Ontario’s privacy commissioner is angry that two people in the provincial elections office disregarded government policy and left unencrypted personal data of over 2 million voters on two USB drives that disappeared in the spring.
“I’m deeply disturbed,” Ann Cavoukian said Tuesday in an interview.
It’s “the largest data breach that has occurred in the province,” she said from either a public agency or a private sector business. The risk, she added, is someone could access personal information and steal peoples’ identities.
It’s not merely a black eye for the province. It’s also an embarrassment because Cavoukain (pictured above) is known around the world as a privacy advocate.
“One of the reasons I was so disturbed is the data on millions of people was not encrypted,” she added.
He told reporters the two drives have names, addresses, gender, birth dates and “any other personal information updates provided to Elections Ontario” by roughly half of people on the voters list last fall, and possibly, whether they voted. What’s not on the drives ae social insurance numbers, health card numbers, drivers licence information, credit card or banking information.
The department has done a “rigorous” search for the drive, Essensa said, and a full investigation by a private law firm and a forensics security firm, an investigation still ongoing. It’s also been reported to the Ontario Provincial Police.
Meanwhile, he’s advising all Ontarians to watch for “potential unusual activity” regarding any transactions with the province, banks, utilities and retailers.
An obviously frustrated Cavoukian said she has issued several orders to provincial civil servants that if data is to be transferred from a provincial computer to a portable device either it has to be de-personalized or encrypted.
However, for some reason neither happened in this instance at Elections Ontario.
A chastened Essensa told reporters that the department’s policies “were not followed” and couldn’t explain why.
However, he tried to suggest that the odds of the data being misused is low. While not encrypted, he said, the data can only be accessed by someone using the department’s propriety management software, he said, or by a person with “fairly advanced programming skills” using “very specialized commercially available software.”
“If you were to put these keys into your computer now there’s no [file] extension that comes on the files. You would not be able to identify exactly what software you would need to utilize them.”
“There is no evidence that copies of personal information on two USB keys have been improperly accessed,” he added, but out of “an abundance of caution” is telling the public now.
However, Cavoukian said she urged Essensa on July 5, when he told her of the incident, to make it immediately public.
It only came to light Monday from a CBC report after Ontario premier Dalton McGuinty and other political leaders were told.
After conducting what Essensa called a “rigorous” internal search and investigation, on May 24 Essensa hired a private law firm and a forensics security firm to take it further. On their recommendation the Ontario Provincial Police was notified on June 13.
Essensa said he didn’t alert the public before because the size of the loss hadn’t been determined.
Two civil servants who had responsibility for the drives “are no longer with Elections Ontario,” he said. Once the investigations are finished other actions may be taken, he added.
“I take this matter extremely seriously,” Essensa told reporters, “and I want to sincerely apologize to all Ontarians for any concern this notification may cause.”
The bumbling wasn’t restricted to the loss of the drives. The investigation by Inkster Inc. – a forensic investigation firm headed by former RCMP Commissioner Norman Inkster – found that the Elections Ontario staff working at the leased building plainly ignored security policies that were explained to them.
–There was encryption software on the USB drives, but no one used it;
–After copying the data from the USB drives to their laptops, staff were using the USB drives to back up data;
–Staff had been told to use Windows’ password and compression software for files on their laptops, but they weren’t regularly doing it;
–Staff might have had the same basic default passwords on their laptops used at the leased facility. They were prompted to change the passwords when work started, but that wasn’t enforced by the operating system;
–“While transfer and back-up procedures were apparently repeatedly reviewed with the staff,” the Inkster report said, “there were no written instructions provided specifying deletion of the data on a USB drive.”
–Staff were verbally told to secure the drives when they weren’t being used – to no avail.
“It’s definitely a corporate culture problem,” says Jessica Ireland, a security analyst with Info-Tech Research, a story that isn’t uncommon.
“They had the right policies on paper, but I don’t think paper policies can push people to stick with them.”
A data leakage prevention policy should be considered, she said, as well as regular compliance audits to ensure staff are following data security rules. If necessary, the audits can be conducted quarterly.
Essensa said Cavoukian’s office will conduct its own investigation and advice on policy.
Cavoukian, who said she’s “been trying to drum this [security] into users” for some time, noted that “personal information is the currency of Elections Ontario … You have to guard this with your life.”