BreachExchange mailing list archives
Canadian Voters Hit by Massive Security Breach
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 19 Jul 2012 01:14:55 -0400
http://www.esecurityplanet.com/network-security/canadian-voters-hit-by-massive-security-breach.html

As many as 2.4 million voters' names, genders, birthdates and addresses were exposed.

Elections Ontario yesterday announced that two USB drives were lost that contained information on as many as 2.4 million Canadians.

"In a statement [PDF file] issued July 17, Chief Electoral Officer Greg Essensa says that the two USB keys contained information on voters in 20 to 25 electoral districts," writes GovInfoSecurity's Jeffrey Roman. "There are 107 electoral districts in Ontario. A spokesperson for Elections Ontario says some laptops used by staff were not connected to the organization's network, so the USB drives were used to transfer information among those laptops. The potentially compromised information includes full name, gender, date of birth, address, as well as administrative codes used solely for election purposes and any other personal information updates provided to Elections Ontario by voters during the last election period, the statement says."

"Elections Ontario stressed that protocol was not followed in this instance," writes The Globe and Mail's Caroline Alphonso. "Its policies dictate that USB keys must be password protected and encrypted if they carry personal information, and that the keys must be in the custody of staff at all times. In this particular case, two staff members, who were working in a warehouse in late April updating the permanent register of electors for Ontario, did not follow the rules. The two were supposed to secure the USB keys at the end of the work day, but failed to do so. The next morning when they returned to work, the keys were gone."

"That prompted Elections Ontario to conduct a search, an internal investigation and then a third-party review," writes The Toronto Sun's Debora Van Brenk. "Forensic security firm Inkster Incorporated discovered several flaws, including that standard data-security steps had been overlooked or ignored; encryption software available on the drives hadn’t been activated; and information was often transferred back and forth between secure laptops and insecure portable drives. In addition, all staff members shared the same default password until after the USB sticks went missing -- something Inkster called 'a poor practice and a security risk.'"

"The agency is recommending that voters in the affected districts monitor and verify their personal transaction statements from governments, financial institutions, businesses and other institutions to detect any unusual activity," Infosecurity reports.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/