Gov't data stolen from car

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.thestarphoenix.com/news/data+stolen+from/8006032/story.html

The federal agency charged with preventing the flow of money to
organized crime and terrorists had an encrypted laptop, hard copy
reports and an unencrypted USB memory stick stolen in October,
exposing the personal information of patrons to two Alberta casinos,
including how much money they gambled.

The theft of information from the Financial Transactions and Reports
Analysis Centre of Canada is a first for the agency, which has
detailed privacy regulations built into the legislation guiding its
operations.

The encrypted laptop and reports were inside a locked briefcase that
was stolen out of the locked trunk of a rental car in broad daylight
while a FINTRAC employee had left the vehicle in a Calgary parking lot
while apparently going for lunch.

Thefts from parked vehicles is not an unusual occurrence in Calgary,
but a briefing note for Finance Minister Jim Flaherty says it isn't
clear whether the theft was targeted.

Inside the locked briefcase was information on how two casinos and a
"dealer in precious metals and stones" report transactions to FINTRAC
and how they keep client information, in accordance with federal laws
combating money laundering and terrorist financing. There was no
credit card or bank account information stolen, but other personal
data on Canadians were on the pages of the reports that went missing.

"This theft included personal information, such as name addresses,
date of birth and occupation, as well as the reference numbers of
government issued identification documents used to ascertain the
identity of patrons," the ministerial note reads. "It also includes
data such as the amounts patrons may have spent or received while at
the casinos."

A spokesman for FINTRAC said Friday that the laptop contained
information on about 480 people, with about 290 more on the USB key or
in the reports. Spokesman Darren Gibb said all 777 individuals
affected by the breach were notified through registered letters sent
in early November.

Gibb said the agency believes no one besides authorized staff would be
able to get into the encrypted laptop.

The agency conducted an internal investigation and found "a security
procedure in the use of USB keys was not followed," Gibb said. As for
the employee involved in the incident, Gibb said: "Appropriate
measures have been taken."

Gibb said the agency has changed the way it transports information and
has put in place new technologies to reduce the risk of breaches,
although he couldn't go into detail citing security reasons. Staffs
were also reminded in two memorandums about the department and
government policies about handling and securing information.

© Copyright (c) The StarPhoenix
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.