Canadian Breach: Sorting Out the Cause
Lost Hard Drive Exposed Student Loan Information
A new report from the Office of the Privacy Commissioner of Canada says gaps in carrying out security policies led to the exposure of 583,000 records last year at Employment and Social Development Canada, which administers student loans. The breach involved an unencrypted portable hard drive that went missing.
Compromised information included names, social insurance numbers, dates of birth, contact information and loan balances for borrowers who got loans from 2000 to 2006 through the Canada Student Loans program administered by ESDC, which is responsible for developing, managing and delivering social programs and services.
The report from the privacy commissioner cited weaknesses in information management controls and physical security controls at ESDC. The commissioner also cited shortcomings in employee awareness of department policies and procedures.
"This incident should serve as a lesson for all organizations," says Chantal Bernier, interim privacy commissioner. "Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly."
According to the privacy commissioner's investigation, staff of ESDC's Canada Student Loans Program had used a department-owned, 1 terabyte portable hard drive to make a backup copy of program information stored on the central computer, to preserve it while that data was being transferred between networked drives.
Due to the gaps in departmental practices, ESDC couldn't conclusively identify what information was on the portable hard drive or when it had been last updated, the privacy commissioner's report says.
The privacy commissioner has recommended ESDC take the following mitigation steps:
- Severely restrict the use of portable storage devices and introduce system software that blocks the use of any such devices on desktop computers without specific authorization; all sensitive or personal information stored on portable devices must be protected by strong technological safeguards, including encryption;
- Periodically examine portable storage devices to ensure they are being used solely for the authorized reasons;
- Review all material holdings, dispose of transitory records and classify remaining records at the appropriate security level; and
- Instigate a new integrated learning strategy that focuses on the protection of personal privacy and includes mandatory participation for all employees and mandatory testing every two years.
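The first two recommendations above describe a technical control (block removable storage unless specifically authorized, and require encryption for anything that is allowed) plus a periodic check that the control is still in place. The following PowerShell is an added illustration, not code from the article or from the privacy commissioner's report, of how those two controls look on a single Windows desktop. It assumes Windows 10 or 11, an elevated session, and the standard Storage and BitLocker modules; the registry paths and value names are the ones the corresponding Group Policy settings write, and in a department-wide deployment they would be pushed by Group Policy or MDM rather than set machine by machine.

```powershell
# Added example: apply and audit removable-storage restrictions on one Windows host.
# Assumptions: elevated PowerShell on Windows 10/11 with the Storage and BitLocker
# modules present. Policy registry paths mirror the Group Policy settings
# "All Removable Storage classes: Deny all access" and
# "Deny write access to removable drives not protected by BitLocker".

$RemovableStoragePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$BitLockerPolicy        = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-RemovableStorageRestriction {
    # Recommendation 1: block removable storage by default, and make BitLocker
    # mandatory for any removable drive an administrator later authorizes.
    foreach ($path in @($RemovableStoragePolicy, $BitLockerPolicy)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    Set-ItemProperty -Path $RemovableStoragePolicy -Name 'Deny_All' -Value 1 -Type DWord
    Set-ItemProperty -Path $BitLockerPolicy -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord
}

function Test-RemovableStorageRestriction {
    # Recommendation 2: a periodic check that both controls are still configured.
    $denyAll = (Get-ItemProperty -Path $RemovableStoragePolicy -Name 'Deny_All' `
                    -ErrorAction SilentlyContinue).Deny_All
    $rdvDeny = (Get-ItemProperty -Path $BitLockerPolicy -Name 'RDVDenyWriteAccess' `
                    -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    [PSCustomObject]@{
        ComputerName                    = $env:COMPUTERNAME
        RemovableStorageDenied          = ($denyAll -eq 1)
        UnencryptedRemovableWriteDenied = ($rdvDeny -eq 1)
        Compliant                       = ($denyAll -eq 1 -and $rdvDeny -eq 1)
    }
}

function Get-UnprotectedRemovableVolume {
    # Lists attached removable volumes that BitLocker is not protecting. Any row
    # returned is a drive in the same state as the one the report describes:
    # portable, writable, and unencrypted.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mountPoint = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction SilentlyContinue
            if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
                [PSCustomObject]@{
                    MountPoint = $mountPoint
                    Label      = $_.FileSystemLabel
                    SizeGB     = [math]::Round($_.Size / 1GB, 1)
                    Protected  = $false
                }
            }
        }
}

# Usage: apply the policy, then report on this host.
Set-RemovableStorageRestriction
Test-RemovableStorageRestriction | Format-List
Get-UnprotectedRemovableVolume | Format-Table -AutoSize
```

Running Test-RemovableStorageRestriction and Get-UnprotectedRemovableVolume on a schedule, and collecting their output centrally, turns the commissioner's "periodically examine" recommendation into evidence that can be reviewed, which is the gap the report identifies between having a policy on paper and knowing it is being followed.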
The privacy commissioner will follow up with ESDC in one year to measure progress that's been made in implementing the recommendations.