Service Canada stolen laptop affects more than 1,600
Date Reported:
11/16/07
Organization:
Government of Canada
Contractor/Consultant/Branch:
Service Canada
Victims:
Old Age Security (OAS) clients
Number Affected:
1,623*
*1,192 Old Age Security clients AND 431 spouses.
Types of Data:
Names, addresses, birth dates, social insurance numbers, mother's maiden names, monthly payment amounts, and bank information for direct deposits (routing and account numbers).
Breach Description:
A laptop used by a Service Canada employee containing sensitive personal information about Old Age Security (OAS) clients was stolen at Thanksgiving. An arrest has been made in the theft, but the computer is still missing.
Reference URL:
The Guardian Story
CBC News Story
Report Credit:
CBC News
Response:
From the sources cited above:
Canada's privacy commissioner is investigating after thieves stole a federal government laptop from a public servant's home in Gatineau, Que., putting more than 1,600 people, mainly Atlantic Canadians, at risk of identity fraud.
[Comfyllama] Another stolen laptop containing confidential information without encryption. Although this story is all too common, I hope people are not getting complacent.
The computer contained information relating to 1,192 Old Age Security recipients plus 431 spouses
The computer also contained 'limited' information about some Service Canada and Human Resources and Social Development Canada employees
The information included names, addresses, birth dates, social insurance numbers, mothers' maiden names, monthly payment amounts and bank information for direct deposits
The information was protected by two passwords, but not encrypted.
[Comfyllama] There really isn't a need to even mention password protection because it's an oxymoron.
Police have arrested and charged a suspect, but the laptop is still missing.
An internal investigation is taking place.
"If you had 1,000 drivers licenses, would you leave them in the back of your car or in your trunk? You wouldn't. But people won't stop to think about that when they leave a laptop in their car or in a store and then it's stolen." - Colin McKay, spokesman for the Privacy Commissioner's office
[Comfyllama] I can almost sense the frustration in the comments from the Privacy Commission's statements regarding this and past breaches occurring in Canada.
Service Canada told (Rose) MacDonald the risk of having her identity stolen was low.
[Comfyllama] What type of risk analysis was used to draw this conclusion? Certainly, I would assume that the value of the data, in combination with the ease with which it can be accessed, would raise the risk.
The Privacy Commission is taking the issue very seriously, McKay said.
He said the commission is getting full co-operation from Service Canada in its investigation. The commission wants more encryption on employee laptops so personal information can't be accessed.
[Comfyllama] Absolutely! Encrypt, encrypt, encrypt, but also follow best practices in terms of key management.
Rivard (Martin Rivard, spokesperson for Service Canada) encouraged those clients to take precautionary measures: to verify bank account, credit card and other financial statements and report anything suspicious to the relevant financial institutions; report any disruptions in mail; and contact a credit bureau for a credit report.
[Comfyllama] People should be doing this regularly anyway, so what new advice is this?
Those wanting more information can call Service Canada at 1-.
Victim Reactions:
Rose MacDonald of O'Leary, P.E.I., was shocked to receive a letter from Service Canada earlier this week telling her that her information was on a laptop that was stolen from one of its employees.
"I asked if the building had been broken into, and he said no, an employee brought the computer home," MacDonald said.
"I said, 'You mean to tell me a Government of Canada employee brought a computer out of a Government of Canada building?' And he said, 'Well, she wasn't supposed to.' "
"I feel very threatened that my personal information could leave that building," MacDonald said. "They say the risk is low, but to me, any risk at all is too much."
"Even if the computer is recovered, it doesn't mean the information isn't out there somewhere. So I guess I can never relax about this," she said.
[Comfyllama] This older lady appears to know more about information security than the officials at Service Canada! She makes a very valid point.
"Wouldn't you be worried?", Jean Cornish
"The bank number's there. Why couldn't they get into it?" Jean asked.
Commentary:
Canada, like most governments, creates, collects, and stores some of the most sensitive personal information available. I am a little less understanding of a government that "falls asleep at the wheel" and does not take the proper data security precautions. Falling asleep (for many months) is the only way you can claim that you didn't know that sensitive data at rest needs encryption. In the CBC News story, there are indications that taking sensitive government data home is prohibited, but who can be sure that this is a policy that is widely communicated or followed?
The problems I have with this breach are numerous, but to mention just a couple:
- Sensitive information should not be stored on mobile media (laptops, flash drives, CDs, etc.) unless it is absolutely necessary
- If it is absolutely necessary to store sensitive information on mobile media, it MUST be encrypted and key management MUST be sound