Police have begun an investigation into the theft of computer equipment from a Canada Customs and Revenue Agency (CCRA) office. The equipment contained information on businesses and individuals, including social insurance numbers.
Four laptop computers – one of which was acting as a server – and two desktops were stolen on Sept. 4 from the agency’s Laval, Que., Tax Services Office. According to CCRA spokesperson Colette Gentes-Hawn, the agency waited until Sept. 30 to alert the public so it could first determine what information was stolen.
The CCRA says the databases contained no personal income tax information, and it has reconstructed them in order to recapture any lost data. In a statement, the CCRA said this process has enabled it to assess what information could have been stolen and, potentially, inappropriately used. The agency also stated that the majority of the information contained in the equipment was related to people within the construction industry, including contractors and sub-contractors, and could include information such as names, addresses, business numbers and social insurance numbers.
The CCRA has started to send letters to approximately 120,000 people who might be affected. It is explaining the situation and advising them on the appropriate steps to be taken.
Gentes-Hawn told ComputerWorld Canada that perpetrators gained access to the Laval office by throwing a rock through a window. However, she added that the theft was indeed the result of human error as the main laptop, which held the majority of the stolen information, should have been locked away in a safe room.
Revenue Minister Elinor Caplan has ordered the security of all CCRA offices across Canada to undergo additional review, and the CCRA is currently in the process of barring all windows on that particular building.
The CCRA did not comment on the possibility of any new IT security measures. Although the stolen laptop/server was password-protected, the data on the machine was not encrypted. Gentes-Hawn said she did not know how many CCRA employees had access to the password.
According to Rosaleen Citron, CEO of Burlington, Ont.-based security software firm Whitehat Inc., a “smash and grab” can happen to anybody at any time, but corporations need to ensure that their data is protected. Assets like desktops and laptops can be replaced, but information, if placed in the wrong hands, can become dangerous.
“It doesn’t matter if it was an old database,” Citron said, referring to the information held on the stolen CCRA equipment. “The fact is that it had social insurance numbers, addresses, et cetera. That’s all you need for identity theft. That’s all you need in the black market to get a passport. It’s all a terrorist needs to get their hands on.”
She explained that the new privacy act coming into place in January 2004 will ensure that corporations secure all data, regardless of age. She strongly recommended that businesses encrypt all data that can be accessed by someone. She said that what has happened in the case of the CCRA is what Whitehat calls the “biological infestation” – essentially people mistakes. “(What you have to do) is take that option away by encrypting,” she said. “You have to protect the identity and information of your clients.”