The Office of the Privacy Commissioner of Canada had to admit last week that it had, uh, lost an unencrypted hard drive containing the personal data of up to 800 current and former federal employees from as far back as 2002.
“I believe this falls under category of #youhadonejob,” tweeted Forrester analyst Cheryl McKinnon, who’s based in Ottawa.
“The office lost an unencrypted hard drive containing employee names, official ID numbers, salary information and details on overtime while moving headquarters in mid-February,” wrote Graham Lanktree in the Canadian newspaper The Star. “Those affected are current or former employees of the Office of the Privacy Commissioner and the Office of the Information Commissioner.”
180 current employees have been informed; another 800 former employees remain to be informed. Well, unless they read about it in the newspaper, apparently.
“IT staff first noticed the drive was missing in mid-March when they had trouble setting up their servers after the move from Ottawa to Gatineau, Que., on Feb. 14,” Lanktree wrote. “It wasn’t until April 9 that they realized the drive contained personal information.”
One does wonder. The agency moved in mid-February, didn’t try to set up the servers until mid-March, and it was almost mid-April before it knew what was on the drive? How did the agency move, load up the back of somebody’s Suburban over a weekend?
The other interesting aspect is that the data, which was only supposed to go back seven years, actually dated back to 2002, which is more like 12 years.
The good news, the agency assures staffers, is that the data is in such a raw form that “only someone with the right software and technical expertise can read it,” Lanktree wrote.
You know, somebody like Simson Garfinkel, who used to hang out on eBay buying up discarded hard drives to see what sort of information he could collect. (For research purposes only. He studies this stuff for a living.)
An internal investigation was supposed to return its findings by April 25 — like, maybe, was the thing lost or stolen or what? — but the Star hasn’t done any follow-up articles and the office has no information on its website yet.
On the other hand, this all transpired a month after the office investigated a loss of a similar hard drive from Employment and Social Development Canada with the personal information of 583,000 student loan recipients.
The official report on that loss is quite hair-raising, noting that “the hard drive was left for periods of time (weeks) without being stored in a locked filing cabinet. Even when stored in the cabinet, the cabinet was not always locked and other employees involved in the data migration project were aware of the location of the keys” and “The access log report for the period of August 2012 — November 2012 revealed that over 200 different employees had access to the CSLP controlled area. ESDC’s review confirmed that all individuals had approved access” and “The information contained on the hard drive was not encrypted and was not protected by a secure password.”
Seriously, though, the investigative report is a thing of bureaucratic beauty, and one can only hope that the agency’s report on its own loss is as thorough. Incidentally, they never found out what happened with the student loan hard drive, either.
That loss “underscores the need to ensure that formal privacy and security policies are more than simply words on paper, an investigation has found,” according to the agency — which apparently needs to take its own words to heart, eh?