RCMP investigating after Ottawa loses data on 583, 000 students

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.ctvnews.ca/politics/rcmp-investigating-after-ottawa-loses-data-on-583-000-students-1.1111415

OTTAWA -- A federal agency has lost a portable hard drive containing
personal information about more than half a million people who took
out student loans -- prompting investigations by the RCMP and the
national privacy watchdog.

Human Resources and Skills Development Canada said Friday the device
contained data on 583,000 Canada Student Loans Program borrowers from
2000 to 2006.

The missing files include student names, social insurance numbers,
dates of birth, contact information and loan balances of borrowers, as
well as the personal contact information of 250 department employees.

Borrowers from Quebec, Nunavut and the Northwest Territories during
this time period are not affected.

No banking or medical information was on the portable device.

Human Resources Minister Diane Finley said she has called on the RCMP
to assist with the incident, "given its serious nature."

"I want all Canadians to know that I have expressed my disappointment
to departmental officials at this unacceptable and avoidable incident
in handling Canadians' personal information," she said in a statement.

In addition, the office of the federal privacy commissioner announced
Friday it would investigate.

It is too early to gauge the magnitude of the lapse, said Scott
Hutchinson, a spokesman for the privacy czar. "Given the numbers the
department has shared, it looks, at the outset, to be pretty big."

Human Resources is sending letters to affected people, for whom it has
current contact information, to advise them on how to protect their
personal information.

A toll-free number has been set up at 1-866-885-1866 (or
1-416-572-1113 for those outside North America) to help people
determine whether they are affected. It will begin taking calls Monday
morning.

"It's definitely unfortunate," said Adam Awad, national chairman of
the Canadian Federation of Students, which received a briefing on the
loss.

"It highlights how easy it is for information in today's age to be
misplaced, to be misappropriated, to be stolen -- if that's what the
case was."

The group is "very appreciative" of the steps taken to deal with the
breach, he added.

The federation was assured that federal officials who deal with social
insurance numbers have been put on alert to watch for activity
concerning the numbers of those whose files have been lost, Awad said.

The loss of the hard drive from an office in Gatineau, Que., came to
light as the department looked into another breach -- a missing USB
key containing the personal information of more than 5,000 Canadians.

The privacy commissioner's office has already begun a probe of that
incident, which was publicized last month.

Human Resources says that while there is no evidence any of the
information in the latest breach has been used for fraudulent
purposes, an extensive search for the hard drive continues.

In her statement, Finley said she had directed officials to take
immediate action to ensure "that such an unnecessary situation" does
not happen again.

She has requested that departmental employees across Canada receive
information about "the seriousness of these recent incidents" and that
they participate in mandatory training on a new security policy.

The new policy immediately bans portable hard drives within the
department. In addition, unapproved USB keys are not to be connected
to the computer network.

All portable security devices will be assessed for the risk they pose,
to ensure that appropriate safeguards are in place.

New data-loss prevention technology -- which can control or prevent
the transfer of sensitive information -- will also be introduced.

Finally, staff will be subject to disciplinary measures, including
possible firing, should privacy and security codes not be followed.

Alyson Queen, a spokeswoman for the minister, said the Mounties were
contacted Monday. "They will determine what further steps are
required."
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.