The federal government suffered a record-high 256 data breaches during the 12 month period ending March 31, the privacy commissioner reported today.
That was up from 228 breaches reported in the same period the year before—which itself was double the number reported a year earlier, commissioner Daniel Therrien said in his annual report to parliament. “As in previous years, the leading cause of breaches was accidental disclosure, a risk which can often be mitigated by more rigorous procedures,” the report said.
Last year marked the first time institutions were required to report data breaches to the privacy commissioner. Until then, reporting was voluntary.
“Many institutions have made some strides to better protect personal information,” Therrien said. “That being said, the breach reports we’ve received, the results of our investigations and our latest audit all suggest there is still much room for improvement.”
“Effectively protecting personal information is a challenge we do not want to minimize,” says Commissioner Therrien. “However, given that Canadians are required to provide very sensitive information to federal departments and agencies, the government’s duty of care is paramount.”
Breaches — not all of which were cyber-related — included:
–A technical glitch allowed American authorities when accessing a case management system at Citizenship and Immigration Canada saw files that five people had been refused visas to visit this country. The glitch was the system had created duplicate files when a person’s immigration status changed — and in these cases the five people had later been given Permanent Resident status in Canada. The refusal file shouldn’t have been disclosed. The flaw was supposed to have been fixed;
–Personal information of more than 1,000 individuals and businesses accidentally delivered to a CBC reporter, who did a story on the event. The information was intended to go to the Administrative Tribunals Support Service of Canada (ATSSC), but got shipped to the CBC due to a mix-up of package cover letters;
–The highly-covered theft of data from Canada Revenue Agency in 2014 by a person who leveraged the Heartbleed vulnerability tp steal 900 social insurance numbers. Stephen Arthuro Solis-Reyes has been charged;
–During the reporting period the CRA realized that in 2012 and 2013 two of its employees improperly accessed almost 340 tax accounts. Staff were disciplined in an unspecified way, according to the report. CRA is strengthening its audit trail process.
The report includes an audit that found gaps in the federal government’s management of portable storage devices, such as memory sticks, are potentially putting the personal information of Canadians at risk. While Ottawa has policies, processes and controls related to portable storage devices, there is significant room for improvement in order to reduce the risk of privacy breaches, the report says.
The audit, which included a detailed examination of 17 institutions, identified a number of concerns, including:
- More than two-thirds (70 per cent) of the institutions had not formally assessed the risks surrounding the use of all types of portable storage devices.
- More than 90 per cent did not track all portable storage devices throughout their lifecycle.
- More than 85 per cent did not retain records verifying the secure destruction of data retained on surplus or defective portable storage devices.
- One-quarter did not enforce the use of encrypted USB storage devices.
- Two-thirds did not have technical controls in place to prevent the connection of unauthorized portable storage devices (for example, privately owned device) on their networks, and more than half (55 per cent) had not assessed the risk to personal information resulting from the absence of such controls.
There were also weaknesses in the security settings to protect data held on smart phones at some of the audited entities. These included, for example, a lack of encryption, strong password controls, or controls to prevent users from installing unauthorized applications.
The audited institutions have accepted all recommendations made in the audit, the commissioners office said.