Cyber Incident Victim: Sohu, Inc.

The Calgary Urban Project Society (CUPS), a charity based in Calgary, experienced a data breach involving unauthorized access to a staff member’s email account during the fall of 2021. The breach was confirmed by CUPS in communications with Global News, though the exact date of discovery remained unspecified in available reporting. The compromised email account contained sensitive personal information belonging to clients, including former client Michael Friesen. Exposed data types included driver’s license details, bank statements, and rent reports, indicating the breach involved financial and identity documentation. CUPS initiated an investigation upon detecting the intrusion and took steps to secure the affected email account. The organization asserted its response adhered to appropriate protocols, though it did not publicly disclose specific containment measures or forensic findings.

CUPS notified Michael Friesen of the breach via email on May 25, 2022, approximately seven months after the initial compromise. Friesen expressed concern over the delayed notification, questioning why the charity took significant time to alert affected individuals despite the sensitivity of the exposed data. The breach notification did not specify the total number of impacted clients or whether external cybersecurity experts were engaged during the response. CUPS maintained that its actions were proportionate to the incident, though no further details regarding remediation efforts or enhanced security controls were provided. The incident exposed individuals to potential identity theft, financial fraud, and misuse of personal documents due to the nature of the compromised data. Friesen’s case highlighted tensions between organizational incident response timelines and affected parties’ expectations of prompt disclosure.