Yottabytes: Storage and Disaster Recovery

Apr 27 2014   9:30PM GMT

‘You Had One Job’: Canadian Privacy Agency Loses Employee Personal Data

Sharon Fisher

The Office of the Privacy Commissioner of Canada had to admit last week that it had, uh, lost an unencrypted hard drive containing the personal data of up to 800 current and former federal employees from as far back as 2002.

Oops.

“I believe this falls under category of #youhadonejob,” tweeted Forrester analyst Cheryl McKinnon, who’s based in Ottawa.

“The office lost an unencrypted hard drive containing employee names, official ID numbers, salary information and details on overtime while moving headquarters in mid-February,” wrote Graham Lanktree in the Canadian newspaper The Star. “Those affected are current or former employees of the Office of the Privacy Commissioner and the Office of the Information Commissioner.”

180 current employees have been informed; another 800 former employees remain to be informed. Well, unless they read about it in the newspaper, apparently.

“IT staff first noticed the drive was missing in mid-March when they had trouble setting up their servers after the move from Ottawa to Gatineau, Que., on Feb. 14,” Lanktree wrote. “It wasn’t until April 9 that they realized the drive contained personal information.”

One does wonder. The agency moved in mid-February, didn’t try to set up the servers til mid-March, and it was almost mid-April before it knew what was on the drive? How did the agency move, load up the back of somebody’s Suburban over a weekend?

The other interesting aspect is that the data, which was only supposed to go back seven years, actually dated back to 2002, which is more like 12 years.

The good news, the agency assures staffers, is that the data is in such a raw form that “only someone with the right software and technical expertise can read it,” Lanktree wrote.

You know, somebody like Simson Garfinkel, who used to hang out on eBay buying up discarded hard drives to see what sort of information he could collect. (For research purposes only. He studies this stuff for a living.)

An internal investigation was supposed to return its findings by April 25 — like, maybe, was the thing lost or stolen or what? — but the Star hasn’t done any followup articles and the office has no information on its website yet.

U.S. government agencies and medical centers and other private companies have had a problem with this kind of thing, but typically one likes to think better of Canadians.

On the other hand, this all transpired a month after the office investigated a loss of a similar hard drive from Employment and Social Development Canada with the personal information of 583,000 student loan recipients. 

The official report on that loss is quite hair-raising, noting that “the hard drive was left for periods of time (weeks) without being stored in a locked filing cabinet. Even when stored in the cabinet, the cabinet was not always locked and other employees involved in the data migration project were aware of the location of the keys” and “The access log report for the period of August 2012 — November 2012 revealed that over 200 different employees had access to the CSLP controlled area. ESDC’s review confirmed that all individuals had approved access” and “The information contained on the hard drive was not encrypted and was not protected by a secure password.”

Seriously, though, the investigative report is a thing of bureaucratic beauty, and one can only hope that the agency’s report on its own loss is as thorough. Incidentally, they never found out what happened with the student loan hard drive, either.

That loss “underscores the need to ensure that formal privacy and security policies are more than simply words on paper, an investigation has found,” according to the agency — which apparently needs to take its own words to heart, eh?

1  Comment on this Post

 
  • NicoleWH
    Quite spectacular - human error happens, but the follow-up, or lack thereof, is quite astounding. Security is paramount for all businesses and organisations, yet more often than not it seems to be government departments that are guilty of this, here across the pond as well! Good call from McKinnon. It's harder to trust in developing technologies such as cloud storage when traditional storage options prove fundamentally unsecure! One of our key considerations for investment management software at Digiterre is security. As the data privacy debate continues, it's a crucial issue.
