There’s a follow-up to a breach that I had described as one of the worst insider breaches at its time – because it put lives at serious risk and some victims were firebombed or shot at.
Mi-Jung Lee and Kendra Mangione recently interviewed one of the victims, who continues to have concerns about the handling of the breach. Here are parts of their reporting:
Six months after the fire, she found out it was part of a crime spree targeting people who’d parked their vehicles at the Justice Institute of B.C., and that Cheung had accessed her information by paying an ICBC employee. That employee was fired but never charged.
[…]
The trailer fire happened in June 2011, the employee was fired in August, but she wasn’t told about the breach by ICBC until December.
Read more on CTV News.
Given the emotional toll of the attack, and realizing that until someone gives you an explanation of what happened and how, I think I would agree with victims that this was too long a gap to notification. Can you imagine not understanding who attacked you and why, or how they got your information – and worrying for six months whether you were still at risk?
I do not know what ICBC’s explanation for the long delay to notification was, but in my opinion, they should have notified in August or as soon as they recognized that this was an insider breach.
UPDATE: The former employee has been arrested. I wonder if the victim speaking out yesterday and criticizing the handling of the breach prompted today’s action and announcement. And while the arrest is progress of sorts, there is still the issue of why ICBC took so many months to notify victims.