Friday, January 11, 2013

Government release on the loss of personal information of 583,000 Canadian student loan recipients

Here is the (ironically titled) media release regarding the loss of the personal information of more than half a million Canadians. Note that the government has been aware of this breach for over a month and chose to issue the release on a Friday afternoon. Also note that the "new policy" described suggests that storing this information on an unencrypted portable hard drive was acceptable under the previous policy.

Protecting Canadians' Personal Information at HRSDC

January 11, 2013 13:02 ET

OTTAWA, ONTARIO--(Marketwire - Jan. 11, 2013) - The Honourable Diane Finley, Minister of Human Resources and Skills Development, has issued the following statement regarding the loss of an external hard drive from an HRSDC office in Gatineau, Quebec which contained personal information of 583,000 Canada Student Loans Program borrowers between 2000-2006:

Full details are available in the attached backgrounder.

"I want all Canadians to know that I have expressed my disappointment to departmental officials at this unacceptable and avoidable incident in handling Canadians' personal information. As a result, I have directed that departmental officials take a number of immediate actions to ensure that such an unnecessary situation does not happen again.

"The department will be making every effort to contact the individuals whose information was lost. This includes direct notification to those for whom we have current contact information. I am releasing all details on the breach publicly and we will be working with a number of external partners to ensure that Canadians are made aware of the data loss. The Department is continuing its investigation. The Office of the Privacy Commissioner has been consulted. My office has engaged the Royal Canadian Mounted Police on this matter, given its serious nature.

"I have requested that HRSDC employees across Canada receive comprehensive communications on the seriousness of these recent incidents and that they participate in mandatory training on a new security policy to ensure that similar situations do not occur again. Further, I have instructed that the new policy contain disciplinary measures that will be implemented for staff, up to and including termination, should the strict codes of privacy and security not be followed.

"On behalf of our Government, I want to reassure Canadians that we are serious about protecting their personal information. As Minister, I will ensure that every effort is taken so that HRSDC meets the expectations of Canadians in keeping their information safe and secure."

This news release is available in alternative formats on request.

BACKGROUNDER

In late 2012, the department of Human Resources and Skills Development Canada (HRSDC) informed the Office of the Privacy Commissioner of the loss of a USB key, which contained the personal information of over 5,000 Canadians.

While reviewing this incident, departmental officials learned of a subsequent serious loss of Canadians' personal information.

Although the search is ongoing, an external hard drive has been deemed lost from an HRSDC office in Gatineau, Quebec.

The Department is continuing its investigation. The Office of the Privacy Commissioner has been consulted. The office of the Minister has engaged the Royal Canadian Mounted Police on this matter, given its serious nature.

Details regarding loss of the hard drive

A hard drive containing personal information on 583,000 Canada Student Loans borrowers dated from 2000-2006 has been deemed lost at an HRSDC office in Gatineau, Quebec, although the search is ongoing.

The file contained information including student names, dates of birth, Social Insurance Numbers, addresses and student loan balances from recipients across the country (except Quebec, Nunavut and the Northwest Territories as they manage their own student loan programs). Personal contact information of 250 HRSDC employees was also on the hard drive.

No banking or medical information was included on the drive.

The client information was saved onto an external hard drive as a back-up storage option.

Timeline of events

November 5, 2012: A HRSDC employee discovered that an external hard drive was missing. Search efforts began.

November 28: The Departmental Security Officer was notified.

December 6: Discovery that personal information of Canada Student Loans Program clients was on the hard drive.

December 14: The Office of the Privacy Commissioner was notified.

January 7: The incident was referred to the Royal Canadian Mounted Police.

January 11: Canadian public was informed of the incident.

Process for inquiries and more information

HRSDC is sending letters to individuals affected, for whom we have current contact information, to advise them of the incident and what steps to take to help protect their personal information.

A toll-free number has been set up at 1-866-885-1866 (or 416-572-1113 for those outside of North America) for individuals to verify if they are affected by this incident, and to ask additional questions regarding this issue. Hours of operation will be 8:00 a.m.-8:00 p.m. (EST), 7 days a week, starting Monday, January 14, 2013, for as long as needed.

People with a hearing or speech impairment and using a teletypewriter (TTY) can call 1-800-263-5883. Hours of operation will be 8:00 a.m.-8:00 p.m. (EST), 7 days a week, starting Monday, January 14, 2013, for as long as needed.

All details on this incident and how Canadians can protect their personal information are available at http://www.canlearn.ca/eng/main/spotlighton/privacy/index.shtml

New HRSDC policy for storing secure information

The Minister has directed that the overall policy for security and storage of personal information at HRSDC be strengthened and improved. The highlights are:

  • New, stricter protocols to be implemented immediately. Portable hard drives are no longer permitted. Unapproved USB keys are not to be connected to the network;
  • Immediate risk assessments of all portable security devices used in the Department's work environment to ensure that appropriate safeguards are in place; these assessments will continue on a regular, ongoing basis;
  • Mandatory training for all employees regarding the proper handling of sensitive information, including personal information;
  • Implement new data loss prevention technology, which can be configured to control or prevent the transfer of sensitive information;
  • Disciplinary measures that will be implemented for staff, up to and including termination, should the strict codes of privacy and security not be followed.

2 comments:

Anonymous said...

Potentially both my wife and I are affected by this problem. I think that the federal and provincial (B.C.) government has done a very poor job of one protecting my privacy - has also breached my privacy on at least one occasion by mailing my student loan balance letters to my in-laws when I have never changed my address with them (most current still on file). As a result I think a class action suit be opened in which damages be awarded in general for the amount owed on the student loan itself. It will cost at least this much to repair any current and future damage done, if my personal information is hacked/sold.

Anonymous said...

This is not the first time...a few years ago I requested copies of my original loans and a collection agency who worked to collect the student loans sent me an original which belongs to someone else with all of their private information. I asked to have this reviewed and never received any further contact.