Service Canada employee loses flash drive
Date Reported:
6/27/08
Organization:
Government of Canada
Contractor/Consultant/Branch:
Service Canada
Victims:
Canadian Residents
Number Affected:
More than 1,500
Types of Data:
Name and Social Insurance Number
Breach Description:
"Service Canada recently sent a letter to 1500 individuals that were affected by a recent incident. It seems that a USB key, containing the names and social security numbers of 1500 Canadians, was lost."
Reference URL:
NowPublic
Radio-Canada (French)
Report Credit:
Radio-Canada, via an email from an informed Breach Blog reader
Response:
From the online sources cited above:
An employee of Service Canada lost, in March, a USB stick containing personal information on more than 1,500 Canadians.
[Evan] This statement was translated from french. An employee of Service Canada lost a flash drive with confidential personal information belonging to more than 1,500 Canadians stored on it. Service Canada is responsible for the security of some very sensitive personal information belonging to thousands (maybe millions) of Canadians. As such, the people that are permitted to access (assuming that role-based access control is enforced at Service Canada) confidential information must be properly trained and made constantly aware of the risks involved with creating, accessing, storing, destroying, and transferring this information. Was this employee aware of the risk of using a flash drive to store this information? If so, then there should be consequences for his/her actions. If not, then Service Canada really needs some help. Training and awareness is only a part of an effective information security program, but it is a very important one. Are flash drives permitted for use at Service Canada? They probably shouldn't be.
The agency sent a letter to the persons concerned to advise them of the situation and to ask them to check their bank accounts, their credit files and the expenditures on their cards.
Among the information contained on the key were the names of persons and their social insurance numbers.
One of the victims wanted to know why the Service Canada data contained on the key, a minidisk drive, were not protected. "They said they did not want to invest to secure customer data," said Queen Fraser.
[Evan] Obviously, this is an unacceptable response and probably one that wasn't authorized.
There are a few problems with this statement of course... First and foremost, Service Canada employees need training in Security incident management and, in particular, in the important aspect of security incident communications.
[Evan] Among many other things, I'm sure.
Second, this means that they are either not aware of Government of Canada security policies or privacy policies as published by Treasury Bord [sic] Secretariat, or they do not care.
The government agency has opened an investigation and added that no identity theft had been reported.
It did not specify whether measures have been taken to avoid another incident.
[Evan] We can only imagine what the current state of information security is at Service Canada. It may be worse than some of us think, and it may be better than others of us think. In my opinion, Service Canada owes a thorough explanation to the victims of this breach and owes detailed assurances to Canadian citizens.
As anyone with some knowledge of IT security practices can tell you, USB keys should not be used to carry delicate, protected or private information.
[Evan] In general, I agree.
If it must be done then, at a minimum, a threat and risk assessment must be done and proper encryption of the data must be used.
[Evan] I absolutely agree. Risk management is critical.
However, most organisations that deal with data that is sensitive, protected under privacy laws such as PIPEDA, commercial trade secrets or of national interest (such as National Defence secrets) AND are serious about IT security would disable floppy disk drives and USB ports on most computers.
[Evan] Most "organisations" should, but unfortunately most do not.
Commentary:
I would like to think that this is an isolated incident at Service Canada, but I don't think that it actually is. I would like to see the Privacy Commissioner of Canada investigate and audit the security program and practices at Service Canada. We'll see if this happens. I don't expect things to change until the people responsible are held responsible.
How does the Canadian government expect the private sector to provide adequate security measures for the protection of personal information if it does not follow best practices and the law itself?
Past Breaches:
Government of Canada:
November, 2007 - Service Canada stolen laptop affects more than 1,600
December, 2007 - Passport Canada web site suffers serious breach
June, 2008 - Canadian farmer personal information on stolen CCGA laptop
Service Canada:
November, 2007 - Service Canada stolen laptop affects more than 1,600
Service Canada's concept of security is a joke. For access to things like EI reporting and account details (including direct deposit details) you simply need to know:
SIN
province
a 4 digit number provided by SC
Mix that up with extremely lax physical security in their offices (I can attest to open floppy and CD drive bays in at least one office I have been in).