Ontario’s privacy commissioner is angry that two people in the provincial elections office disregarded government policy and left unencrypted personal data of over 2 million voters on two
USB drives that disappeared in the spring.
“I’m deeply disturbed,” Ann Cavoukian said Tuesday in an interview.
It’s “the largest data breach that has occurred in the province,” she said from either a public agency or a private sector business. The risk, she added, is someone could access personal information and steal peoples' identities.
It’s not merely a black eye for the province. It’s also an embarrassment because Cavoukain (pictured above) is known around the world as a privacy advocate.
“One of the reasons I was so disturbed is the data on millions of people was not encrypted,” she added.
Elections Ontario isn’t exactly clear what’s on the drives, according to
chief electoral officer Greg Essensa – or whether the drives were stolen or are merely missing.
(Photo by IT World Canada)
He told reporters the two drives have names, addresses, gender, birth dates and “any other personal information updates provided to Elections Ontario” by roughly half of people on the voters list last fall, and possibly, whether they voted. What's not on the drives ae social insurance numbers, health card numbers, drivers licence information, credit card or banking information.
But after several months of investigating it still isn’t sure what names were on the drives. It believes they covered 20 to 25 of the 49 electoral districts being worked on by staff at the time.
RELATED CONTENT
Even forensic experts hired by the department can’t figure out which ridings were on the drives.
The department has done a “rigorous” search for the drive, Essensa said, and a full investigation by a private law firm and a forensics security firm, an investigation still ongoing. It’s also been reported to the Ontario Provincial Police.
Meanwhile, he’s advising all Ontarians to watch for “potential unusual activity” regarding any transactions with the province, banks, utilities and retailers.
An obviously frustrated Cavoukian said she has issued several orders to provincial civil servants that if data is to be transferred from a provincial computer to a portable device either it has to be de-personalized or encrypted.
However, for some reason neither happened in this instance at Elections Ontario.
A chastened Essensa told reporters that the department’s policies “were not followed” and couldn’t explain why.
However, he tried to suggest that the odds of the data being misused is low. While not encrypted, he said, the data can only be accessed by someone using the department’s propriety management software, he said, or by a person with “fairly advanced programming skills” using “very specialized commercially available software.”
“If you were to put these keys into your computer now there’s no [file] extension that comes on the files. You would not be able to identify exactly what software you would need to utilize them.”
“There is no evidence that copies of personal information on two USB keys have been improperly accessed,” he added, but out of “an abundance of caution” is telling the public now.
However, Cavoukian said she urged Essensa on July 5, when he told her of the incident, to make it immediately public.
It only came to light Monday from a CBC report after Ontario premier Dalton McGuinty and other political leaders were told.
Elections Ontario, which prepares voters lists and logistics for every provincial election, was updating the voter registry at a leased building in the Toronto suburb of Scarborough in April instead of the usual secured premise. The temporary location was needed because the Oct. 6, 2011 election resulted in a minority government, which meant Elections Ontario had to prepare for the possibility of another election soon. That included updating the permanent voter registry.
According to a preliminary report, the building was protected with an electronic alarm from a bonded alarm security company. Authorized staff needed a key and a unique code.
Because the building wasn’t connected to the provincial network, some data had to be transferred to any of the 17 laptops in the building by staff on data sticks. “It was a unique situation,” Essensa said. Elections Ontario rules specified the drives had to be encrypted, password protected and locked up.
Staff worked in the building on April 23, then told not to report the next day becasue mold had been founnd. On April 25 some staff were back in the building and discovered the USB drives were in the open. "Following the use of these USB drives," the report says "the staff left them unsecured in the facility." They were reported missing April 27.
After conducting what Essensa called a “rigorous” internal search and investigation, on May 24 Essensa hired a private law firm and a forensics security firm to take it further. On their recommendation the Ontario Provincial Police was notified on June 13.
Essensa said he didn’t alert the public before because the size of the loss hadn’t been determined.
Two civil servants who had responsibility for the drives “are no longer with Elections Ontario,” he said. Once the investigations are finished other actions may be taken, he added.
“I take this matter extremely seriously,” Essensa told reporters, “and I want to sincerely apologize to all Ontarians for any concern this notification may cause.”
In addition to the forensic and police investigation, Essensa has ordered an immediate and comprehensive review by external bodies of Election Ontario security policies as well as its technology.
The bumbling wasn’t restricted to the loss of the drives. The investigation by Inkster Inc. – a forensic investigation firm headed by former RCMP Commissioner Norman Inkster – found that the Elections Ontario staff working at the leased building plainly ignored security policies that were explained to them.
--There was encryption software on the USB drives, but no one used it;
--After copying the data from the USB drives to their laptops, staff were using the USB drives to back up data;
--Staff had been told to use Windows’ password and compression software for files on their laptops, but they weren’t regularly doing it;
--Staff might have had the same basic default passwords on their laptops used at the leased facility. They were prompted to change the passwords when work started, but that wasn’t enforced by the operating system;
--“While transfer and back-up procedures were apparently repeatedly reviewed with the staff,” the Inkster report said, “there were no written instructions provided specifying deletion of the data on a USB drive.”
--Staff were verbally told to secure the drives when they weren’t being used – to no avail.
“It’s definitely a corporate culture problem,” says Jessica Ireland, a security analyst with Info-Tech Research, a story that isn’t uncommon.
“They had the right policies on paper, but I don’t think paper policies can push people to stick with them.”
A data leakage prevention policy should be considered, she said, as well as regular compliance audits to ensure staff are following data security rules. If necessary, the audits can be conducted quarterly.
Essensa said Cavoukian’s office will conduct its own investigation and advice on policy.
Cavoukian, who said she’s “been trying to drum this [security] into users” for some time, noted that “personal information is the currency of Elections Ontario … You have to guard this with your life.”