Canadian Voter Information Missing

USB Keys Potentially Expose Information on Millions
Canadian Voter Information Missing

Two unencrypted USB keys carrying copies of information about voters in Ontario, Canada, are missing, potentially exposing information on between 1.4 million and 2.4 million individuals, according to Elections Ontario officials.

See Also: Why Active Directory (AD) Protection Matters

In a statement issued July 17, Chief Electoral Officer Greg Essensa says that the two USB keys contained information on voters in 20 to 25 electoral districts. There are 107 electoral districts in Ontario.

A spokesperson for Elections Ontario says some laptops used by staff were not connected to the organization's network, so the USB drives were used to transfer information among those laptops.

The potentially compromised information includes full name, gender, date of birth, address, as well as administrative codes used solely for election purposes and any other personal information updates provided to Elections Ontario by voters during the last election period, the statement says. Also on the USB keys was information on whether an individual voted in the October 2011 provincial election.

"The information at issue does not include how an individual voted," Essensa adds.

The USB keys didn't include Social Insurance numbers, Ontario Health card information, driver's license information, telephone numbers, e-mail addresses, credit card or banking information.

Essensa says that there's no indication that the information has been inappropriately accessed.

"Elections Ontario personnel did not follow policy regarding two USB keys containing copies of the voter information," Essensa says. The policy includes ensuring keys with personal information are password-protected and encrypted, and that they remain in the custody of Elections Ontario personnel.

At the time of the breach, employees were working on 49 electoral district files to update the Permanent Register of Electors for Ontario. The 20 to 25 districts affected by the breach were included in those 49 districts, a forensics examination determined.

Breach Response

Elections Ontario has notified the affected voters. A call center has also been set up to answer questions.

An internal investigation is under way to determine the circumstances leading to the missing USB keys. "We engaged external counsel, Gowling Lafleur Henderson LLP, to undertake and guide a full investigation, supported by INKSTER Incorporated, a forensic security specialist firm," Essensa explains.

The incident has also been reported to the Ontario Provincial Police. The Information and Privacy Commissioner is aiding Elections Ontario in a review of the organization's privacy policies and procedures.

Starting July 18, a letter will run in newspapers in the affected electoral districts, "to notify [voters] further of this matter and to recommend what care they should exercise," Essensa says. Individuals should monitor for unusual activity regarding transactions with government, banks, utilities and others, he advises.

By the end of the year, Essensa will give a comprehensive report to the Legislative Assembly, which will highlight the outcomes of the investigation.

Further, external experts are assisting in reviews of all policies, processes, procedures and protocols related to privacy, management, protection of voter information, training, management oversight, accountability and audits. Elections Ontario's strategic framework, infrastructure and management policies also will be reviewed.


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.