UVic employee data theft preventable, says second external audit

Former privacy commissioner gives university 29 recommendations to boost security measures, employee training

A detailed privacy review, commissioned by the University of Victoria after confidential employee information was stolen in January, says the major data breach was a preventable incident.

The report, written by the province’s former Information and Privacy Commissioner David Flaherty, lists 29 recommendations to prevent similar incidents in the future.

“This major data breach should not have happened if the established data loss prevention and protection measures had been followed. In my view, the university was prepared to prevent such an occurrence,” Flaherty wrote in his report, released Friday.

On January 7 or 8, thieves targeted the payroll department in the non-alarmed Administrative Services Building, and stole a number of electronics. Among them was an unencrypted USB flash drive.

That flash drive held the names, banking information and social insurance numbers of all 11,841 employees on UVic’s payroll since 2010.

Given the volume of sensitive information on the device, “(the) protections in place for the flash drive were not ‘reasonable’ in the circumstances,” Flaherty wrote. The device was stored in a locked room, in a locked safe, in a locked cabinet.

Flaherty’s report came two months after the province’s current Information and Privacy Commissioner released similar investigative findings.

Elizabeth Denham said there is “no rationale” that the information wasn’t digitally secure, and that the university breached the Freedom of Information and Protection of Privacy Act when it failed to protect its employees’ personal information.

Flaherty’s report, covers a wide scope of recommendations, from administrative duty priorities to auditing security measures.

Among Flaherty’s recommendations is mandatory annual privacy and security training for all university non-academic staff who handle personal information.

“Existing … materials demonstrate that plenty of university training has been prepared, but evidently it was not targeted well enough, or repeated often enough, to prevent inadequate security practices that resulted in a data theft and a major breach,” he wrote.

He also recommended that the university continually invest in hardware and software to protect data that requires security. And back-up data should be stored off site.

“The stolen USB flash drive should not have been stored on campus in the first place, since its main purpose was business continuity … in the event of a natural disaster or other disruption, including flooding of buildings and labour strife,” Flaherty wrote.

Additionally, he recommended the university stop storing social insurance numbers.

“Data minimization has to become more than a buzzword at the university. … The stolen USB flash drive did not have to include social insurance numbers, because other means of unique identification were in place,” Flaherty wrote. “Payroll put the numbers on the flash drive for purposes of convenience in the event of a crisis. The unwise thought was that the employed would remember their SIN but not their (work ID) number.”

An attached internal assessment, conducted by UVic professor Jamie Cassels, reads that the university responded well to the data breach.

The activities and planning processes underway do demonstrate that steps are being taken to identify and catalogue storage systems containing personal information, and to assess and improve the protection of that information.

“They show that the university has plans for reviewing information security, physical security, privacy and records management policies on an ongoing basis,” Cassels wrote. “The various activities and initiatives, planned and ongoing, all seem appropriate, effective and sufficient.”

A press release from UVic says they are “considering how best to implement (Flaherty’s) recommendations,” and added that they have already taken some preventative steps.

A Saanich police investigation into the theft is still ongoing.

The majority of the electronics that were stolen were recovered in late January, but the flash drive in question is still outstanding. They were found destroyed in a garbage bag in a Canada Post drop box atop Bear Mountain in Langford.

Affixed to the bag was a dubious apology note: “The information on these devices was not copied, distributed, or exploited. We want to part of everyday people living in fear that their personal information is being used against them to take they’re (sic) hard earned money,” the letter read. But police aren’t buying it.

“We think this is a ruse by someone who wants to allay the public’s fears. But what they may have done is transferred the data, they’ll sit on it, and then go ahead and start defrauding people in a couple of months,” said Sgt. Dean Jantzen said in January.

Police say four current and former UVic employees claimed to have money stolen from their bank accounts following the data breach, but investigators have since determined three incidents to be unrelated. The fourth cannot be confirmed or discredited as being related to the data theft.

To read Flaherty’s full report, and see a list of all 29 recommendations, visit uvic.ca/infobreach.

kslavin@saanichnews.com

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

PHOTOS: BC Children’s lottery offers luxury downtown Victoria home as a prize

The Choices Lotto has luxury homes across the province

Island teen climber seizes last opportunity to qualify in 2020 Olympic games

Brennan Doyle, 16, heads to L.A. for Pan American Climbing Championships

University of Victoria profs take home prestigious national teaching award

Brent Mainprize and Edōsdi–Judy Thompson recognized as a 2020 3M National Teaching Fellows

Victoria modular housing complex built to house homeless Indigenous women

Spa’Qun, or ‘Flower House’ will provide shelter and cultural support

Loans or gifts? Judge rules woman must pay Victoria man back $7K

B.C. judge rules that woman must pay back more than $7,000 in advanced funds to man

VIDEO: Alleged shoplifter caught on camera at Sidney boutique

Staff at Cameron Rose Gifts seek the public’s help locating woman

Cheapest in B.C.: Penticton gas prices dip below $1 per litre

Two stores in Penticton have gas below a dollar.

VIDEO: Outpouring of worldwide support for bullied Australian boy

Australian actor Hugh Jackman said ‘you are stronger than you know, mate’

‘A horror show:’ Ex-employee shares experience at problematic Chilliwack seniors’ home

Workers are paid below industry standard at all Retirement Concepts facilities

Forest industry protests northern B.C. caribou protection deal

B.C. Mining Association supports federal-Indigenous plan

Youth-led report calls on B.C. government to create plan to end youth homelessness

There are no dedicated programs for youth homelessness at federal, provincial level, report says

UPDATE: Lockdown lifted at Nanaimo high school following threats

Nearby elementary school was in hold-and-secure

Trudeau: Time for blockades to end and Indigenous leaders to work with government

Prime minister says situation in Coastal GasLink pipeline dispute is ‘unacceptable and untenable’

Greater Victoria Crime Stoppers wanted list for the week of Feb. 18

Greater Victoria Crime Stoppers is seeking the public’s help in locating the… Continue reading

Most Read