Canada’s privacy watchdog says somefederal departments have no security procedures in place for recovering, wipingor encrypting lost and stolen BlackBerry smart phones.
The oversight is just one of a laundrylist of potential privacy breaches highlighted by Privacy Commissioner JenniferStoddart in a new government report released Tuesday.
The report examined how fivefederal departments — Canada Mortgage and Housing Corporation, CorrectionalService of Canada, Health Canada, Human Resources and Skills DevelopmentCanada, and Indian and Northern Affairs Canada — dispose of old PCs and managetheir wireless security infrastructure. The five departments represent trendsoccurring throughout other government departments and were chosen because ofthe significant amount of personal data they collect, Stoddart said.
The report found that none of thefive departments had fully assessed the threats and risks associated with smartphones and wireless communications.
Other notable wireless security issues found during theaudit include the lack of any encryption policies for data stored on BlackBerrydevices, the liberal use of BlackBerry’s PIN-to-PIN messaging system amongbureaucrats, and weak password policies for mobile devices.
In an interview with ComputerWorldCanada, Stoddart said wireless security, mobile data encryption andBlackBerry usage policies “just don’t seem to be on the list of priorities” formost government departments.
“I find that very concerning. The implications formistreating personal information are just enormous,” she said.
While the problem is not particular to Canada, she said, her report wasintended to shed light on the potential privacy risks in an attempt to preventa large-scale data breach from occurring. On a positive note, Stoddart said, all fiveorganizations have agreed to respond to the report andwill establish documented procedures for responding to lost or stolen devices.
Government-issued BlackBerry usage also came under fire inthe report, as Stoddart said all five of the government agencies allow the useof BlackBerry Messenger platform.
The report said this direct form of communicationcircumvents the government’s corporate server and, according to CommunicationsSecurity Establishment Canada, “is vulnerable to interception.”
The Communications Security Establishment Canada returned acall to ComputerWorld Canada, butdeclined to comment on the story.
Stoddart said that while these government departments havepolicies that state PIN-to-PIN messaging should only be used in “cases ofemergency,” she widespread usage throughout all departments.
In addition to the wireless audit, Stoddart also expresseddisappointment at the way government agencies disposed of electronic files onold PC hardware.
One “disturbing” example, Stoddart said, occurred after heroffice tested over 1,000 surplus computers that 31 federal departments donatedto the Computers for Schools program. She said over 90 per cent of the federaldepartments donating to the program had failed to properly wipe out all of thedata.
Some of the data uncovered in the audit was so highlysensitive that the PCs had to be returned to their originating departments fora proper data wipe, Stoddart said.
A full list of Stoddart’s findings can be found here.
