a breach that may involve personal information of Canadian residents: (a) MGM will promptly conduct a RROSH assessment, consistent with the OPC's published guidance; and if MGM determines that such a breach gives rise to a RROSH, MGM will, as soon as feasible, (b) provide a report to the Privacy Commissioner, and (c) notify affected individuals.

We therefore find the matter to be well-founded and conditionally resolved.

Footnotes

1. Under subsection 11(2) of PIPEDA, the Commissioner may initiate a complaint if he is satisfied that there are reasonable grounds to investigate a matter under Part 1 of PIPEDA.

2. PIPEDA s 10.1.

3. ZDNet, "Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum", February 19, 2020; The New York Times, "MGM Resorts Says Data Breach Exposed Some Guests' Personal Information", February 19, 2020.

4. As discussed later in the report, the posting was removed from the hacker forum but later reappeared for sale on the dark web.

5. Under subsection 11(2) of PIPEDA, the Commissioner may initiate a complaint if he is satisfied that there are reasonable grounds to investigate a matter under Part 1 of PIPEDA.

6. PIPEDA s 10.1.

7. Breach of Security Safeguards Regulations: SOR/2018-64.

8. PIPEDA s 10.1(1).

9. PIPEDA s 10.1(3).

10. PIPEDA s 10.1(2) and s 10.1(6).

11. An attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing a specific, usually well-known, brand, usually for financial gain. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they may then use to commit fraudulent acts. See the Canadian Centre for Cyber Security's glossary.

12. OPC, What you need to know about mandatory reporting of breaches of security safeguards (October 2018).

13. Examples of the OPC's published guidance: OPC, What you need to know about mandatory reporting of breaches of security safeguards (October 2018); and OPC, 2019 Breach record inspections (September 2020).
