Human Resources and Skills Development Canada (HRSDC) announced on January 11th that it had lost an unencrypted hard drive containing the personal information of 583,000 people who had a Canada Student Loan between 2000 and 2006. The hard drive also contained the personal contact information of 250 HRSDC employees.
The hard drive was lost in November, but the department waited two months before announcing that the files, which include student names, social insurance numbers, dates of birth and contact information, had gone missing. The breach has resulted in a myriad of repercussions.
Three different class action suits commenced by three different law firms across the country are now being joined in a consortium for a national class action suit against the Attorney General of Canada.
Meanwhile, in a January 25th release, HRSDC said it made arrangements with Equifax to “provide affected Canada Student Loans Program clients with credit and identity protection services for a period of up to six years at no cost.” The most basic product on the Equifax website is described as ‘credit monitoring and identity theft protection’ at $14.95 per month, which would cost the government more than $600 million. Many potential victims, as well as news media outlets, believed this to be the service the government was offering to provide. However, the government has since clarified in an email to Global News that it has purchased a credit protection “known as a credit flag” which it says will “provide a quality and standard fraud protection for individuals affected” and not the basic product listed on the Equifax website. The government did not disclose the cost of the protection being offered. As a result, many of those affected are confused and angered by the lack of clarity.
Now, to add to the privacy blunders, when HRSDC attempted to notify individuals of the breach, it appears that some recipients opened their breach notification letters to find them addressed to the wrong people. Although the problem is now fully resolved, fewer than a hundred people may have received a double-stuffed letter as the result of a printer error.
Justifiably, there has been growing dissatisfaction with the government’s response to the HRSDC breach. Canadian IT security professionals have been complaining for years that the government is seriously out of step with what needs to be in place to protect citizen data in the 21st century. Concerns include lack of training and mandatory encryption solutions, patchwork systems and older technology, as well as too much reliance on policy as opposed to better security solutions.
We don’t know whether the missing HRSDC data could be used to create phony profiles, apply for passports, or engage in other identity theft crimes, or whether nothing may happen – the portable device might have landed in the trash somewhere, never to be seen again. What is clear is that the dire consequences of a security breach are numerous and multi-faceted. It’s time Canada’s public sector took the problem more seriously.