A Human Resources and Skills Development Canada (HRSDC) department have publically announced that a portable hard drive which contained confidential data belonging to 583,000 Canadian Student Loans Program borrowers was discovered to be missing on the 5th November 2012. The department only found out that the hard drive was missing during an investigation into another data breach that has put personal information belonging to more than 5,000 Canadians at risk.
The portable hard drive contained information which belonged to 583,000 Canadian Student Loans Program borrowers from 2000 to 2006. The files contained information relating to student names, social security numbers, dates of birth and their loan balances. Contact information for 250 employees was also on the hard drive.
Minister of Human Resources and Skill Development Canada, Diane Finley, has expressed her disappointment with the incident and claims that it could have been avoided.
Finley stated, “I want all Canadians to know that I have expressed my disappointment to departmental officials at this unacceptable and avoidable incident in handling Canadians’ personal information.”
The drive was being used for a backup of this data but surely questions will be asked why a more secure and reliable data backup method isn’t in place. The most alarming part of this incident is that the data was being transported in an unencrypted state despite the department having a policy in place that states all such devices should be encrypted. This incident shows that even with policies in place, if members of staff do not fully understand the importance of abiding to them or are not aware of them it is much more likely that incidents such as this one are going to occur. More often than not the importance of training staff in data security has been overlooked and therefore policies have not been abided to.
Finley also commented on what action has been taken and what they are planning to do to ensure that a similar data loss incident does not occur again.
Finley claimed, “I have requested that HRSDC employees across Canada receive comprehensive communications on the seriousness of these recent incidents and that they participate in mandatory training on a new security policy to ensure that similar situations do not occur again. Further, I have instructed that the new policy contain disciplinary measures that will be implemented for staff, up to and including termination, should the strict codes of privacy and security not be followed.”
Ensuring that you have a secure and robust backup solution in place is vital to ensure data backed up to portable disk is protected by encryption and other technologies. Ideally, you will have an onsite copy and an offsite copy. Taking a backup to a portable hard drive alone leaves you in a much more vulnerable situation than by utilising other backup solutions. It is easier for a portable hard drive to go missing such as in this case or become damaged in the event of flood, fire, natural hazard or during transportation. In the event of a disaster, you could suddenly find out that you cannot recover your data from the portable hard drive because it has become damaged or has been lost. If such an event occurred, this could have very damaging consequences on the running of your company and the company’s reputation.