The largest data breach in the history of the Canada Revenue Agency (our version of the IRS) recently occurred here in Vancouver, but you probably didn't hear about it. Why? The CRA decided that you don't need to know.
According to SC Magazine, a tax inspector in Vancouver, British Columbia is accused of looking at hundreds of taxpayers' records in an apparent attempt to drum up business for a operation she was running on the side. She targeted individuals with a high net worth and leveraged the wealth of information she could extract from the CRA's computer systems.
The CRA discovered the breach nearly 2 years ago and upon investigation found 407 social insurance numbers (like Social Security numbers in the US) written on scraps of paper at the inspector's workstation. She had accessed the tax records for most of these accounts, but was not working on cases related to them.
The CRA said it would not be contacting the taxpayers as there was no threat to their tax details. What?? Someone accessed details of my income, job, address and more than enough information to steal my identity, but I don't need to know? I suppose I don't need to worry as I am not a "high net-worth individual," but something about this whole incident stinks.
The good news? Apparently they have strict audit and log controls to know exactly what this woman was up to. Now if only they would use this information to partner with the victims instead of sweeping the incident under the rug, we could celebrate instead of criticize.
If you handle Personally Identifiable Information (PII), the use of encryption and strict auditing is a great one-two punch for prevention and incident response. Sensitive data should always be stored in an encrypted format and only be accessible to parties with a need to know. If, like the CRA, you end up with a bad apple, at least you will know who, how, and when the information was accessed in case you need to step up and face the music. Maybe the CRA could teach the US military a few tricks.
Creative Commons image courtesy of alacleaver_2000's Flickr photostream.