BreachExchange mailing list archives

Privacy breach at education ministry has similarities to UVic theft of 2012
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 24 Sep 2015 18:40:51 -0600

http://www.vancouversun.com/opinion/columnists/vaughn+palmer+privacy+breach+education+ministry/11385714/story.html

When the education ministry confessed this week to misplacing a massive
amount of personal information on students, parents and teachers, the news
brought a predictable expression of dismay from the privacy watchdog.

“It is deeply concerning to learn about another case of a major privacy
breach involving unencrypted data,” said Information and Privacy
Commissioner Elizabeth Denham. “Especially troubling, given that the
education records on the external hard drive contained the personal
information of more than three million students.”

Denham ruled out further comment pending the completion of her
investigation. But she’s warned government many times to take stronger
measures to secure the vast amount of personal information in its custody
and one past report of hers in particular suggests where she’s likely to
come down in this case.

Back in January 2012, thieves broke into the main administrative building
at the University of Victoria and made off with a safe containing a digital
storage device with social insurance numbers, banking information and other
sensitive data on some 12,000 current and former employees.

The theft precipitated major concerns about identity theft and outright
plundering of bank accounts. The university would eventually spend millions
tightening security, monitoring bank accounts and making good on some
apparent thefts.

But as Denham found in a report issued in spring 2012, the episode was as
“unfortunate” as it was “preventable.”

The university was storing too much information on current and former
employees in one portable device. “It is vital that public bodies limit the
amount of personal information stored on mobile electronic devices to the
minimum necessary for current operations, frequently review what is being
stored and delete unnecessary information.”

The data was not protected in any way. “Laptops and other mobile storage
devices are, by their very nature, intended to be moved from location to
location. However, their portability increases their vulnerability to being
stolen or lost. These electronic devices require more extensive security
protection, including encryption, when storing personal information on
them.”

The device itself was not sufficiently secured in a physical sense. “The
anchors were not appropriate to prevent the safe being dislodged, and the
thieves were able to remove it. The university staff did not make a
decision to alarm the premises (despite) the amount of personal information
housed there.”

Each of the foregoing concerns is at play in the breach involving the
ministry of education. The personal information on the missing storage
drive spanned decades and covered everything from course grades to medical
problems to child custody arrangements. None of it was encrypted. And the
drive itself was idly stored in a warehouse in such a way that it is
nowhere to be found.

Another possible concern involves an apparent delay in notification. The
privacy commissioner was promptly advised of the UVic theft the day after
it was discovered. Whereas the education minister began a systematic search
for the drive on Aug. 28, but Denham wasn’t advised it was missing until
this past Friday, after the passage of three weeks.

She’s long pressed for legislation to require prompt and mandatory
reporting to her office of all data breaches. This may well provide an
opportunity for her to renew the call.

In announcing the breach Tuesday, cabinet minister Amrik Virk, whose
bailiwick includes responsibility for privacy protection, tried to reassure
the public that the risk of an actual breach of privacy is “low” and went
on to characterize what happened as “a mistake.”

But the government can only guess at the risk of a breach because it
doesn’t know the whereabouts of the drive. Nor can the failure to encrypt
the data and store it properly be minimized as “mistakes.”

For as Denham emphasized in reporting on similar lapses in the UVic case,
privacy legislation imposes a specific and serious obligation on
government: “A public body must protect personal information in its custody
or under its control by making reasonable security arrangements against
such risks as unauthorized access, collection, use, disclosure or disposal.”

Or as the privacy watchdog herself defines the obligation: “To meet the
reasonableness standard for security arrangements, public bodies must
ensure that they have appropriate administrative, physical and technical
safeguards. The measure of adequacy for these safeguards varies depending
on the sensitivity of the personal information, the medium and format of
the records, how the costs of security are estimated, the relationship
between the public body and the affected individuals and how valuable the
information might appear to someone intending to misuse it.”

Turning to what she regarded as the “critical message” from the UVic
episode, Denham underscored how the failure to take all reasonable methods
to protect privacy had harmed the employees as well as the reputation of
the institution itself.

“A privacy breach of this magnitude has a significant negative impact on
the many individuals affected,” she wrote. “Affected individuals are
concerned with the potential for bank fraud and identity theft; the trust
they have placed in the organization to properly secure their personal
information has been damaged.”

In short, what happened at UVic was a breach of privacy, of public trust,
and of obligations under the law. I’ll be surprised if the commissioner
doesn’t reach a similar conclusion regarding the ministry of education.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 