Canadian Voters Hit by Massive Security Breach

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.esecurityplanet.com/network-security/canadian-voters-hit-by-massive-security-breach.html

As many as 2.4 million voters' names, genders, birthdates and
addresses were exposed.

Elections Ontario yesterday announced that two USB drives were lost
that contained information on as many as 2.4 million Canadians.

"In a statement [PDF file] issued July 17, Chief Electoral Officer
Greg Essensa says that the two USB keys contained information on
voters in 20 to 25 electoral districts," writesGovInfoSecurity's
Jeffrey Roman. "There are 107 electoral districts in Ontario. A
spokesperson for Elections Ontario says some laptops used by staff
were not connected to the organization's network, so the USB drives
were used to transfer information among those laptops. The potentially
compromised information includes full name, gender, date of birth,
address, as well as administrative codes used solely for election
purposes and any other personal information updates provided to
Elections Ontario by voters during the last election period, the
statement says."

"Elections Ontario stressed that protocol was not followed in this
instance," writes The Globe and Mail's Caroline Alphonso. "Its
policies dictate that USB keys must be password protected and
encrypted if they carry personal information, and that the keys must
be in the custody of staff at all times. In this particular case, two
staff members, who were working in a warehouse in late April updating
the permanent register of electors for Ontario, did not follow the the
rules. The two were supposed to secure the USB keys at the end of the
work day, but failed to do so. The next morning when they returned to
work, the keys were gone."

"That prompted Elections Ontario to conduct a search, an internal
investigation and then a third-party review," writesThe Toronto Sun's
Debora Van Brenk. "Forensic security firm Inkster Incorporated
discovered several flaws, including that standard data-security steps
had been overlooked or ignored; encryption software available on the
drives hadn’t been activated; and information was often transferred
back and forth between secure laptops and insecure portable drives. In
addition, all staff members shared the same default password until
after the USB sticks went missing -- something Inkster said called 'a
poor practice and a security risk.'"

"The agency is recommending that voters in the affected districts
monitor and verify their personal transaction statements from
governments, financial institutions, businesses and other institutions
to detect any unusual activity,"Infosecurity reports.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.