As Cybersecurity Awareness Month draws to a close, a data breach in Yukon is a reminder there’s a long way to go to make sure employees are cyber-aware in everything they do.
A Whitehorse man who bought a USB stick at a pawn shop plugged it into a computer and found the drive contained confidential case files from the Health and Social Services department of the territory’s government.
The data include confidential case files from the family and children’s services branch, including case assessments, reports, budgets, and personal contact information.
This week, Health Minister Tracy-Anne McPhee said the files were removed from the Health and Social Services system by a former employee, who had “abandoned” their belongings in a storage unit, the contents of which ended up being sold to a local pawn shop. She said the former employee was not authorized to take the information. Between 30 and 60 people were affected, she said.
It’s not uncommon for employees to copy sensitive corporate data to a removable drive, Theo Zafirakos, CISO of Terranova Security, a Laval, Que.-based security awareness training firm, said in an interview. Often employees do it so they can work from home or remotely. “For it to be lost and found by somebody else, it happens, but we don’t hear about it as often,” he said, “perhaps because it may not be announced publicly.”
One of the most infamous incidents, he added, happened in the U.K. in 2017 when a USB stick found on a London street held security details for Heathrow International Airport— including security measures and travel details for Queen Elizabeth.
“We tend to blame technology,” Zafirakos said, “but it’s not technology, but how we use it that is often the trouble.” Staff must be told they can’t copy data onto removable drives, or if they have to, then the data must be encrypted or password-protected.
Some IT departments block the ports of desktop computers with hardware or software so USB devices can’t be plugged in. However, Zafirakos noted staff can get around that by emailing files to a personal email account.
Another solution is the implementation of data loss prevention software, which inventories sensitive data and then detects how it is being used, including if it is being emailed or copied.
It isn’t clear when the data was copied to the USB stick. According to a news report, the Health ministry made changes to its case management system that were fully implemented last November.
“If anybody wants to access that [information], they must access through a secure portal with a password and an identifier,” a department spokesperson told the CBC. Information cannot be seen or removed from those systems without going through that process.
“It could happen to anyone,” Zafirakos said. “It doesn’t mean one organization is less secure than another just because it happened to them. They were lucky … that the data did not fall into the wrong hands.”