BreachExchange mailing list archives
Privacy breach at education ministry has similarities to UVic theft of 2012
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 24 Sep 2015 18:40:51 -0600
http://www.vancouversun.com/opinion/columnists/vaughn+palmer+privacy+breach+education+ministry/11385714/story.html

When the education ministry confessed this week to misplacing a massive amount of personal information on students, parents and teachers, the news brought a predictable expression of dismay from the privacy watchdog.

“It is deeply concerning to learn about another case of a major privacy breach involving unencrypted data,” said Information and Privacy Commissioner Elizabeth Denham. “Especially troubling, given that the education records on the external hard drive contained the personal information of more than three million students.”

Denham ruled out further comment pending the completion of her investigation. But she’s warned government many times to take stronger measures to secure the vast amount of personal information in its custody, and one past report of hers in particular suggests where she’s likely to come down in this case.

Back in January 2012, thieves broke into the main administrative building at the University of Victoria and made off with a safe containing a digital storage device with social insurance numbers, banking information and other sensitive data on some 12,000 current and former employees.

The theft precipitated major concerns about identity theft and outright plundering of bank accounts. The university would eventually spend millions tightening security, monitoring bank accounts and making good on some apparent thefts.

But as Denham found in a report issued in spring 2012, the episode was as “unfortunate” as it was “preventable.”

The university was storing too much information on current and former employees in one portable device. “It is vital that public bodies limit the amount of personal information stored on mobile electronic devices to the minimum necessary for current operations, frequently review what is being stored and delete unnecessary information.”

The data was not protected in any way. “Laptops and other mobile storage devices are, by their very nature, intended to be moved from location to location. However, their portability increases their vulnerability to being stolen or lost. These electronic devices require more extensive security protection, including encryption, when storing personal information on them.”

The device itself was not sufficiently secured in a physical sense. “The anchors were not appropriate to prevent the safe being dislodged, and the thieves were able to remove it. The university staff did not make a decision to alarm the premises (despite) the amount of personal information housed there.”

Each of the foregoing concerns is at play in the breach involving the ministry of education. The personal information on the missing storage drive spanned decades and covered everything from course grades to medical problems to child custody arrangements. None of it was encrypted. And the drive itself was idly stored in a warehouse in such a way that it is nowhere to be found.

Another possible concern involves an apparent delay in notification. The privacy commissioner was promptly advised of the UVic theft the day after it was discovered. Whereas the education minister began a systematic search for the drive on Aug. 28, but Denham wasn’t advised it was missing until this past Friday, after the passage of three weeks.

She’s long pressed for legislation to require prompt and mandatory reporting to her office of all data breaches. This may well provide an opportunity for her to renew the call.

In announcing the breach Tuesday, cabinet minister Amrik Virk, whose bailiwick includes responsibility for privacy protection, tried to reassure the public that the risk of an actual breach of privacy is “low” and went on to characterize what happened as “a mistake.”

But the government can only guess at the risk of a breach because it doesn’t know the whereabouts of the drive. Nor can the failure to encrypt the data and store it properly be minimized as “mistakes.”

For as Denham emphasized in reporting on similar lapses in the UVic case, privacy legislation imposes a specific and serious obligation on government: “A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.”

Or as the privacy watchdog herself defines the obligation: “To meet the reasonableness standard for security arrangements, public bodies must ensure that they have appropriate administrative, physical and technical safeguards. The measure of adequacy for these safeguards varies depending on the sensitivity of the personal information, the medium and format of the records, how the costs of security are estimated, the relationship between the public body and the affected individuals and how valuable the information might appear to someone intending to misuse it.”

Turning to what she regarded as the “critical message” from the UVic episode, Denham underscored how the failure to take all reasonable methods to protect privacy had harmed the employees as well as the reputation of the institution itself.

“A privacy breach of this magnitude has a significant negative impact on the many individuals affected,” she wrote. “Affected individuals are concerned with the potential for bank fraud and identity theft; the trust they have placed in the organization to properly secure their personal information has been damaged.”

In short, what happened at UVic was a breach of privacy, of public trust, and of obligations under the law. I’ll be surprised if the commissioner doesn’t reach a similar conclusion regarding the ministry of education.
Dataloss Mailing List (dataloss () datalossdb org), archived at http://seclists.org/dataloss/