The Human Resources and Skills Development department of Canada’s federal public service (HRSDC) has admitted that a veritable treasure trove of Personally Identifiable Information (PII) has gone missing from one of the department’s offices in Quebec.
PII of 250 of the department’s employees and 538,000 Student Loans borrowers has been “lost” on an unencrypted removable hard disk.
Ironically, considering that the glitch happened in Quebec, the missing data excludes borrowers from that province, as well as from Nunavut and the Northwest Territories.
That’s cold comfort, of course, to the 75% of the student borrowing population who are from elsewhere in Canada.
Interestingly, the missing data is historical, from the years 2000 to 2006. In other words, even those students who have already repaid their loans and probably no longer consider themselves customers of HRSDC, and therefore imagine themselves at no risk from an HRSDC data breach, have been affected.
HRSDC reports that “no banking or medical information was included on the portable hard drive,” which is a small mercy. But the missing data does include student names, Social Insurance Numbers (SINs), dates of birth, contact information and loan balances.
SINs, like Social Security Numbers in the USA, are the closest thing to a national ID number that Canada has.
Getting hold of someone’s SIN is clearly a big first step for a cybercriminal.
Indeed, in 2012 the federal government phased out SIN cards, citing identity theft concerns as well as cost.
As the Toronto Globe and Mail pointed out last year:
In light of concerns over identity theft, Mr. Boyd, [Service Canada's Director-General of Service Identity,] said Canadians should be living without [SIN] cards now. "We do not recommend people carry that card with them," he told senators.
The government minister who looks after HRSDC, Diane Finley, has officially expressed her disappointment at what happened here, and vowed some changes:
I have requested that HRSDC employees across Canada receive comprehensive communications on the seriousness of these recent incidents and that they participate in mandatory training on a new security policy to ensure that similar situations do not occur again. Further, I have instructed that the new policy contain disciplinary measures that will be implemented for staff, up to and including termination, should the strict codes of privacy and security not be followed.
Call me a cynic, but I can’t help but notice a touch of “beatings will continue until morale improves” in this comment.
Ms Finley may not mean it that way, but it sounds very much as though you’ll be personally in the firing line if a hard disk is stolen from your desk or your office, whatever else might have happened.
I’m all in favour of employees living up to their responsibilities, but what if your own organisation makes that difficult by not providing an environment in which computer security is easy to do properly?
For example, should it even be possible for you, or any of your colleagues, to make a backup copy of that much data onto a removable drive without encryption?
Encryption, of course, would almost certainly have prevented this problem altogether.
If this sort of risky attitude to data exists in your organistion, would you be considered delinquent in your duty if you were to fail to alert your employer to this risk?
And if someone in your organisation reported a problem like this as a security concern, what would you do?
Would you be happy to ask them simply “to be more careful,” and threaten them with dismissal if they weren’t, or would you take a more holistic view, and try to address the problem by inhibiting the circulation of unencrypted data in the first place?
Want to try Sophos Free Encryption?
• Encrypt confidential data simply and easily.
• Share data securely, even without a common IT infrastructure.
• Ideal for business or private use.
Note: click on the image at left for a registration-free download
(Available for Windows only. Sorry about that.)