VIQ Solutions, a publicly traded Canadian technology company (TSX: VQS) specializing in digital evidence capture, transcription, and content management for the legal and judicial sectors, has disclosed a security incident involving unauthorized access to sensitive legal records by a subcontractor. The breach highlights the growing risk of supply chain attacks and third-party access management failures.

About VIQ Solutions

Headquartered in Ontario, VIQ Solutions provides technology and services to courts, law enforcement agencies, government bodies, and legal firms across North America and internationally. Their platforms handle highly sensitive content including court proceedings, depositions, police interviews, and other legal recordings that require strict confidentiality protections.

The Incident

VIQ Solutions discovered that a subcontractor engaged for transcription services had accessed legal records beyond the scope of their authorized work. The subcontractor, who had been granted access to specific files for transcription purposes, exploited insufficient access controls to view and download a broader set of sensitive records.

The unauthorized access was detected through anomalous activity alerts in VIQ's access monitoring systems. Investigation revealed that the subcontractor had been accessing files outside their assigned scope for several weeks before detection.

Data at Risk

The sensitive nature of the accessed records makes this breach particularly concerning:

  • Court proceeding transcripts and recordings
  • Deposition records containing witness testimony
  • Law enforcement interview recordings
  • Legal case files with privileged information
  • Personal information of parties involved in legal proceedings

Unlike typical data breaches involving customer databases, the legal records accessed in this incident carry implications for ongoing court cases, law enforcement investigations, and the privacy of individuals involved in the justice system.

Supply Chain Security Lessons

This incident serves as a stark reminder of the risks associated with third-party and subcontractor access to sensitive systems. Organizations must implement robust third-party risk management programs that include:

  • Principle of least privilege: Granting subcontractors access only to the specific files and systems required for their work
  • Access monitoring: Real-time monitoring and alerting on access patterns that deviate from expected behaviour
  • Regular access reviews: Periodic audits of all third-party access permissions to ensure they remain appropriate
  • Contractual controls: Strong contractual provisions governing data access, handling, and penalties for unauthorized use
  • Background verification: Thorough vetting of subcontractors and their employees who will access sensitive data
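
The least-privilege and access-monitoring items above can be checked mechanically by comparing each subcontractor's file accesses against the files assigned to them. The sketch below is an added example, not VIQ's tooling or anything from the original report; the log format, account names, and file IDs are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed assignment table (hypothetical account and file IDs).
ASSIGNMENTS = {
    "sub-017": {"case-1001/audio-01", "case-1001/audio-02"},
}

# Constructed access-log lines: timestamp, account, action, file ID.
SAMPLE_LOG = """\
2024-03-01T09:12:00 sub-017 view case-1001/audio-01
2024-03-04T22:05:00 sub-017 view case-3310/deposition-07
2024-03-05T22:11:00 sub-017 download case-3310/deposition-07
2024-03-19T23:30:00 sub-017 download case-4102/interview-03
2024-03-20T08:00:00 sub-099 view case-1001/audio-01
"""

def parse(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip malformed lines
            ts, account, action, file_id = parts
            yield datetime.fromisoformat(ts), account, action, file_id

def out_of_scope(log_text, assignments):
    """Group accesses to files outside each account's assignment."""
    findings = defaultdict(list)
    for ts, account, action, file_id in parse(log_text):
        # Accounts with no assignment get an empty scope (default deny).
        if file_id not in assignments.get(account, set()):
            findings[account].append((ts, action, file_id))
    return dict(findings)

def summarize(findings):
    """Per account: event count, distinct files, downloads, days spanned."""
    report = {}
    for account, events in findings.items():
        times = [ts for ts, _, _ in events]
        report[account] = {
            "events": len(events),
            "files": len({f for _, _, f in events}),
            "downloads": sum(1 for _, a, _ in events if a == "download"),
            "span_days": (max(times) - min(times)).days,
        }
    return report

if __name__ == "__main__":
    print(summarize(out_of_scope(SAMPLE_LOG, ASSIGNMENTS)))
```

The span_days value shows how long out-of-scope access ran before review, which is the gap a regular access audit is meant to shorten.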

Regulatory Response

The Office of the Privacy Commissioner of Canada has been notified of the breach. Given the involvement of court and law enforcement records, provincial attorneys general and judicial administrators in affected jurisdictions have also been informed. The incident may prompt a review of security standards required for technology vendors serving the Canadian justice system.

Recommendations

Organizations that rely on third-party service providers for sensitive work should conduct a thorough review of their vendor access controls, implement continuous monitoring of privileged access, and ensure that incident response plans specifically address supply chain compromise scenarios. CyberSafe's consulting services can help organizations build and validate their third-party risk management frameworks.
