An Edmonton man was able to view personal data of other Brinks customers for months through his home security system.

Andrew Kopp had a problem with the door sensor in his new Brinks home security system.

The Edmonton man, a systems architect for a telecommunications company and a self-described gadget enthusiast, was adding a touch of home security when he signed a 36-month contract for Brinks Systems in October 2021.

But when he contacted tech support to troubleshoot these erratic door sensors, things took a strange turn.

He noticed that Go Public had a dropdown when he signed into his system’s online portal. [menu] This is because we have a lot of addresses to choose from. ”

His screen displayed the addresses of about 100 other customers.

Each mouse click revealed more information about other people, including names, addresses, phone numbers, emergency contacts, and account payment history.

• Do you have a story you’d like to explore? Contact Carolyn and the Go Public team

Kopp was even able to display certain information about other customers’ home security systems, such as security device details and the location of security zones within their homes.

“My reaction was [this is] kinda crazy. I really don’t think they are protecting other people’s information,” he said.

“I wanted to know if my data had been compromised in the same way.”

it remains unclear. Kopp didn’t show his details on screen, while Brinks didn’t notify customers affected by the leak, and it remained unfixed for months.

Brinks said the leak did not contain any financial or banking data.

“Very Serious” Infringement

But one expert says it’s still a “very serious invasion of privacy”.

“Of course, it’s also a security breach,” said Ann Cavoukian, the former three-term privacy commissioner for Ontario.

“This can allow people to break into your home and information online. Identity theft can occur.”

After discovering and reporting it in early 2022, Kopp expected the breach to be remediated quickly. In April, he was surprised to find that he could still access the same dropdown menu with the same customer information.

He says he reported it again, waited a few more months, and called Brinks again in early July.

Kop recorded the call. In it, he clearly states that the matter needs to be escalated.

“This is a big issue with customer information, so I need to speak to my manager.”

He had been promised a manager would call him, but didn’t get a response until Go Public launched an investigation.

“No one contacted me about the data breach,” he says.

It makes Cavoukian “suck”.

“I am so upset that this kind of violation is not taken seriously when action must be taken immediately,” she said.

Brinks declined an interview request from Go Public. In his statement, the company said an agent working for a third party in a July call “did not follow proper protocols and procedures” when a customer asked to escalate the matter. Stated.

“Since then, we have stepped up our protocols and training with issue representatives to ensure compliance with our escalation procedures.”

It wasn’t clear what happened after Kopp’s earlier call.

Brinks didn’t provide an explanation as to what caused the problem, but indicated it was an error and not the result of a hack.

The company called it an “isolated issue” in which a “small subset” of customers’ data was leaked. “I didn’t see any banking or financial information,” he said.

Brinks did not respond to Go Public’s question about the number of Canadian customers affected.

According to the company, “less than 0.01% of Brinks’ total customer base” has access to sensitive data. According to a 2021 corporate press release, Brink has approximately 900,000 home and commercial security subscribers, which equates to approximately 90 customers.

Reporting obligation

It wasn’t until mid-September, nearly two and a half months later, that Kopp appeared to be fixed. He estimates that other customers’ data he had access to for 7-10 months.

But Teresa Scassa, chair of the Canadian Studies Committee for Information Law and Policy at the University of Ottawa, said this may not be the end of the book on Mr. Brinks’ duty.

“If a company is aware of a data security breach, it is obligated to report it to the Canadian Privacy Commissioner.

Brinks did not respond to Go Public’s question about whether it had notified the Privacy Commissioner. But Cop did.

His formal complaint is now going through the system. He also contacted his Commissioner’s Office for Alberta Information and Privacy.

The Alberta office told Go Public it will contact Brinks “to remind them of their obligation to report to our office and notify affected individuals.”

A report to the Federal Privacy Commission could also result in the need to notify affected customers, Scassa said. She said companies involved in data breaches may offer support, such as credit monitoring services, to reduce the risk to their customers and protect themselves from class action lawsuits they may face. .

“Companies will take responsibility for ignoring things like this. If it does happen, it doesn’t mean it didn’t happen.

Brinks concludes an independent review by in-house and outside counsel that “due to the nature of the visible data, no notice to customers was necessary.”

Kopp decided it was not “appropriate” to contact such customers. So Go Public called and contacted some of the people who showed up at Kop’s portal.

No one, including Amy Scott of Okanagan Falls, B.C., was notified by Brinks that anything had happened to Data.

“What bothered me, or I think was a little unsettling, is the fact that I had never heard of it from Brinks,” said Scott.

Scott said he understood the technical issues, but not enough.

“It’s embarrassing. I mean things happen. But I mean reaching out and letting people know it happened and acknowledging it.”

As for Kopp, he wonders if he’s really getting what he signed up for.

“I’m worried because I wanted security and paid for a security company. They can’t protect my personal information and they don’t care about anything else,” he said.