{"id":226443,"date":"2026-06-04T18:02:00","date_gmt":"2026-06-04T22:02:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/04\/manitoba-ombudsman-blasts-families-department-for-lack-of-cybersecurity-safeguards-after-2024-hack\/"},"modified":"2026-06-05T00:10:15","modified_gmt":"2026-06-05T04:10:15","slug":"manitoba-ombudsman-blasts-families-department-for-lack-of-cybersecurity-safeguards-after-2024-hack","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/04\/manitoba-ombudsman-blasts-families-department-for-lack-of-cybersecurity-safeguards-after-2024-hack\/","title":{"rendered":"Manitoba ombudsman blasts families department for lack of cybersecurity safeguards after 2024 hack"},"content":{"rendered":"<p><a href=\"https:\/\/www.cbc.ca\/news\/canada\/manitoba\/families-cyberattack-disability-services-9.7223984\">Manitoba ombudsman blasts families department for lack of cybersecurity safeguards after 2024 hack<\/a><\/p>\n<p><a href=\"https:\/\/www.cbc.ca\/news\/canada\/manitoba\/families-cyberattack-disability-services-9.7223984\">https:\/\/www.cbc.ca\/news\/canada\/manitoba\/families-cyberattack-disability-services-9.7223984<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-04 18:02:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cbc.ca\">www.cbc.ca<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. Listen to this articleEstimated 5 minutesThe audio version of this article is generated by AI-based technology. Mispronunciations can occur. We are working with our partners to continually review and improve the results.Manitoba&#8217;s ombudsman is criticizing the province&#8217;s families department for a lack of privacy and security safeguards after the personal information of vulnerable people was accessed in a 2024 cyberattack.The 1,361 people were clients of Manitoba&#8217;s Community Living DisAbility Services, the provincial adult disability services program, the ombudsman wrote in a May 28 report.The compromised information included legal names, addresses, day program details, emergency contacts, social insurance numbers, sources of income, personal health identification numbers and other medical information, the ombudsman says.&#8221;The exposure of these categories of information creates a heightened risk of financial loss, identity theft, and damage to reputation or relationships,&#8221; the report says.The information was accessed through a community-based service provider that detected suspicious activity on its systems on Oct. 8, 2024, the report says. The service provider notified the families department of the suspicious activity the next day.A forensic investigation that month confirmed the unauthorized access and transfer of data, concluding the hacker&#8217;s most likely path of entry was the service provider&#8217;s virtual private network, or VPN, the report says.The source of the cyberattack is not shared in the report. The affected service provider is not named but is identified as a non-profit organization with &#8220;minimal funding available for cybersecurity.&#8221;During the ombudsman&#8217;s investigation, the families department said it provided privacy and security guidance to its service providers in 2022 and again in 2025, but the report says that came in the form of a general privacy awareness presentation.The materials shared in that presentation did not establish &#8220;any minimum cybersecurity standards, technical requirements, or performance expectations&#8221; that the department could assess or enforce compliance with, the report says.The department also had no &#8220;structured mechanism&#8221; to oversee the service provider&#8217;s compliance with its privacy and cybersecurity obligations, which &#8220;limited its ability&#8221; to find security risks, the report says.The ombudsman says the department had the authority and a legal obligation to conduct an audit, inspection or technical review of the service provider&#8217;s security safeguards before the cyberattack but did not.&#8221;This is particularly significant given that the service provider holds highly sensitive [information], including medical records and government-issued unique identifiers of adults living with an intellectual disability.&#8221;Earlier notification neededThe ombudsman says the families department does not have its own internal security baseline, cybersecurity policies or vendor management guidelines.&#8221;It is difficult for an organization that has not established a management security standard for itself to establish or enforce a security standard for its service providers.&#8221;Without such policies, the ombudsman says the families department has &#8220;no framework to conduct due care or due diligence of the service provider&#8217;s obligation&#8221; to protect clients&#8217; personal information.Public bodies in Manitoba are legally required to notify the ombudsman and people affected by a privacy breach as soon as &#8220;practicable after the breach becomes known to the head of the public body, if the breach creates a real risk of significant harm,&#8221; the report says.Manitoba Families Minister Nahanni Fontaine says she accepts the ombudsman&#8217;s recommendations and work is being done to update her department&#8217;s privacy policies. (Bryce Hoye\/CBC)The families department told the ombudsman it provided direct notification to people affected by the cyberattack on Nov. 24, 2024 \u2014 one month after it confirmed the incident posed a risk of significant harm, the report says.Earlier notification could have allowed the people affected to take &#8220;more timely steps&#8221; to protect themselves from any potential consequences of the breach, the ombudsman wrote.The department said its notification was delayed by a month for several reasons, including the ongoing forensic investigation and a Canada Post postal strike, the report says.Although there were challenges to provide direct, written notifications, the ombudsman says the department should have considered making indirect notification through a public announcement on its website or the service provider&#8217;s.The report recommends the department introduce its own &#8220;minimum technical safeguards&#8221; in a policy separate from service purchase agreements, which would allow the department&#8217;s minimum cybersecurity standards to be updated on an ongoing basis.The report also recommends the department develop and enforce a structured framework to manage cybersecurity risks for third-party service providers, and review and update its service purchase agreements to ensure they align with current privacy and cybersecurity expectations.The department should also develop and enforce an audit and oversight process for all third-party service providers that handle personal information, the report says.The families department told the ombudsman in late May that it fully accepted all of the recommendations and would provide an implementation plan within 60 days, the report says.Families Minister Nahanni Fontaine said in a written statement to CBC News that she accepts the ombudsman&#8217;s recommendations and work is already being done to update her department&#8217;s privacy policies.<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Manitoba ombudsman blasts families department for lack of cybersecurity safeguards after 2024 hack https:\/\/www.cbc.ca\/news\/canada\/manitoba\/families-cyberattack-disability-services-9.7223984 Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":226444,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/i.cbc.ca\/ais\/4a513812-b201-4854-8119-1eafd783beb3,1773343639816\/full\/max\/0\/default.jpg?im=Crop%2Crect%3D%280%2C77%2C1000%2C562%29%3BResize%3D620","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,35],"class_list":["post-226443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-hacker"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/226443"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=226443"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/226443\/revisions"}],"predecessor-version":[{"id":226445,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/226443\/revisions\/226445"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/226444"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=226443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=226443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=226443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}