OTTAWA — More than a million Canadians may have had their private information compromised by data breaches within the federal government over the last ten years, an analysis by The Huffington Post Canada suggests.
Prompted by a question from NDP MP Charlie Angus, the government was forced to acknowledge this week that at the very least, there were 1,072,999 instances where a Canadian’s private information held by various departments and agencies was lost, stolen or accessed by an unauthorized third party.
In a stack of documents tabled in the House of Commons Monday, the government admitted it has recorded more than 3,134 data and privacy breaches between 2002 and 2012 across all departments — although many departments only counted data breaches within the last two to five years. Of the total breaches, only 399 were reported to Privacy Commissioner Jennifer Stoddart.
“You have a million people whose privacy has been breached under this government’s watch,” Charlie Angus told HuffPost Tuesday. “It looks like the Privacy Commissioner has been kept in the dark through most of it — and the government doesn’t seem to know how many people have been affected. That is the concerning part of it.”
According to federal legislation, the government is not obliged to tell Canadians if their personal information has been breached. Departments are also not required to inform the Office of the Privacy Commissioner.
It appears the federal government may have tried to lowball the number of Canadians affected. Public Works only reported that 501 individuals were affected by breaches at the department. The total number of individuals actually affected, when one counts each case individually, was 348,061. Public Works failed to count a case where it inadvertently forwarded a file containing the unencrypted social insurance numbers of 332,560 individuals to the Canadian Imperial Bank of Commerce (CIBC). The department also didn't count a case involving 15,000 people whose names, dates of birth and unscrambled social insurance numbers were handed over on a CD to a subcontractor who should not have had access to the data.
A cyber-attack at the department of finance in 2011 was not reported to the Privacy Commissioner. A Finance official said the department would not comment on the specific incident but could confirm that no breaches of personal information had occurred.
Most departments said they didn’t inform Stoddart’s office because the disclosure of financial, medical or important personal information wasn't involved.
Angus, however, doesn’t buy that excuse.
“I don’t think that’s acceptable. We’ve seen international cyber hackers have tried to get access into federal departments. We don’t know where this information went (or) who took it,” he said, pointing to a 2011 incident in which hackers, believed to be from China, accessed Treasury Board computers belonging to senior government officials in an attempt to steal passwords and unlock entire government data systems.
“If that was happening at the Treasury Board, how are we to believe that the Treasury Board President [Tony Clement] actually has a handle on it and is in control?” Angus said.
The Conservative government said Tuesday that it takes the privacy of Canadians seriously.
"Our Government is continuously taking measures to safeguard personal information," Clement said in a press release.
Although several departments acknowledged they have no way of knowing for sure what happened to the data after it was breached, the federal government said it’s only aware of two cases where breaches led to criminal activity: A 2005 incident involving a finance department official named Serge Nadeau, who was charged with breach of trust after using insider knowledge to profit on the stock market; and a 2007-2008 incident at the Public Service Commission of Canada that was not reported to the Privacy Commissioner. (The Public Service Commission told HuffPost Canada on Tuesday it had erroneously reported that the illegal copying of a Public Service Commission test led to criminal activity.)
Recently, the federal government has come under fire for two large-scale privacy breaches involving the department of Human Resources and Skills Development Canada (HRSDC). The Privacy Commissioner is currently investigating the disappearance of an external hard drive that contained the personal and financial information of some 583,000 Canadians who had applied for the Canada Student Loans Program, as well as 250 HRSDC employees. It is also investigating the loss of a USB key containing the personal information of more than 5,000 Canadians.
Bob Buckingham, a lawyer from St. John’s, has launched a hundred-million-dollar lawsuit against the federal government over the HRSDC privacy breaches. He said he hopes the scope of his class action lawsuit will spur the government into action.
“They are just not taking the possible consequences of this seriously,” he told HuffPost in a phone interview.
“I don’t think it’s sunk in yet, that the state has so much power to collect so much data on so many Canadians (and) that there has to be an equal amount of time, effort, energy and policy put into protecting information,” he said.
Several of the privacy breaches outlined in the documents reviewed by HuffPost involve the loss or misplacement of information. Statistics Canada, for example, reported that in 2006-2007, employment records of 66 employees had been left in a filing cabinet that was then sold. The agency also reported sending several letters to the wrong person or businesses and it noted a few thefts: an encrypted laptop was stolen in 2007-2008 and a postal box that contained questionnaires of 31 people was stolen in 2008-09. Police found the documents when they busted an identity theft ring, but Statistics Canada said the information did not lead to any criminal activity as far as it was concerned.
Correctional Service of Canada reported 894 privacy breaches since 2004, and 205 breaches in the past year. It said the increase was, in part, due to staff becoming more aware of “their duty to manage information properly and to report on data, information or privacy breaches as soon as possible.”
“In earlier years, breaches were not reported on as systematically as they are now,” Correctional Service of Canada said.
Veterans Affairs reported 373 breaches involving 999 individuals. When asked for an explanation, spokesman Simon Forsyth said the Privacy Act prevented him from discussing individual cases even in generalities.
It is likely there are several hundreds — if not thousands — of additional data and privacy breaches. The Canada Revenue Agency said it couldn’t identify all the data, information and privacy breaches that had occurred since 2002 because the department would have to do a manual search of all its records, a task not feasible within the 45-day deadline set for answering Angus’ question.
National Defence said it would not respond to Angus’ question relating to breaches of classified information and data for “security reasons.” Neither would bodies such as the Communications Security Establishment Canada and Military Police Complaints Commission.
National Defence did note that in 2011-2012, someone’s job performance information was improperly sent to the media and that in 2012-2013, medical records of one Canadian Armed Forces member were given to another Canadian Armed Forces member who presumably should not have had access to them.
Charlie Angus said the NDP has been pushing for clear rules so that if a privacy breach happens, the Privacy Commissioner is informed immediately. “Given the danger of cyber fraud and identity theft, the Privacy Commissioner needs to know,” he said.
Jennifer Stoddart noted in her annual report for 2011-2012 that the number of privacy breaches reported to her office last year had reached 80 — the highest number in recent years and a 25 per cent increase from 2010-2011.
She noted that Canadians were often in the dark when a federal department or agency had lost or disclosed their data without their authorization to a third party. She said that since disclosures to her office were voluntary, she couldn’t determine whether the increase reflected more diligent reporting or an actual increase in breaches.