An Ontario government department has learned the hard way about the need to secure a Web site. The Education ministry has acknowledged that 5,000 unencrypted email addresses of people who had left contact information on a site were recently exposed.
The ministry realized on March 5 there had been a loss of email addresses left by people who went to a site for information on workshops, Nilani Logeswaran, press secretary to Education minister Liz Sandal, confirmed in an interview this morning that. No other personal information was accessed.
The stolen email addresses were then publicly exposed on another Web site, which has since been taken down.
The Ontario Provincial Police and the provincial privacy commissioner are investigating.
As a result of discovering the breach the Education ministry Web site was immediately taken down. As a precaution the Ministry of Training, Colleges and Universities’ Web site was also taken offline. Both are now back online, Logeswaran said.
She couldn’t give details on how the breach was discovered, nor how the attacker got hold of the data other than to say it was by “unauthorized access.”
Logeswaran said the ministry has contacted the people affected in a written letter. “Although the risk is minimal,” the letter says in part, “we ask that you remain vigilant for any emails requesting personal information. The Ministry will never send an email requesting you to provide any personal information.”
Ontario has had a few data breach problems, some due to clumsiness. In 2012 temporary workers for Elections Ontario lost USB sticks with personal information of up to 4 million voters.
According to the Gemalto breach database of publicly-reported intrusions last year, the provincial ministry of natural resources suffered a loss of 15,000 records.