Inside the guard.me data breach
Thousands of KPU students may have had personal health and financial information exposed
As many international students across the country were made aware in early August, Canada-based medical insurance company guard.me was hacked twice this year on May 12 and June 18.
According to the company, an unauthorized third-party illegally breached guard.me’s computer network and accessed personal identifiable information, personal health data, and potentially financial information, reads their website.
Information that hackers may have obtained ranges from well-known data such as names, dates of birth, and email addresses to more sensitive information like health data used for processing claims and banking information for electronic fund transfers.
Navnoor Singh, a third-year KPU student in the computer information systems program, is one of the students concerned about the breaches. Singh received an email from guard.me on Aug. 6 through his KPU email account, which was almost three months after the first hack occurred, and over a month after the second.
Singh says he’s received random spam emails and calls almost daily after receiving the email from guard.me about the breaches. Although he’s unsure if it’s a coincidence or intentional, Singh feels concerned about his information being leaked to unknown sources.
“I felt weird because I usually ignore emails from guard.me. But this was big because [they] talked about privacy and your data security,” says Singh. “‘We do not know the nature or the extent of the breach or whether it has a serious impact or not.’”
“I’m disappointed in KPU because I expected a better reaction because it’s such a big data breach,” he says.
There are thousands of international students enrolled in courses at KPU, and Singh says he wished the school did a better job of explaining the situation to students.
KPU is not the only school where students have been affected by the two data breaches this year. The University of Victoria, Simon Fraser University, and BCIT are a few of the post-secondary institutions affected in the Lower Mainland.
Niagara College, Centennial College, and the University of Guelph are other post-secondary schools affected across the country. guard.me notified each post-secondary institution about the breaches on various dates between July 22 and Aug. 10.
According to the University of Guelph, students who had travel insurance from guard.me between Sept. 2007 to June 2021 may be at risk of having some of their personal information exposed due to the breaches. Other programs like the keep.meSAFE mental wellness student support program and student health and dental insurance plans provided by Gallivan through guard.me were not affected. U of G said affected current and former students should receive a message directly from guard.me.
SFU said in their customer notice that it could take several weeks for all students to be notified due to the high volume of those who were affected.
When Singh told his friends about the breach, he felt they didn’t understand the scope of the incident and what data hackers could be collecting.
Karthik Pattabiraman, an instructor of electrical and computer engineering at the University of British Columbia, says there are two main ways that breaches occur: social engineering attacks and backdoor attacks.
He says engineering attacks are when an employee or someone affiliated with the organization clicks on a link or opens an email sent by a malicious person. After the employee does this, their account credentials automatically get taken over by the hacker, and they are able to get into the system.
A backdoor attack is when hackers avoid the normal authentication process to access a system or network. A hacker will usually install malware — a term for harmful software programs designed to damage or exploit a service, network, or programmable device — and get a foothold into a specific system.
Based on his experience, Pattabiraman says he has seen more of the social engineering attacks because they are easier for the hacker to gain entry into the system.
“Unfortunately, many of us, when we use these services, trust them completely with our personal data. The problem is that in some instances, they collect data that can reveal details about our lives that we don’t want to be made public,” says Pattabiraman.
“When a breach occurs, all this data falls into the attackers’ hands, and they can really do whatever they want with it. Even to the extent of extorting money or blackmailing organizations, and so on.”
Although Pattabiraman says he’s unsure why attackers would target a medical insurance company, he says it may be because the company holds confidential medical information that they believe could either be used to extort people or be sold on the market to unscrupulous actors.
The HIPAA Journal, a site that reports on healthcare and insurance data breaches, conducted a study earlier this year stating that the breaches have become more common over the past 10 years.
Last year, the United States saw more data breaches than any other year reported, with the average number being almost two per day. Between 2009 and 2020, 3,705 healthcare data breaches of 500 or more records have been reported to the HHS Office for Civil Rights in the United States.
Canada has also seen an increase in healthcare data breaches, such as the LifeLabs hack in British Columbia, and three incidents that occurred at three different Ontario hospitals in 2019.
In addition to obtaining confidential medical information, the pandemic could also be a factor for why hackers would see medical insurance companies like guard.me as a target.
“More of us are working from home, and what that means is a lot of resources that were primarily restricted to on-premise workers are now being made available online like system databases with sensitive information, and so on,” Pattabiraman says.
“Attackers can eavesdrop on these meetings and learn confidential details, and once these details are known to the attacker, they can attack the system almost like an insider with very little data.”
As protecting information is becoming more of a challenge because of the pandemic, Carole St. Laurent, associate vice president international at KPU, says she feels confident in continuing the use of guard.me for students due to their response to the breaches.
guard.me reached out to KPU near the end of June to inform the school about the attacks, and St. Laurent says the company has maintained a student-centred approach in helping those who are potentially at risk.
St. Laurent says KPU decided to have guard.me inform the students who were affected by email to ensure they were getting the proper support they needed. After St. Laurent was informed about the breach, KPU reported the breach to the Office of the Information Privacy Commissioner of B.C.
In mid-July, guard.me informed KPU of more details about the breach. By Aug. 9, St. Laurent says guard.me sent out notifications to all affected students at KPU.
For additional protection, guard.me has also reported the breaches to the Canadian Centre for Cyber Security, the Privacy Commissioner of Canada, the U.K. Information Commissioner’s Office, and other authorities.
“It’s very unfortunate that these things happen,” says St. Laurent. “It’s important that students feel that this was taken seriously by KPU and guard.me and we work together and find a way to address all students’ questions and concerns, helping them alleviate any further risk.”
She says KPU, unlike other B.C. universities, is not planning on posting on their website because each affected student was already contacted directly by guard.me.
“The number one point is they reached out to students and students had an opportunity to reach out to them to ask any questions and express any concerns. That line of communication was open to all the students, so they weren’t left out in the dark,” says St. Laurent.
While guard.me reached out to KPU, Singh tried to contact them, but says he didn’t receive a response.
Representatives for guard.me who are involved in the privacy data breaches also did not respond to The Runner’s requests for comment.
Steve Wilson, cybercrime and digital investigator and an instructor at BCIT, says it’s important for people to be aware of breaches because anyone can be a target for cybercrime.
In 2019, BCIT was the first post-secondary institution in Canada to launch a program in industrial network cyber security.
“Everything we do in our lives is being more and more connected to some type of digital media,” says Wilson. “As an individual, you have to understand how you’re using these devices that could potentially impact your life.”
Wilson says health insurance companies like guard.me are a prime target for hackers because “there’s usually a wealth of information,” such as people’s health records, insurance records, medications, and more.
“Imagine if you’re trying to get hired for an organization, but you had a bit of a medical history associated with drug use, or you had mental health issues, and you were taking medications for that,” he says.
“All of a sudden, that information is leaked. Imagine the potential consequences of how that could affect you moving forward and trying to apply for a job somewhere.”
In regards to the guard.me data breach, Wilson says the company offering credit monitoring services to individuals affected for the next year is good for protecting people.
“It’s really interesting how all of this has changed. Facebook had a substantial breach, but everybody still goes back to the platform. It’s becoming almost like white noise. It’s like, ‘Okay, it’s just something we deal with and is part of life now.'”
He says individuals can also protect themselves by attending information events about cyber security, checking their banking accounts for suspicious activity, avoid using the same password, and creating a two-factor authentication if possible, such as an additional passcode.
“It’s a little bit more cumbersome because you have to spend the next 30 seconds to log into your account, but it gives you that added layer of protection,” he adds.
Wilson encourages students to look into the annual cyber security awareness month, held for the entire month of October, to gain more information on how to protect yourself.
“From the post-secondary perspective, October cyber security awareness month is the best thing because it adds that gamification aspect to a lot of these learning opportunities.”
On BCIT’s website, people can take the Cyber Awareness Quiz to test their cyber security knowledge.
Moving forward from the guard.me breaches, Singh hopes KPU students will pressure the university to issue an official statement to outline the progress on addressing the issue, and clearly explain what can happen to the affected students’ data.
“Obviously, it’s done. The data is already out. Nobody can do anything about that,” says Singh.
“What students can do is demand answers, because they deserve that.”
Editor’s note: Navnoor Singh has contributed articles to The Runner in the past.