Federal government loses hard drive with information on more than half a million people
January 11th, 2013 - 5:29pm
The Gazette, Posted : January 11, 2013
By Jason Fekete & Tobi Cohen, Postmedia News
OTTAWA — The federal government has called in the RCMP on what could be one of the largest privacy breaches in Canadian history, after losing an unencrypted external hard drive containing the personal information of 583,000 Canada Student Loans borrowers.
The lost hard drive contained sensitive information — including names, social insurance numbers, dates of birth, addresses and loan balances — of more than half a million Canada Student Loans borrowers across the country between 2000-2006.
An employee with Human Resources and Skills Development Canada discovered the hard drive was missing in early November from an office in Gatineau, Quebec, but it took more than two months to investigate internally and ultimately report it publicly to Canadians on Friday.
No banking or medical information was included on the portable external hard drive, which was not approved for use by the federal government. (The file did not contain information of borrowers from Quebec, Nunavut and the Northwest Territories, which manage their own student loan programs).
The information was being used to contact individuals for a survey and was saved onto the external hard drive as a backup storage option, according to federal officials. However, the information was not encrypted — an extra layer of security required by the government — but not followed in this case.
Human Resources Minister Diane Finley has notified the RCMP and federal privacy commissioner of the incident, and is promising stricter new protocols for the security and storage of personal information, following the second privacy breach in a few weeks.
The federal government, however, says it does not have any reason to expect criminal intent with the latest incident, or that the information has been accessed or used for fraudulent purposes. The personal contact information of 250 HRSDC employees was also on the hard drive.
Human Resources and Skills Development Canada discovered the loss of personal information of 583,000 Canada Student Loans borrowers while reviewing a separate incident from late 2012 of a lost USB key that contained the personal information of more than 5,000 Canadians.
“I have expressed my disappointment to departmental officials at this unacceptable and avoidable incident in handling Canadians’ personal information,” Finley said Friday in a news release.
“As a result, I have directed that departmental officials take a number of immediate actions to ensure that such an unnecessary situation does not happen again.”
Employees at HRSDC are no longer permitted to use portable hard drives and unapproved USB keys are not to be connected to the network. The department will also conduct an immediate risk assessment of all portable security devices to ensure “appropriate safeguards” are in place.
All employees will also receive mandatory training regarding the handling of sensitive information, and “disciplinary measures” will be implemented for staff failing to follow protocols — although a spokesperson for the minister wouldn’t say whether the employee in question has been disciplined.
On Nov. 5, the HRSDC employee discovered the external hard drive was missing and began searching for it, but it wasn’t until Nov. 28 that the department security officer was notified.
On Dec. 6, HRSDC discovered that personal information of Canada Student Loans Program clients was on the hard drive. The department then notified the Office of the Privacy Commissioner on Dec. 14.
The incident was ultimately referred to the RCMP on Jan. 7 and details publicly released Friday — more than two months after the federal government first discovered a hard drive was missing.
Alyson Queen, a spokeswoman for the minister, said it took two months to notify Canadians of the privacy breach because it’s a “lengthy and expensive process” to determine exactly what happened and be sure the information was actually lost.
HRSDC says it will attempt to contact all individuals whose information was lost and will send letters to those affected (if the government has current contact information). A toll-free number has been set up for Canadians to call to check if they are affected — 1-866-885-1866 — but the number won’t be operational until Monday.
The RCMP confirmed Friday the matter was referred to the commercial crime section of A Division, the detachment responsible for investigations in the National Capital Region.
Cpl. Lucy Shorey wouldn’t comment on specifics but said the process in a case like this involves evaluating the information provided by the complainant, in this case, HRSDC. The RCMP will conduct interviews to “determine the substance of the allegations,” she said.
“If it is determined that an investigation is not warranted, the RCMP would likely confirm the complainant of its results,” she said.
“If it is determined that an investigation is warranted, one would be initiated but in order to protect the integrity of the investigation, the event evidence, the privacy of those involved, we would not comment during the course of the investigation, and in most cases only in the event of arrest and charges would we provide information to the public.”
Marjolaine Boutin-Sweet, NDP deputy critic on HRSDC matters, said it’s disappointing the government isn’t following its own security protocols when handling sensitive personal information of Canadians.
“That’s too dangerous to let especially that kind of information roam around,” Boutin-Sweet said Friday.
She also can’t understand why it took the government several weeks to notify Canadians of the privacy breach, when most people would want to react immediately to losing, for example, a credit card or social insurance number to help prevent identify theft.
“It would be nice to have a little transparency,” she added. “Even a weekend is too long.”
The Office of the Privacy Commissioner of Canada said Friday it is launching an investigation after being informed by HRSDC that a hard drive was lost.
“The assistant commissioner determined that there are reasonable grounds for a commissioner-initiated complaint against HRSDC to ascertain whether there has been a contravention of the Privacy Act,” the watchdog agency said in a statement hours after the government released details about the breach.
A spokesman for the privacy commissioner said the average investigation takes about seven months and in this case, the commissioner’s role is basically that of ombudsman.
Scott Hutchinson said officials will try to determine what happened. If they conclude a contravention had indeed occurred, a set of recommendations aimed at rectifying the situation may be drafted but Hutchinson noted they’re not binding.
Adam Awad of the Canadian Federation of Students said government officials personally informed his organization of the breach Friday.
He called the loss of unencrypted information “frustrating,” but welcomed the government’s response.
“It seems they are taking this quite seriously,” he said, adding he was pleased to learn both the privacy commissioner and RCMP have been alerted and that new security measures were put in place.
As for how long it took the government to inform Canadians of the breach, he was told that it was only just before the holidays that officials realized how much information was on the lost hard drive and that the response was “adequate given the time of year.”
What the breach really highlights, he said, is the extent to which young people across Canada must go into debt to pay for school.
“It seems indicative of the enormity of the student loan system and how big it’s gotten over the last decade that hundreds of thousands of students rely on student loans to go to school,” he said.
Examples of privacy breaches in Canada:
• Human Resources and Skills Development Canada reported last November that a USB key containing personal information, including the social insurance numbers of about 5,000 Canadians, went missing.
© Copyright (c) Postmedia News
Original source article: Federal government loses hard drive with information on more than half a million people