Data breaches seem to occur all too often, and while some attacks are unavoidable, others are simply unacceptable. The loss of a hard drive at Canada’s Human Resources and Skills Development department is a case of the latter.
The Canadian Press reported that a portable hard drive containing the personal information of more than 500,000 people who took out student loans was left unsecured and had neither password protection nor encryption. To make matters worse, the employees responsible for handling the device were unaware of the sensitivity of the data stored on it.
The privacy commissioner’s office opened its investigation in January 2013, two months after the hard drive had been reported missing. The drive had been kept in a locked filing cabinet inside an employee’s cubicle, in an envelope hidden under suspended files.
Human Resources and Skills Development Canada acknowledged last year that the drive held data on 583,000 Canada Student Loans Program borrowers over a six-year period from 2000 to 2006.
The missing files include student names, social insurance numbers, dates of birth, contact information and loan balances. The personal contact information for 250 department employees was also included in the breach, and further investigation into the matter reveals that borrowers’ gender, language or marital status may also have been compromised.
Privacy commissioner Chantal Bernier found that department employees had violated sections of the federal Privacy Act that govern the use, disposal and disclosure of personal information.
The department has thus far found no evidence of fraudulent use of the personal data.
According to the privacy commissioner’s report, the Canada Student Loans Program had used the one-terabyte hard drive as a backup copy of program information held on the central computer, to preserve it while the department was transitioning between networked drives.
Breaches of this nature are as embarrassing as they are unacceptable, and the privacy commissioner recommended the following actions:
- Severely restrict the use of portable storage devices and introduce system software that blocks unauthorized use of such devices on desktop computers
- Periodically examine portable storage devices to ensure they are being used only for legitimate reasons
- Review holdings, disposal of transitory records and classification of remaining records at the appropriate security level
- Institute mandatory training on personal privacy protection, with testing every two years
The hard drive has yet to be recovered. Had its contents been encrypted, losing the physical device would not have exposed the data it held.