The Human Resources and Skills Development department of Canada’s federal public service (HRSDC) has admitted that a veritable treasure trove of Personally Identifiable Information (PII) has gone missing from one of the department’s offices in Quebec.
PII of 250 of the department’s employees and 538,000 Student Loans borrowers has been “lost” on an unencrypted removable hard disk.
Ironically, considering that the glitch happened in Quebec, the missing data excludes borrowers from that province, as well as from Nunavut and the Northwest Territories.
That’s cold comfort, of course, to the 75% of the student borrowing population who are from elsewhere in Canada.
Interestingly, the missing data is historical, from the years 2000 to 2006. In other words, even those students who have already repaid their loans and probably no longer consider themselves customers of HRSDC, and therefore imagine themselves at no risk from an HRSDC data breach, have been affected.
HRSDC reports that “no banking or medical information was included on the portable hard drive,” which is a small mercy. But the missing data does include student names, Social Insurance Numbers (SINs), dates of birth, contact information and loan balances.
SINs, like Social Security Numbers in the USA, are the closest thing to a national ID number that Canada has.
Getting hold of someone’s SIN is clearly a big first step for a cybercriminal.
Indeed, in 2012 the federal government phased out SIN cards, citing identity theft concerns as well as cost.
As the Toronto Globe and Mail pointed out last year:
In light of concerns over identity theft, Mr. Boyd, [Service Canada's Director-General of Service Identity,] said Canadians should be living without [SIN] cards now. "We do not recommend people carry that card with them," he told senators.
The government minister who looks after HRSDC, Diane Finley, has officially expressed her disappointment at what happened here, and vowed some changes:
I have requested that HRSDC employees across Canada receive comprehensive communications on the seriousness of these recent incidents and that they participate in mandatory training on a new security policy to ensure that similar situations do not occur again. Further, I have instructed that the new policy contain disciplinary measures that will be implemented for staff, up to and including termination, should the strict codes of privacy and security not be followed.
Call me a cynic, but I can’t help but notice a touch of “beatings will continue until morale improves” in this comment.
Ms Finley may not mean it that way, but it sounds very much as though you’ll be personally in the firing line if a hard disk is stolen from your desk or your office, whatever else might have happened.
I’m all in favour of employees living up to their responsibilities, but what if your own organisation makes that difficult by not providing an environment in which computer security is easy to do properly?
For example, should it even be possible for you, or any of your colleagues, to make a backup copy of that much data onto a removable drive without encryption?
Encryption, of course, would almost certainly have prevented this problem altogether.
If this sort of risky attitude to data exists in your organisation, would you be considered delinquent in your duty if you were to fail to alert your employer to this risk?
And if someone in your organisation reported a problem like this as a security concern, what would you do?
Would you be happy to ask them simply “to be more careful,” and threaten them with dismissal if they weren’t, or would you take a more holistic view, and try to address the problem by inhibiting the circulation of unencrypted data in the first place?
Gee willickers, I’m not a large organization, and yet I have the good sense to encrypt my personal data. It is truly amazing how some people and companies who handle large amounts of sensitive data have seemingly little respect for it. If anything, they have little awareness of the times we live in.
Wouldn't the encryption slow such massive amounts of data to uselessness? Why not track it? They have no idea what is coming in or out.
While it's true that an encrypted drive could have prevented this, the bigger question is: why was this data allowed on a portable device in the first place? Stronger policies and monitoring of not only who has access to this information but where the information can be stored could have been a better preventative measure to avert such a breach of personal information.
Ms. Finley might feel better now that she has announced her "heads will roll…" policy, but if she's going to point the accusing finger, she should stand in front of a mirror.
What's the difference between organizations that have massive data breaches of the kind reported here and those that don't? Is it luck? Or is it because those that don't have such breaches already have sensible policies in place that minimize the risk of such things happening?
Such policies start from the top down. The higher-ups can roll all the heads they want, but it's nothing more than "deflection technology" — deflecting the blame away from those who failed in their responsibility to manage security properly in the first place. THEY'RE the ones whose heads should roll.
As Napoleon is supposed to have said: There are no bad soldiers, only bad officers.
I was affected by this.
I'm gonna sue the pants off these irresponsible idiots!
There is a class action lawsuit being laid by a lawyer in Newfoundland… Bob Buckingham. I am affected by this breach as well, and I submitted a statement online to this lawyer. We, who are affected, need to call our financial institutions, credit report agencies, etc., to have our identities and credit monitored… This costs time and money. We need to be compensated for this. Keep track of your time and money spent on dealing with this breach issue, and let your lawyer know any physical or emotional effects this process is having on you (i.e. sleeplessness, tiredness, can't perform adequately at work due to lack of sleep). Keep track of every call you make to HRSDC, or other governmental agencies regarding this matter. I myself have encountered a few issues already in regards to trying to place a fraud alert on my credit report. This is going to be a long, slow, tedious process. But start the process ASAP if you want to get the ball rolling for your lawyer.
Hello, I was also affected by this. I called today and they confirmed this; however, I am from Ontario. Would I still be able to contact that lawyer since he is in Newfoundland?
Thanks
Do they at least do backups? It's a shame for a federal agency to fail to protect sensitive data!!!
We all need new social security numbers.
This is the *second* breach of privacy through the loss of data by HRSDC. A few months ago, a USB stick with 5,000 personal records was lost.
The Canadian student loans program does not operate in Quebec where post-secondary education is greatly subsidized, thus the 583,000 borrowers represent 100%, not 75% of the "student borrowing population" in Canada.
Inexcusable that this data was not encrypted, and whoever approved such a course of action without safeguards should be terminated.
What I am most worried about is where government/HRSDC will be when someone uses my identity, which they got from this hard drive, only it's 2 years or 5 years from now, and destroys my credit or, worse, commits crimes using my identification. Get pulled over for a blown taillight and get cuffed and sent off to booking for outstanding warrants?
Try figuring out how you prove it was HRSDC's fault and not something you did. It's not much of a stretch to 100% believe they will instantly use the fact that we can't prove it came from their mistake, and so there you are, left dangling on the hook all by yourself.
As in most organizations, people don't want to be bothered with the hassles of taking extra time to do things right (like ensuring a drive is encrypted). The Federal government security policies require all removable data storage devices to be encrypted. I'm not saying that someone intentionally disobeyed the rules, but there are certainly many times when people are pressured to do things quickly or to skip simple security steps for the sake of a faster turnaround. This happens all the time in every organization; it just doesn't make the news every day.
The upside to this incident is that it is a very good example of what can go wrong when you don't follow the security policies. So the next time your IT Security person gives you a hard time or delays your project because you aren't following the policies, this is exactly why!
It's not even going as far as the encryption… They need to know where their data and devices are. Tapes and disks are moved in and out of the data warehouses every day, and these large corporations are doing nothing to keep track of where their data is at all times.
It would not have happened if the data was well-protected. I know that part of our tax money goes on such things as security. So here is a good question: does it really go there at all? I have strong doubts now. So many personal profiles can have very disturbing financial consequences for the borrowers. I have many times turned to cash borrowing services which do not require faxing, and guess what, everything was ok over there.
This is crazy. How come we don't hear about this kind of stuff in the States? The biggest thing that has happened here is when Apple supposedly got hacked and a lot of users lost their payment information to internet thieves. Do the people in charge of handling this disaster have any type of physical records for these students? Do these records include student debt information, and is that why they tried to delete it?… Crazy.