Education Ministry security failings blamed for massive student data breach

B.C.'s Education Ministry failed to provide adequate security for the personal information of 3.4 million students and teachers.

Report makes nine recommendations to boost security around privacy.

B.C.'s privacy commissioner has made nine recommendations following a data breach that affected 3.4M students and teachers. (CBC)

B.C.'s Education Ministry failed to provide adequate security for the personal information of 3.4 million students and teachers, an investigation by the province's privacy commissioner has found.

"Organizations have to demonstrate executive leadership and communicate to staff that information assets are important, just like financial assets," Deputy Privacy Commissioner Jay Fedorak told CBC News Thursday.

The investigation was prompted after the ministry announced the loss of a hard drive containing students' information, including their name, gender, date of birth and Personal Education Number (PEN).

It also disclosed whether students were cancer survivors or children in care, had special needs, had withdrawn from school, or were post-secondary students receiving financial assistance.

The information lost also included some students' addresses, type of schooling and grades.

In her report into the data breach that affected 3.4 million students and teachers across B.C. and Yukon, Elizabeth Denham states that several ministry workers contravened a series of security policy directives and protocols by transferring information from the ministry server onto mobile hard drives, one of which was then lost.

The fact that the transferred data was unencrypted, and that no inventory or backup of the hard drives was made, compounded the breach, the report states.

Better training, leadership needed

"The failure of the employees involved in the creation of the hard drives to follow clear privacy and information security policies indicated that the training the employees received was not effective," the report states. "It illustrated the need for better training, executive leadership and compliance monitoring."

The report states that once the breach was discovered, the ministry did provide an adequate response, conducting searches for the missing drive, notifying the media, and contacting vulnerable groups.

The commissioner made nine recommendations designed to strengthen the ministry's security around personal information.

Education Minister Mike Bernier released a statement apologizing for the breach and noting the government must do a better job ensuring public servants receive adequate and ongoing training.


With files from Richard Zussman
