Canadian farmer personal information on stolen CCGA laptop

Date Reported:
6/4/08

Organization:
Government of Canada

Contractor/Consultant/Branch:
Canadian Canola Growers Association (CCGA)

Victims:
Farmers

Number Affected:
~32,000

Types of Data:
"social insurance numbers, bank account numbers and other data"

Breach Description:
"OTTAWA, June 5 (UPI) -- Prairie farmers in Canada are upset the federal government waited two months to tell them a laptop computer containing their personal data was missing."

Reference URL:
Winnipeg Free Press
CBC News
United Press International

Report Credit:
Lindsay Wiebe, Winnipeg Free Press

Response:
From the online sources cited above:

About 32,000 Canadian farmers are on the alert after learning a laptop containing their financial information has been stolen.

The laptop was stolen when a programmer working for the Canadian Canola Growers Association took the machine off-site for routine maintenance.
[Evan] No offense to programmers, but in my experience the ways they use information can be some of the most dangerous threats to information security.  There is no reason for a programmer to EVER have access to confidential production information.  Programmers should only be permitted to work with scrubbed information in a test and/or development environment.

CCGA general manager Rick White described the theft as a classic "smash and grab."
[Evan] Also classic as in another organization that either does not know how or is unwilling to properly secure confidential information.

The laptop has the bank account numbers and social insurance numbers of farmers who applied for Agriculture Canada's advance payments program, which is administered by the CCGA on behalf of the federal government.

Although the theft happened March 30, Canadians weren't sent letters until last week informing them

The federal department has sent letters out to all farmers affected by the theft.

The letter said the laptop was stolen from an undisclosed, remote location in Manitoba.

"We treat this very seriously," White said. "This is an unfortunate incident, a very low-risk one."
[Evan] Mr. White is probably not well versed in risk analysis.  Or incident response for that matter.

the strict security measures being used on the laptop reduce the chances of information being misused, White said.
[Evan] Like what?

"There was a very strong password protection on it, [and] there was a biometric fingerprint reader on it," he said. "That would prohibit anyone other than the user or the person with the password to access the data on the laptop."
[Evan] These are "strict security measures"?  My emphatic answer is NO!  These "strict security measures" are easily bypassed.

but the data was not encrypted
[Evan] The missing piece of the puzzle.  Why go through all of the (self-proclaimed) "strict security measures" and not employ encryption?  What you get with full-disk encryption is pre-boot authentication, and this defeats the boot-to-CD attack.

Agriculture Canada spokesman Sean Malone said there were security features on the laptop, but a sophisticated hacker could likely bypass them.
[Evan] No sophistication required.  A novice could figure it out with Google, a CD, and 15 minutes.

So far, there have been no reports of identity theft among the farmers, the report said.

Pitblado LLP privacy lawyer Brian Bowman said the CCGA and agriculture department deserve credit for notifying people of the breach -- a move not required by Manitoba law.
[Evan] Just because CCGA is not required by law doesn't mean that they deserve any credit for notification.  The information belongs to the victims, not CCGA, and as owners of the information don't you think they should be informed of an incident that has the potential to affect them personally?

Victim Reaction:
"If they're devilish enough to steal a computer, maybe they're devilish enough to do something with the information,"

"What frustrates me is that they've treated this like it's no skin off their back,"

"They've known this since then and they're only getting the letters out now?"

"I don't want to find out a mortgage has been taken out on our farm."

Commentary:
It is bad enough for an organization to lose confidential information on a poorly protected laptop, but what makes this more troubling is the apparent fact that they still view the practice that led to the breach as a low risk.  Clueless and sad.

Past Breaches:
Government of Canada:
December, 2007 - Passport Canada web site suffers serious breach
November, 2007 - Service Canada stolen laptop affects more than 1,600


 