USB flash drive

Data Breach investigation widens to Justice Department

April 10th, 2013

An investigation for reviewing the federal government’s personal data loss took place on over 5,000 Canadians. This has lead to include the Justice Department as well.

There has been a loss of a portable data key which contained the data connected to Canada Pension Plan disability benefits. At first, it was thought to involve the program administered by only Human Resources and Development Canada.

Also, it was told to the victims of the data breach, who had filed their complaints to the privacy commissioner’s office that the incident may have included another department as well.

“I wish to advise you that it has come to our attention that an employee from the Department of Justice Canada may also have been involved in the incident which resulted in the loss of the USB device,” says the recovered letter.

It goes on to inform the recipients of a complaint that was filed against the Justice Department on Jan. 28.

“Our office is therefore investigating both HRSDC and Justice Canada regarding the incident,” says the letter, dated Feb. 14.

It was also found that the justice department too investigating the matter, said a spokeswoman in the department.

“Administrative investigations are underway to determine all the facts surrounding this matter,” Carole Saindon said in an email.

“The Department of Justice is part of the investigations. Justice Canada takes the protection of privacy seriously,” she said.

“It would be inappropriate to comment further while the investigations are ongoing.”

The same day as the letter was recovered; the senior officials at the Human Resources Department were present before a House of Commons committee vouching for the matters about the data breach.

The committee was told that the key of the USB went missing since last year, and two days later it was loaded with unencrypted data and information on 5,045 people, which included social security numbers such as social insurance number, medical conditions, level of education and jobs. To avoid such hazards it is important to enable encryption software in all the networked systems used in organizations.

This USB key was supposed to be handed to one of the employees working on a secure floor at Human Resources who used it the very next day, but later couldn’t find it back.

An employee working in different division at Human Resources also has misplaced an external hard drive earlier – and that the device was supposed to contain the student loan information on 583,000 Canadians which was very confidential. Therefore, the investigation about this incident is ongoing.

At this point, it was told by a spokesperson at the privacy commissioner’s office that the investigations remain aimed at Human Resources.

“We’ve opened a complaint against the Department of Justice in relation to the incident involving loss of the information stored on the USB key – not in relation to the other (student loan info) data breach,” Anne-Marie Hayden said in an email.

Initially, the idea was that the Justice officials were looking at people’s personal medical files which raised a host of many new questions and that what does the government officials do with such personal information, said by a lawyer involved in a class-action lawsuit against the government.

“Nothing good comes of having the Department of Justice look at your CPP disability pension application information,” said Ted Charney.

He also said, there might be a possibility of another department involvement, which could change the nature of the whole lawsuit.

“If it turns out that this personal information has been leaked to a department who shouldn’t have received it, it’s an additional breach of privacy,” he said.

“The motives and purpose for that employee getting access to that information is of very significant concern to us.”

Since the occurrence of these two incidents simultaneously, Human Resources has banned the usage of portable hard disk drives as well as unapproved USB sticks.

Also, they have attempted to install new data loss protection software, i.e., encryption software which is designed to keep better tabs on where and how data is being moved around the department.

The Justice department’s deputy minister Ian Shugart told the committee, “The incidents are unacceptable”, earlier this month.

“Sensitive personal information was stored on unencrypted portable storage devices and not properly secured. This should not have occurred.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta