Service Canada Loses Canadians' data

Videos

GET INFORMANTION ON ANYBODY THROUGH GOVERNMENT RECORDS CRAZY

see larger video

sourced by Dave Keating

• 

  Created by Dave Keating | add comment

• 

  Created by Dave Keating | add comment

• 

  Created by Dave Keating | add comment

• 

  Created by Dave Keating | add comment

Service Canada is about improving the delivery of government services. They are now offering a new service: facilitating identity theft.

Service Canada recently sent a letter to 1500 individuals that where affected by a recent incident. It seems that a USB key, containing the names and social security number of 1500 canadians was lost. One of the victims, Mrs Reine Fraser, told Radio-Canada (the french CBC) that when she contacted Service Canada, she was told be a civil servant that "Service Canada did not want to invest to protect Canadian's data". There are a few problems with this statement of course... First and foremost, Service Canada employees need training in Security incident management and, in particular, in the important aspect of security incident communications. The RCMP and others offer this training to government agencies for free, so why not use it ! Second, this means that they are either not aware of Governement of Canada security policies or Privacy policies as published by Treasury Bord Secretariat and others, or they do not care. At the very least, they don't care enough to spend their money and time implementing these policies.

This is not the first reported incident of this kind at Service Canada, during the Thanksgiving weekend of 2007, a computer was stolen at Thanksgiving from the home of a Service Canada employee just across the river from Ottawa, containing the personal information of 1600 canadians.

In my experience, just like most people out there, the civil servants at Service Canada probably think that bad things only happen to other people, often refered to as 'bad people'. They are exibiting a typical risk seeking behaviour. As anyone with some basic knowledge of IT security practices can tell you, USB keys should not be used to carry delicate, protected or private information. If it really must be done fot business required activities then, at a minimum, a threat and risk assessment must be done and adequate encryption of the data must be used. Of course, the definition of adequate encryption is a complex subject, but the Government does have experts in that field, world recognized experts actually. However, mosts organisations that deal with data that is sensitive, protected under various laws, such as data protected under PIPEDA, commercial trade secrets or data in the national interest (such as National Defence secrets) AND are serious about IT security would, or should, disable floppy disk drives and USB ports on most computers. 

As described on their web site, Service Canada offers single window access to a wide range of Government of Canada programs and services for Canadian citizens through more than 595 points of service, call centres, and the Internet. It is under the responsability of the Honourable Monte Solberg, of Medicine Hat (Alberta), Minister of Human Resources and Social Development.

Sources:

http://www.servicecanada.gc.ca/en/about/index.shtml

http://www.radio-canada.ca/nouvelles/National/2008/06/23/003-service-canada-donn%C3%A9es.shtml

http://www.tbs-sct.gc.ca/pubs_pol/gospubs/tbm_12a/gsp-psg_e.asp

http://www.tbs-sct.gc.ca/pubs_pol/gospubs/tbm_128/chap1_1-1_e.asp

http://www.encyclopedia.com/doc/1O87-riskseeking.html

http://www.cbc.ca/canada/ottawa/story/2007/11/16/pe-stolen.html