The Globe & Mail is reporting that approximately 2,700 personal tax files are missing after a Canada Revenue Agency employee did something that appears staggeringly stupid:
2,700 personal tax files go missing after auditor takes work home - The Globe and Mail
... The major breach occurred in early 2006, when an auditor in the agency’s Toronto office asked a government computer technician to download 37,488 of her e-mails and 776 documents onto 16 CDs. The confidential material covered the years 2000 to 2006, and was not encrypted as required by agency rules.
The woman took the CDs home, and allowed a male friend to copy at least one of them to a laptop.
The breach only came to light when the woman produced the CDs during a grievance hearing before the Public Service Labour Relations Board in 2008. She wanted the panel to read a key 2005 e-mail on one of the CDs, in support of her grievance that the CRA had not accommodated her health problems....
I can't imagine the justification for having taken the unencrypted CDs home. Copying them onto another laptop is simply surreal. But then not reporting the breach of any of the taxpayers involved or to the Privacy Commissioner is staggering.
This is further support to my belief that one of the most significant risks to data security is portable data. If employees are given secure remote access to their work data, the possibility of breaches such as this is virtually eliminated.