What do the Teamsters, Canada and FedEx have in common?
Date Reported: 
5/23/10
Organization:
Saskatchewan Government Insurance ("SGI")
Contractor/Consultant/Branch:
Ministry of Justice
Location:
Saskatoon, SK Canada
Victims:
Unknown*
*The reports only name a FedEx employee and her co-workers, but the breach could extend further.
Number Affected:
"around 25"
Types of Data:
Names and residential addresses
Breach Description:
"A Saskatoon FedEx worker is concerned about a privacy breach where the addresses of around 25 local employees were leaked from Saskatchewan Government Insurance (SGI) to the union trying to organize the global courier service."
Reference URL:
News Talk 980 CJME
The Province
CBC News
Report Credit:
Danny Grummett, News Talk 980 CJME
Response:
From the online sources cited above:
A Saskatoon FedEx worker is concerned about a privacy breach where the addresses of around 25 local employees were leaked from Saskatchewan Government Insurance (SGI) to the union trying to organize the global courier service.
First a little background…
Last year, the Teamsters Union, a labour group that represents blue-collar and professional workers, launched a full-scale campaign to organize Canadian FedEx employees.
Local FedEx employees were soon being approached by union representatives about joining, but many weren't interested
Soon after, employees noticed union representatives writing down employee licence plate numbers in the parking lot
They (FedEx employees) then began receiving mail at home from the union addressed to the owner of the vehicle, which in many cases wasn't the FedEx employee
Gibson, 37, and five other employees asked SGI to investigate what they suspected was a privacy breach.
They were contacted last month by SGI's chief privacy officer with a letter confirming suspicions their personal information was given out inappropriately.
SGI spokesperson Kim Hambleton said the privacy breach was traced to the Ministry of Justice, where it was discovered an employee had given the information to the union.
[Evan] On one hand, it's refreshing to read that a government agency responded to and followed up on a legitimate citizen inquiry. On the other hand, it is troubling to read that there are two government agencies involved in a breach.
Privacy breaches are "very infrequent," Hambleton said.
[Evan] The term "very infrequent" is very subjective. If a breach only happens once in a while, does it imply to some degree that this breach is acceptable? We know as information security professionals that we can't prevent all breaches, so maybe a breach or two once in a while is acceptable. If we can't prevent every breach, we really need to understand the required emphasis on incident management (identification, reporting, containment, investigation, and response).
Third-party agencies such as other government ministries or law enforcement have limited access to information in SGI's database, she said. SGI's extensive database includes customer contact information, driver and vehicle information, and driving history. The majority of agencies only have access to customer names and addresses, Hambleton said.
[Evan] Not terribly sensitive information, but information that needs protection nonetheless.
"We're very clear on what that information should only be used for and can only be used for," she said. "Obviously, if someone chooses to abuse it that is, you know, (unfortunate), but we make it extremely clear on what it is to be used for."
[Evan] "Obviously"?
Ken Acton, assistant deputy minister with the ministry of Justice, said Friday the employee, who worked in a clerical data-entry position, was suspended without pay and upon return was reassigned to a job with no access to the SGI database.
[Evan] Seem reasonable?
The information was provided inappropriately to a friend at the union, he said.
"We take this very, very seriously," he said. "It's really unfortunate."
"In this case there was a mistake made," Acton said. "Do I think our system is flawed? No."
[Evan] Not exactly the response I would hope for. Breaches only happen because there are flaws. Most people mistakenly think of technological systems as "the system". In the field of information security, the "system" is much broader than that. The "system" is made of administrative, physical, AND technological controls. The most significant risks are often posed by flaws in administrative controls, not technological ones. Does Mr. Acton think their system is flawed? No. Do I think that their "system" is flawed? Yep. The most significant flaw in the "system" might be thinking that there is no flaw in the system. Food for thought.
The privacy breach "opens up a can of worms," Gibson said, and suggests personal information may not be as secure as people believe. The mechanisms in place in government for keeping information private need to be examined, she said.
"People have to know about this," she said.
[Evan] Agreed.
Commentary:
Not exactly the most thrilling breach to cite in the return of The Breach Blog, but it was the first one I came across. It's been a while, so be nice ;)
There really isn't much personal risk to the victims of this breach. It's doubtful that they will suffer any serious loss, but what torqued me was the cavalier attitude and lack of principle.
Let's re-cap. A union uses shady practices to get information on people that they are targeting (for membership). No surprise here, but sure would be nice if someone were held accountable there.
Two government agencies involved
No changes coming. The system is supposedly not flawed. Ho hum, business as usual.
Past Breaches:
Unknown
