[BreachExchange] Victim of arson spree questions ICBC's handling of privacy breach

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 2 17:18:28 EST 2017


http://bc.ctvnews.ca/victim-of-arson-spree-questions-icbc-
s-handling-of-privacy-breach-1.3267296

Speaking publicly for the first time, the victim of a 2011 firebombing says
she still has concerns about the role an ICBC employee played in the attack.

Rhonda, who asked to be identified only by her first name, recalled the
fire in an exclusive interview with CTV News.

Her trailer was torched during a crime spree committed by Vincent Cheung,
who later pleaded guilty to charges stemming from 14 arsons and four
shootings that occurred between April 2011 and January 2012.

He was sentenced to 13 years and six months in prison. During sentencing,
the court heard the former lottery winner was a drug addict and had
paranoid delusions that prompted him to attack those with connections to
the Justice Institute.

The morning of the trailer fire, Rhonda woke up in the early hours to the
sound of someone banging on her door and screaming, "fire, fire!"

The fire department was on the way, but they managed to get the trailer
fire put out shortly before crews arrived. She said there were gas cans on
fire on the other side of their driveway.

Rhonda was sure it was an arson case, but before she found out why she'd
been targeted, she'd been told by the RCMP that those who'd been victims of
fires were also at risk of other violent attacks.

"It was absolutely ridiculous," Rhonda said of the level of fear her family
felt during that time.

They installed cameras at their house, and checked the footage any time
they heard a noise. She said her son, who was a teenager at the time,
wasn't allowed to be home alone during that time.

"For the first month after finding out that we could potentially be victims
again, we didn't even sit in our living room, because it was at the front
of the house," she said.

She said authorities told the family that any calls from their phone
numbers would be a priority for 911 operators, but she felt if they had to
call 911 it was already too late.

"You lived in fear. Any time there was noise at night, any weird cars
parked in front of your house… just waiting for that other shoe to drop,"
she said.

Six months after the fire, she found out it was part of a crime spree
targeting people who'd parked their vehicles at the Justice Institute of
B.C., and that Cheung had accessed her information by paying an ICBC
employee. That employee was fired but never charged.

When she found out about the breach, she said she felt shocked and then
angered. For half a year, they'd been driving in the same cars in the same
areas, so she felt there had been the potential for another incident.

Years later, Rhonda and her family are still angry with how ICBC handled
the breach that provided her attacker with her home address.

The trailer fire happened in June 2011, the employee was fired in August,
but she wasn't told about the breach by ICBC until December.

ICBC did two reviews, but told CTV News it could not release the findings
due to an ongoing police investigation and civil action.

A representative of the company said it has beefed up its system since the
incident, to better detect anyone accessing information when they shouldn't
be. They also introduced a new software that allows greater flexibility in
restricting access to clients' information.

"ICBC follows strict privacy and information security policy and
procedures," ICBC said in a statement.

"In fact, it was the integrity of our systems which allowed us to uncover
this clear breach of ICBC’s policies and procedures by the former employee."

Rhonda said she may sue ICBC, and a Vancouver lawyer is trying to get a
class action lawsuit certified.

"An employer can be liable for the illegal acts of its employees," lawyer
Guy Collette said.

There was a financial toll for victims who were forced to move, and an
emotional cost to the crimes.

And the 2011 breach was not ICBC's first to be investigated. Just two years
before Cheung's attacks started, the corporation reported to a trial judge
that a claims adjuster had looked up jurors' personal information in an
ICBC database and provided details to the defence in a personal injury case.

ICBC conducted an internal investigation and determined that there had been
five other incidents between 2000 and 2009.

The Office of the Information and Privacy Commissioner of B.C. conducted
its own investigation, and found that ICBC had policies in place to
prohibit jury checking, but that the policies hadn't prevented the breach.

In a report published in October 2009, the OIPC advised ICBC to "focus on
more specific training for claims adjusters and better communication and
awareness of ICBC's privacy policies."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170202/7151f31b/attachment.html>


More information about the BreachExchange mailing list