TRENDING:

Canadian Breach: Sorting Out the Cause

Lost Hard Drive Exposed Student Loan Information Jeffrey Roman (gen_sec) • March 26, 2014    
Canadian Breach: Sorting Out the Cause

A new report from the Office of the Privacy Commissioner of Canada says gaps in carrying out security policies led to the exposure of 583,000 records last year at Employment and Social Development Canada, which administers student loans. The breach involved an unencrypted portable hard drive that went missing.

See Also: Keeping Your Side of the Street Clean: 5 Cyber-Hygiene Facts You Wish You Knew Earlier

Compromised information included names, social insurance numbers, dates of birth, contact information and loan balances for borrowers who got loans from 2000 to 2006 through the Canada Student Loans program administered by ESDC, which is responsible for developing, managing and delivering social programs and services.

The report from the privacy commissioner cited weaknesses in information management controls and physical security controls at ESDC. The commissioner also cited shortcomings in employee awareness of department policies and procedures.

"This incident should serve as a lesson for all organizations," says Chantal Bernier, interim privacy commissioner. "Protecting personal information cannot be ensured by having policies on paper. Policies must be put into practice each and every day and monitored regularly."

According to the privacy commissioner's investigation, staff of ESDC's Canada Student Loans Program had used a department-owned, 1 terabyte portable hard drive to make a back-up copy of program information stored in the central computer to ensure its preservation when that data was being transferred between networked drives.

Due to the gaps in departmental practices, ESDC couldn't conclusively identify what information was on the portable hard drive or when it had been last updated, the privacy commissioner's report says.

The privacy commissioner has recommended ESDC take the following mitigation steps:

  • Severely restrict the use of portable storage devices and introduce system software that blocks the use of any such devices on desktop computers without specific authorization; all sensitive or personal information stored on portable devices must be protected by strong technological safeguards, including encryption;
  • Periodically examine portable storage devices to ensure they are being used solely for the authorized reasons;
  • Review all material holdings, dispose of transitory records and classify remaining records at the appropriate security level; and
  • Instigate a new integrated learning strategy that focuses on the protection of personal privacy and includes mandatory participation for all employees and mandatory testing every two years.

The privacy commissioner will follow up with ESDC in one year to measure progress that's been made in implementing the recommendations.

View the privacy commissioner's report.

Previous
Report: VA Needs to Improve InfoSec
Next
Target CFO Grilled in Senate Hearing

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



Around the Network

Addressing Security Gaps and Risks Post-M&A in Healthcare
Addressing Security Gaps and Risks Post-M&A in Healthcare
The State of Security Leadership
The State of Security Leadership
Generative AI: Embrace It, But Put Up Guardrails
Generative AI: Embrace It, But Put Up Guardrails
Critical Considerations for Generative AI Use in Healthcare
Critical Considerations for Generative AI Use in Healthcare
What's Behind Disturbing Breach Trends in Healthcare?
What's Behind Disturbing Breach Trends in Healthcare?
Using AI to Separate the Good Signals From the Bad
Using AI to Separate the Good Signals From the Bad
Why Entities Should Review Their Online Tracker Use ASAP
Why Entities Should Review Their Online Tracker Use ASAP
How Generative AI Will Improve Incident Response
How Generative AI Will Improve Incident Response
Threat Modeling Essentials for Generative AI in Healthcare
Threat Modeling Essentials for Generative AI in Healthcare
Why Connected Devices Are Such a Risk to Outpatient Care
Why Connected Devices Are Such a Risk to Outpatient Care

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.