Tax information exposed in trash

Date Reported:
4/6/08

Organization:
Peter Roberts, FCA
CORRECTION - Peter R. G. Roberts

Contractor/Consultant/Branch:
None

Victims:
Clients

Number Affected:
"dozens"

Types of Data:
"names, addresses, tax information, business transactions, and social insurance numbers"

Breach Description:
"The private information of dozens of British Columbians was unearthed from a dumpster in downtown Vancouver and turned over to CTV News over the weekend."

Reference URL:
CTV News

Report Credit:
David Kincaid and Jina You, CTV British Columbia

Response:
From the online source cited above:

The private information of dozens of British Columbians was unearthed from a dumpster in downtown Vancouver and turned over to CTV News over the weekend.

Documents containing names, addresses, tax information, business transactions, and social insurance numbers from several firms in a Howe Street office building were visible by someone having a cigarette in the alley.
[Evan] Not just one firm, but "several firms"!

Many of the documents -- marked with phrases such as "personal and confidential" -- come from the office of Peter Roberts, a well-known accountant.
CORRECTION - [Evan] Mr. Roberts is a director of the Canadian Institute of Chartered Accountants' (CICA) Risk Management and Governance Board.  He has set a very poor example in risk management and governance.

When reached by phone, Roberts said that he put a bag full of the documents in the dumpster on Saturday.

He said he doesn't own a shredder and believed the documents would be safe because the dumpster is secured by a padlock.
[Evan] Not owning a shredder is an absurd excuse.  Heck, you can buy a paper shredder for less than a hundred bucks!

But to Vancouver's large and innovative homeless population, a lock isn't much of a safeguard.

"Guys will bend ... the lids or use rocks to pry them open," said one binner to CTV News.
 
"I watched a guy cut a lock off a bin with bolt cutters and he took 35 cents out of the bin, but the lock cost $19.95," he said.

"Businesses need to know it's not something they should know, it's a legislated requirement that they know," said Valerie MacLean, the executive director of the BCCPA. "They have to protect their clients' and employees' information."

The penalties for breaking the law on protecting privacy can be stiff: individuals face a maximum $10,000 fine, and companies can be fined as much as $100,000.
[Evan] A fine of up to $10,000, loss of customer confidence, bad press, etc., or invest in a $100 paper shredder.  Risk management?

Among the documents found this weekend are:
  • Federal T1 tax return forms from 2003 to 2008, including names, financial details, addresses, and social insurance numbers
  • Federal T1013E forms, which contain names, addresses, social insurance numbers, and telephone numbers
  • Property sales, which include names, addresses, prices paid for the property, and balance owing to solicitors in the deal
  • Consent forms, which include names, addresses and phone numbers
  • Statements of investment income, which include financial details
  • Draft statement of account, including names, addresses, and a detailed breakdown of expenses

Many of the documents appeared to be drafts or copies for records, and as such did not contain signatures. A few of the pages were hand-shredded, but for the most part the documents were intact.
 
One of the pages was a letter from Roberts addressed to the Institute of Chartered Accountants of B.C., which describes itself on its website as a group that fosters public confidence in the profession of chartered accountants.

Victim Reaction:
"Oh my gosh," said one of Roberts' clients, David Weinberg, whose name was on several files.
[Evan] I wonder if this quote may have been edited for public consumption.  I wonder if my reaction would be as politically correct.

"I'll have him either return this to me or assure me that he will be changing his privacy practices going forward to assure that not just this but all of his clients' documents are properly shredded."

Commentary:
Many companies turn to accountants (and accounting firms) for guidance on "IT Audit, Governance & Security", and I question how valuable this guidance is sometimes.  I don't want to discount the information security guidance given by all accountants because to do so would be unfair.  I have seen many cases where an organization has put too much credence in the guidance of unqualified accounting firms.  On the other hand, I have seen some impressive guidance too.  I guess I wouldn't call an information security professional to audit my books or do my taxes, so I don't think I would call an accountant to audit my information security.

Past Breaches:
Unknown


 