Canadian Breach: Sorting Out the Cause

Lost Hard Drive Exposed Student Loan Information

A new report from the Office of the Privacy Commissioner of Canada says gaps in carrying out security policies led to the exposure of 583,000 records last year at Employment and Social Development Canada, which administers student loans. The breach involved an unencrypted portable hard drive that went missing.

Compromised information included names, social insurance numbers, dates of birth, contact information and loan balances for borrowers who received loans from 2000 to 2006 through the Canada Student Loans program administered by ESDC, which is responsible for developing, managing and delivering social programs and services.

The report from the privacy commissioner cited weaknesses in information management controls and physical security controls at ESDC. The commissioner also cited shortcomings in employee awareness of department policies and procedures.

"This incident should serve as a lesson for all organizations," says Chantal Bernier, interim privacy commissioner. "Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly."

According to the privacy commissioner's investigation, staff of ESDC's Canada Student Loans Program had used a department-owned, 1 terabyte portable hard drive to make a back-up copy of program information stored on the central computer, so that the data would be preserved while it was being transferred between networked drives.

Due to the gaps in departmental practices, ESDC couldn't conclusively identify what information was on the portable hard drive or when it had been last updated, the privacy commissioner's report says.

The privacy commissioner has recommended ESDC take the following mitigation steps:

  • Severely restrict the use of portable storage devices and introduce system software that blocks the use of any such devices on desktop computers without specific authorization; all sensitive or personal information stored on portable devices must be protected by strong technological safeguards, including encryption;
  • Periodically examine portable storage devices to ensure they are being used solely for the authorized reasons;
  • Review all material holdings, dispose of transitory records and classify remaining records at the appropriate security level; and
  • Instigate a new integrated learning strategy that focuses on the protection of personal privacy and includes mandatory participation for all employees and mandatory testing every two years.

The privacy commissioner will follow up with ESDC in one year to measure the progress made in implementing the recommendations.

View the privacy commissioner's report.

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
