Police have begun an investigation into the theft of computer equipment from a Canada Customs and Revenue Agency (CCRA) office which contained information on businesses and individuals, including some social insurance numbers.
Four laptop computers - one of which was acting as a server - and two desktops were stolen on Sept. 4 from the agency's Laval, Que. Tax Services Office. According to CCRA spokesperson Colette Gentes-Hawn, despite the theft's occurrence nearly one month ago, the CCRA waited until Sept. 30 to alert the public in order to figure out exactly what information was stolen.
The CCRA has stated that the databases contained no personal income tax information, and it has reconstructed them in order to recapture any lost data. In a statement, the CCRA said this process has enabled it to assess what information could have been stolen and potentially inappropriately used. The agency said in its statement that the majority of the information contained in the equipment was related to people within the construction industry including contractors and sub-contractors, and could include information such as names, addresses, payments and business numbers. It also stated that the records contained some social insurance numbers.
The government has started to send letters to approximately 120,000 people who might be affected, explaining the situation and advising them on the appropriate steps to be taken.
Gentes-Hawn told IT World Canada that perpetrators gained access to the Laval office by throwing a rock through a window. However, she added that the theft was indeed the result of human error as the main laptop, which held the majority of the stolen information, should have been locked away in a safe room - which it was not.
Revenue Minister Elinor Caplan has ordered the security of all CCRA offices across Canada to undergo additional review, and the CCRA is currently in the process of barring all windows on that particular building.
Despite changes in physical security, the CCRA did not comment on any new measures in terms of IT security. Although the stolen laptop/server was password-protected, the data on the machine was not encrypted. Gentes-Hawn did not know how many CCRA employees had access to the password.
According to Rosaleen Citron, CEO of Burlington, Ont.-based security software firm Whitehat Inc., a "smash and grab" can happen to anybody at anytime, but corporations need to ensure that data is protected. Assets like desktops and laptops can be replaced but information, if placed in the wrong hands, can become dangerous.
"It doesn't matter if it was an old database," Citron said referring to the information held on the CCRA stolen equipment. "The fact is that it had social insurance numbers, addresses, et cetera. That's all you need for identity theft. That's all you need in the black market to get a passport. It's all a terrorist needs to get their hands on."
She explained that a new privacy act coming into place in January 2004 will ensure that corporations secure all data, regardless of age. She strongly recommended that businesses encrypt all data that can be accessed by someone. She said that what has happened in the case of the CCRA is what Whitehat calls the "biological infestation" - essentially, people make mistakes.
"(What you have to do) is take that option away by encrypting," she said. "You have to protect your data and you have to protect the identity and information of your clients."
So far no arrests have been made in the case.
- With files from Cindy Watson, IT World Canada