UPDATE: Privacy commissioner says UVic breached privacy act by not protecting employee information

B.C.'s information and privacy commissioner releases report on data breach at UVic that saw personal info for 12,000 employees stolen

Given that such sensitive information – the names, social insurance numbers and banking details – for 11,841 University of Victoria employees was stored on a device so susceptible to loss or theft, B.C.’s privacy commissioner says there is “no rationale” for the information not having been digitally secured.

Elizabeth Denham, the province’s Information and Privacy Commissioner, released her report Thursday on an investigation into a major data and electronics theft at UVic on Jan. 8 of this year. She says the university breached the Freedom of Information and Protection of Privacy Act when it failed to protect its employees’ personal information.

“While the University has established privacy and security policies in recent years, the institution failed to implement reasonable safeguards to protect data stored on the USB drive. Such safeguards are a legal requirement…,” read a press release from the OIPC.

Thieves targeted the payroll department in the non-alarmed Administrative Services Building, and stole a number of electronics. Among them was an unencrypted USB flash drive containing the personal information of anyone on UVic’s payroll since 2010.

“Limiting the amount of data stored on a mobile device or in other information systems reduces the negative effect of a privacy breach. The device contained the information of a large number of past employees,” Denham wrote in her report. “Given the amount and sensitive nature of personal information contained on the University mobile storage device, coupled with the ease of encrypting the information, there is simply no rationale for failing to encrypt this information.”

To the university’s credit, Denham said, the flash drive was stored in a locked and hidden safe.

“(The) device was stored in the safe, because staff recognized the risk associated with the sensitive data,” she wrote. “Of course, in the actual event, what was perceived to be a very secure location was not, because the safe was not properly fixed in place. The anchors were not appropriate to prevent the safe being dislodged, and the thieves were able to remove it.”

A Saanich police investigation into the theft is still ongoing.

The majority of the stolen electronics were recovered in late January, but the flash drive in question is still outstanding. The recovered devices were found destroyed in a garbage bag in a Canada Post drop box atop Bear Mountain.

Affixed to the bag was a dubious apology note: “The information on these devices was not copied, distributed, or exploited. We want to part of everyday people living in fear that their personal information is being used against them to take they’re (sic) hard earned money,” the letter read. But police aren’t buying it.

“We think this is a ruse by someone who wants to allay the public’s fears. But what they may have done is transferred the data, they’ll sit on it, and then go ahead and start defrauding people in a couple of months,” said Sgt. Dean Jantzen.

Jantzen says four current and former UVic employees came forward following the data breach claiming to have had money stolen from their bank accounts, but police have determined three of them to be unrelated. Police cannot confirm if the one outstanding fraud happened as a result of the data theft, or if it, too, is unrelated.

“It is clear that the type of personal information stored on the mobile storage device is valuable to criminal organizations. In addition to using it for identity theft, criminals can also exploit personal information to impersonate another individual, obtain medical treatment or use the basic information to create a fictitious identity,” Denham wrote in her report.

She said that had the university invested in relatively inexpensive data security measures, namely encryption software, the data would have been protected.

The flash drive was intended to be a back-up for the payroll department, in the case of an emergency where that information, which is typically stored on a secure server, was inaccessible.

“University staff made it clear that senior staff in Financial Services had considered using encryption on the storage device and in fact had received advice from others that encryption should be used. … However, although there appears to have been an intention to encrypt the data, it was not carried out,” Denham wrote.

The privacy commissioner made five recommendations as a result of the investigation:

• The University of Victoria should formally review their privacy and security policies at a minimum of every three years;

• The University should re-assess the physical security of the Financial Services area to determine whether it is necessary to alarm the entire building, and to assess other buildings on campus where personal information is stored;

• The University should develop a comprehensive policy, procedure, training and technical solution to ensure that personal information stored on laptops and other mobile security devices is protected as required by the Freedom of Information and Protection of Privacy Act. This policy and training program should include issues of data limitation, encryption, appropriate password maintenance, physical security, wireless security and proper disposal;

• The University should develop a policy that requires the privacy manager to conduct risk assessments of personal information data banks on an annual basis and report to the University President on the result of these assessments;

• The University should provide a copy of the report of the external consultant to my office for review and comment prior to its finalization.

UVic president David Turpin responded in a press release.

“We appreciate the commissioner’s thorough and thoughtful report and recognize that it identifies areas in which the university can improve the protection of personal information,” he said.

UVic earlier this year also commissioned an external privacy review, expected to be released later this spring. Former privacy commissioner David Flaherty is conducting that one.

Turpin says the university has already taken steps toward improving security on campus, including alarming part of the Administrative Services Building, mandating encryption standards for all the university’s electronic devices, and reviewing the policies and procedures surrounding personal information.

kslavin@saanichnews.com
