Thursday, July 18, 2013

"Prime Minister's Office urgently requires professional dumpster divers no experience necessary ..... $15,000 plus all you can eat. Apply within!"

Bureaucrats, federal departments considered dumster divers to retrieve lost data emails show

By Jordan Press, Postmedia News
Thursday, July 18, 2013
Recent high-profile data breaches at Human Resources and Skills Development Canada have put the federal government's handling of personal information under the microscope. (Photogrph by: Aaron Lynett/Postmedia File, Postmedia News)

OTTAWA — Senior bureaucrats in two federal departments considered paying $15,000 for professional dumpster divers as part of efforts to find a missing USB key containing sensitive, personal information of more than 5,000 Canadians.

Managers in Human Resources and Skills Development Canada also considered “burning” the garbage — hoping to destroy the USB key if it was inside — to avoid repercussions over the data loss, according to emails released to Postmedia News under the access to information law.

“Bryan is looking (at) burning the garbage so if USB key is there this will protect the department (from) impact or ‘repercussion,’” reads a Nov. 23 email from Jeanne Dufour, a corporate security manager at Service Canada.

Both ideas were eventually scrapped. Hiring trash sorters cost too much, officials concluded, and there was no “incineration capacity” in Ottawa, the emails say.

Those emails also suggest investigators felt there was evidence of “malicious intent” in the loss, but department officials told Postmedia News the note in a security officer’s email was a typo and no wrongdoing was suspected.

The USB key was last seen around 6:20 p.m. on November 15. According to a department security report, the lawyer who last had the device told investigators she last remembered leaving it on her desk. She locked the door to her office and it remained locked until she returned to work around 8:40 a.m. on November 16. When she arrived for work, the USB key was missing.

She did not recall taking the USB stick from the office, the security report says. To be sure, her home and a taxi she rode in were searched, but the device wasn’t found.

The department sent a garbage bin large enough to hold a small car off to an RCMP compound in Ottawa thinking that the device may have been inadvertently tossed in the trash. About 10 days later, the department gave up on hiring trash sorters after five companies and the City of Ottawa refused the job claiming health and safety issues because of how long the garbage, which included rotting food, had been left outside.

The bin was eventually given back to the building management company, and the trash sent to landfill.

Sitting on the device was the personal information of 5,049 disability pension applicants who were appealing the department’s decision about their claims.

Department policy required employees to encrypt sensitive information stored on portable data devices, which wasn't followed in this case.

A security report dated Nov. 19 notes that investigators couldn’t say whether someone accessed the office using a spare key the lawyer kept in her desk.

Only three people, including the lawyer, had keys to the office.

That report also considered the financial effects of the data breach on individuals as medium, “unless the information got into the wrong hands.”

The department has said it has no evidence that the information has been used for fraudulent purposes and has declined to say what has happened to the employees involved. The privacy commissioner’s office had no updates Thursday on its investigation into the matter more than seven months after the loss came to light.

Security officer David Zorzo noted in a November 20 email to senior security officials in the department that ”there is evidence to support and malicious intent or wrongdoing (Mens Rea vs. Actus Reus) regarding this incident.” The department said the message had a typo, with a spokesman writing in an email that, “the sentence should have read ‘there is NO evidence to support any malicious intent or wrongdoing.”

  USB key loss at HRSDC


0 Comments:

Post a Comment

<< Home