UPDATE: Privacy commissioner says UVic breached privacy act by not protecting employee information

B.C.'s information and privacy commissioner releases report on data breach at UVic that saw personal info for 12,000 employees stolen

Given that such sensitive information – the names, social insurance numbers and banking details – for 11,841 University of Victoria employees was stored on a device so susceptible to loss or theft, B.C.’s privacy commissioner says there is “no rationale” that the information wasn’t digitally secure.

Elizabeth Denham, the province’s Information and Privacy Commissioner, released her report Thursday on an investigation into a major data and electronics theft at UVic on Jan. 8 of this year. She says the university breached the Freedom of Information and Protection of Privacy Act when it failed to protect its employees’ personal information.

“While the University has established privacy and security policies in recent years, the institution failed to implement reasonable safeguards to protect data stored on the USB drive. Such safeguards are a legal requirement…,” read a press release from the OIPC.

Thieves targeted the payroll department in the non-alarmed Administrative Services Building, and stole a number of electronics. Among them was an unencrypted USB flash drive containing the personal information of anyone on UVic’s payroll since 2010.

“Limiting the amount of data stored on a mobile device or in other information systems reduces the negative effect of a privacy breach. The device contained the information of a large number of past employees,” Denham wrote in her report. “Given the amount and sensitive nature of personal information contained on the University mobile storage device, coupled with the ease of encrypting the information, there is simply no rationale for failing to encrypt this information.”

To the university’s credit, Denham said, the flash drive was stored in a locked and hidden safe.

“(The) device was stored in the safe, because staff recognized the risk associated with the sensitive data,” she wrote. ” Of course, in the actual event, what was perceived to be a very secure location was not, because the safe was not properly fixed in place. The anchors were not appropriate to prevent the safe being dislodged, and the thieves were able to remove it.”

A Saanich police investigation into the theft is still ongoing.

The majority of the electronics that were stolen were recovered in late January, but the flash drive in question is still outstanding. They were found destroyed in a garbage bag in a Canada Post drop box atop Bear Mountain.

Affixed to the bag was a dubious apology note: “The information on these devices was not copied, distributed, or exploited. We want to part of everyday people living in fear that their personal information is being used against them to take they’re (sic) hard earned money,” the letter read. But police aren’t buying it.

“We think this is a ruse by someone who wants to allay the public’s fears. But what they may have done is transferred the data, they’ll sit on it, and then go ahead and start defrauding people in a couple of months,” said Sgt. Dean Jantzen.

Jantzen says four current and former UVic employees came forward following the data breach claiming to have had money stolen from their bank accounts, but police have determined three of them to be unrelated. Police cannot confirm if the one outstanding fraud happened as a result of the data theft, or if it, too, is unrelated.

“it is clear that the type of personal information stored on the mobile storage device is valuable to criminal organizations. In addition to using it for identity theft, criminals can also exploit personal information to impersonate another individual, obtain medical treatment or use the basic information to create a fictitious identity,” Denham wrote in her report.

She said had the university invested in relatively inexpensive of data security measures, namely encryption software, the data would’ve been protected.

The flash drive was intended to be a back-up for the payroll department, in the case of an emergency where that information, which is typically stored on a secure server, was inaccessible.

“University staff made it clear that senior staff in Financial Services had considered using encryption on the storage device and in fact had received advice from others that encryption should be used. … However, although there appears to have been an intention to encrypt the data, it was not carried out,” Denham wrote.

The privacy commissioner made five recommendations as a result of the investigation:

• The University of Victoria should formally review their privacy and security policies at a minimum of every three years;

• The University should re-assess the physical security of the Financial Services area to determine whether it is necessary to alarm the entire building, and to assess other buildings on campus where personal information is stored;

• The University should develop a comprehensive policy, procedure, training and technical solution to ensure that personal information stored on laptops and other mobile security devices is protected as required by the Freedom of Information and Protection of Privacy Act. This policy and training program should include issues of data limitation, encryption, appropriate password maintenance, physical security, wireless security and proper disposal;

• The University should develop a policy that requires the privacy manager to conduct risk assessments of personal information data banks on an annual basis and report to the University President on the result of these assessments;

• The University should provide a copy of the report of the external consultant to my office for review and comment prior to its finalization.

UVic president David Turpin responded in a press release.

“We appreciate the commissioner’s thorough and thoughtful report and recognize that it identifies areas in which the university can improve the protection of personal information,” he said.

UVic earlier this year also commissioned an external privacy review, expected to be released later this spring. Former privacy commissioner David Flaherty is conducting that one.

Turpin says the university has already taken steps toward improving security on campus, including alarming part of the Administrative Services Building, mandating encryption standards for all the university’s electronic devices, and reviewing the policies and procedures surrounding personal information.

kslavin@saanichnews.com

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

Victoria mayor wants newspaper boxes removed from downtown streets

Mayor Lisa Helps says the boxes are not needed, often filled with garbage

Esquimalt artists take to great outdoors amid coronavirus

Group invites budding, or just willing artists, to join at Saxe Point

Victoria church to ring bells for 75th anniversary of atomic bombings

Bells expected at 8:15 a.m. on Aug. 6 and 11:50 a.m. on Aug. 9

VicPD find used, uncapped needle tied to handrail in Beacon Hill Park

Officers believe the needle was put there with the intent to harm someone

PHOTOS: Kids, parents cool off at Langford splash park

Centennial Park is home to a popular water feature

VIDEO: Otter pups learn to swim at B.C. wildlife rescue facility

Watch Critter Care’s Nathan Wagstaffe help seven young otters go for their first dip

Michael Buble among 13 British Columbians to receive Order of B.C.

Ceremony will be delayed to 2021 due to COVID-19

U.S. border communities feel loss of Canadian tourists, shoppers and friends

Restrictions on non-essential travel across the Canada-U.S. border have been in place since March 2`

Rollout of COVID-19 Alert app faces criticism over accessibility

App requires users to have Apple or Android phones made in the last five years, and a relatively new operating system

Alleged impaired driver sparks small wildfire near Lytton after crash: B.C. RCMP

Good Samaritans prevented the blaze from getting out of control

B.C. First Nation adopts ‘digital twinning’ software to better manage territory

Software allows users to visualize what a mountain might look like if the trees on its slopes were logged

Woman arrested near Nanaimo beach after alleged road rage incidents

37-year-old woman facing charges including assault, assaulting a police officer, impaired driving

All inquiry recommendations implemented after fatal Port Hardy RCMP shooting: Ministry

The Independent Investigations Office of B.C. cleared the RCMP officers involved of wrongdoing

Most Read