UVic employee data theft preventable, says second external audit

Former privacy commissioner gives university 29 recommendations to boost security measures, employee training

A detailed privacy review, commissioned by the University of Victoria after confidential employee information was stolen in January, says the major data breach was a preventable incident.

The report, written by the province’s former Information and Privacy Commissioner David Flaherty, lists 29 recommendations to prevent similar incidents in the future.

“This major data breach should not have happened if the established data loss prevention and protection measures had been followed. In my view, the university was prepared to prevent such an occurrence,” Flaherty wrote in his report, released Friday.

On January 7 or 8, thieves targeted the payroll department in the non-alarmed Administrative Services Building, and stole a number of electronics. Among them was an unencrypted USB flash drive.

That flash drive held the names, banking information and social insurance numbers of all 11,841 employees on UVic’s payroll since 2010.

Given the volume of sensitive information on the device, “(the) protections in place for the flash drive were not ‘reasonable’ in the circumstances,” Flaherty wrote. The device was stored in a locked room, in a locked safe, in a locked cabinet.

Flaherty’s report came two months after the province’s current Information and Privacy Commissioner released similar investigative findings.

Elizabeth Denham said there is “no rationale” that the information wasn’t digitally secure, and that the university breached the Freedom of Information and Protection of Privacy Act when it failed to protect its employees’ personal information.

Flaherty’s report, covers a wide scope of recommendations, from administrative duty priorities to auditing security measures.

Among Flaherty’s recommendations is mandatory annual privacy and security training for all university non-academic staff who handle personal information.

“Existing … materials demonstrate that plenty of university training has been prepared, but evidently it was not targeted well enough, or repeated often enough, to prevent inadequate security practices that resulted in a data theft and a major breach,” he wrote.

He also recommended that the university continually invest in hardware and software to protect data that requires security. And back-up data should be stored off site.

“The stolen USB flash drive should not have been stored on campus in the first place, since its main purpose was business continuity … in the event of a natural disaster or other disruption, including flooding of buildings and labour strife,” Flaherty wrote.

Additionally, he recommended the university stop storing social insurance numbers.

“Data minimization has to become more than a buzzword at the university. … The stolen USB flash drive did not have to include social insurance numbers, because other means of unique identification were in place,” Flaherty wrote. “Payroll put the numbers on the flash drive for purposes of convenience in the event of a crisis. The unwise thought was that the employed would remember their SIN but not their (work ID) number.”

An attached internal assessment, conducted by UVic professor Jamie Cassels, reads that the university responded well to the data breach.

The activities and planning processes underway do demonstrate that steps are being taken to identify and catalogue storage systems containing personal information, and to assess and improve the protection of that information.

“They show that the university has plans for reviewing information security, physical security, privacy and records management policies on an ongoing basis,” Cassels wrote. “The various activities and initiatives, planned and ongoing, all seem appropriate, effective and sufficient.”

A press release from UVic says they are “considering how best to implement (Flaherty’s) recommendations,” and added that they have already taken some preventative steps.

A Saanich police investigation into the theft is still ongoing.

The majority of the electronics that were stolen were recovered in late January, but the flash drive in question is still outstanding. They were found destroyed in a garbage bag in a Canada Post drop box atop Bear Mountain in Langford.

Affixed to the bag was a dubious apology note: “The information on these devices was not copied, distributed, or exploited. We want to part of everyday people living in fear that their personal information is being used against them to take they’re (sic) hard earned money,” the letter read. But police aren’t buying it.

“We think this is a ruse by someone who wants to allay the public’s fears. But what they may have done is transferred the data, they’ll sit on it, and then go ahead and start defrauding people in a couple of months,” said Sgt. Dean Jantzen said in January.

Police say four current and former UVic employees claimed to have money stolen from their bank accounts following the data breach, but investigators have since determined three incidents to be unrelated. The fourth cannot be confirmed or discredited as being related to the data theft.

To read Flaherty’s full report, and see a list of all 29 recommendations, visit uvic.ca/infobreach.

kslavin@saanichnews.com

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

The Berwick Retirement Communities’ 2021 Spin-A-Thon event on Feb. 23 raised more than $7,100 for the Heart and Stroke Foundation. (Travis Paterson/News Staff)
Berwick Spin-A-Thon raises more than $7,000 for Heart and Stroke Foundation

Two centenarians among participants in second annual all-day pedal event

Victoria Police Department vehicle outside the headquarters building. VicPD (Black Press Media file photo)
Man arrested after Victoria restaurant worker punched, thrown to the ground

Police say woman was found lying on the sidewalk with non-life threatening injuries

This was the scene outside North Saanich’s Parkland Secondary School after an attempted but unsuccessful break-and-enter into the school torched an ATM inside of it. Sidney/North Saanich RCMP did not make any arrests and currently lack suspects as the investigation continues. Members of the public who may have witnessed something or possess other information can contact police at (250) 656-3931 or to Crimestoppers at 1-800-222-TIPS. (Submitted)
ATM at North Saanich high school torched during early morning break-and-enter

Police dogs searched the exterior and interior of the school

Victoria police are investigating after several vehicles were smashed and a basement was flooded along lower Cook Street March 2. (Black Press Media file photo)
Victoria police investigating smashed vehicles, flooded basement on Cook Street

Police seeking witnesses, footage of several ‘mischief’ incidents

Victoria Police Department vehicles outside the headquarters building. (Black Press Media file photo)
Victoria police investigating sudden death in Beacon Hill Park

Police, paramedics responded to a report of an unresponsive person early Wednesday

Anyone with information on any of these individuals is asked to call 1-800-222-TIPS (8477) or visit the website victoriacrimestoppers.ca for more information.
Greater Victoria Crime Stoppers wanted list for the week of March 2

Greater Victoria Crime Stoppers is seeking the public’s help in locating the… Continue reading

(Black Press Media file photo)
POLL: How’s your butter?

Recent reports have some Canadians giving a second look to one of… Continue reading

A sample of guns seized at the Pacific Highway border crossing from the U.S. into B.C. in 2014. Guns smuggled from the U.S. are used in criminal activity, often associated with drug gangs. (Canada Border Service Agency)
B.C. moves to seize vehicles transporting illegal firearms

Bill bans sale of imitation or BB guns to young people

The City of Duncan will implement a new pilot project targeting vandalism this spring. (File photo)
Graffiti trouble? Duncan will give you the brush and the paint to remove it

Intiative based on a successful project to protect Port Alberni from unwanted spray paint

BC Housing minister David Eby is concerned that Penticton council’s decision to close a local homeless shelter will result in a “tent city” similar to this one in Everett, Wa. (Olivia Vanni / Black Press file)
‘Disappointed and baffled’ B.C. housing minister warns of tent city in Penticton

Penticton council’s decision to close a local homeless shelter could create tent city, says David Eby

The first of Fisheries and Oceans Canada’s long-range maritime patrol aircraft—the Dash-8—becomes operational. (Photo supplied by PAL Aerospace)
Fisheries and Oceans Canada’s new De Havilland Dash-8-100 long-range surveillance air craft is capable of staying aloft for eight to 10 hours for a variety of missions up and down the B.C. coast. (Photo supplied by PAL Aerospace)
New plane will double DFO’s surveillance capacity in B.C.

The Dash-8 will fly out of Campbell River for enforecment, conservation missions

A recently published study out of UBC has found a link between life satisfaction levels and overall health. (Pixabay)
Satisfied with life? It’s likely you’re healthier for it: UBC study

UBC psychologists have found those more satisfied with their life have a 26% reduced risk of dying

A vial of some of the first 500,000 of the two million AstraZeneca COVID-19 vaccine doses that Canada has secured through a deal with the Serum Institute of India in partnership with Verity Pharma at a facility in Milton, Ont., on Wednesday, March 3, 2021. THE CANADIAN PRESS/Carlos Osorio - POOL
Federal panel recommends 4-month gap between COVID vaccine doses due to limited supply

The recommendation applies to all COVID-19 vaccines currently approved in Canada

Most Read