BreachExchange mailing list archives

Investigation into massive data breach widens to Justice Department


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 26 Feb 2013 10:20:51 -0500

http://www.ottawacitizen.com/technology/Investigation+into+massive+data+breach+widens+Justice+Department/8014031/story.html

OTTAWA - An investigation into the federal government's loss of
personal information on over 5,000 Canadians has widened to include
the Justice Department.

The loss of a portable data key containing information connected to
Canada Pension Plan disability benefits was initially thought to
involve only Human Resources and Development Canada, which administers
the program.

But those who filed complaints to the privacy commissioner's office
over the data breach are now being told the incident may have included
another department.

"I wish to advise you that it has come to our attention that an
employee from the Department of Justice Canada may also have been
involved in the incident which resulted in the loss of the USB
device," says the letter.

It goes on to inform recipients a complaint against the Justice
Department was filed Jan. 28.

"Our office is therefore investigating both HRSDC and Justice Canada
regarding the incident," says the letter, dated Feb. 14.

A Justice spokeswoman said the department is investigating as well.

"Administrative investigations are underway to determine all the facts
surrounding this matter," Carole Saindon said in an email.

"The Department of Justice is part of the investigations. Justice
Canada takes the protection of privacy seriously," she said.

"It would be inappropriate to comment further while the investigations
are ongoing."

The same day as the letter, senior officials from the Human Resources
Department were before a House of Commons committee testifying about
the breach.

No mention was made of the possibility another department was involved.

The committee was told that the USB key went missing Nov. 16, two days
after it was loaded with unencrypted information on 5,045 people,
including their social insurance number, medical conditions, level of
education and jobs.

The key was handed to an employee working on a secure floor at Human
Resources who used it the next day, but then couldn't find it.

The committee heard that the search for the missing stick included an
employee's home and office, and even a taxi they had taken home the
day after the stick was received.

It was never recovered.

About 10 days earlier, an employee in a different division at Human
Resources had also misplaced an external hard drive — that device
contained student loan information on 583,000 Canadians.

That incident is also under investigation.

A spokeswoman for the privacy commissioner said at this point that
investigation remains focused on Human Resources.

"We've opened a complaint against the Department of Justice in
relation to the incident involving loss of the information stored on
the USB key — not in relation to the other (student loan info)
breach," Anne-Marie Hayden said in an email.

The idea that officials within Justice were looking at people's
medical files raises a host of new questions about what the government
does with people's personal information, said one of the lawyers
involved in a class-action lawsuit against the government.

"Nothing good comes of having the Department of Justice look at your
CPP disability pension application information," said Ted Charney.

Charney said the possibility another department is involved could
change the nature of the lawsuit.

"If it turns out that this personal information has been leaked to a
department who shouldn't have received it, it's an additional breach
of privacy," he said.

"The motives and purpose for that employee getting access to that
information is of very significant concern to us."

Since the two incidents, Human Resources has banned the use of
portable hard drives and unapproved USB sticks.

They have also installed new data loss protection software designed to
keep better tabs on where and how data is being moved around the
department.

"The incidents are unacceptable," Ian Shugart, the department's deputy
minister, told the committee earlier this month.

"Sensitive personal information was stored on unencrypted portable
storage devices and not properly secured. This should not have
occurred."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
