A laptop with a database containing the personal financial information, names, birth dates, social insurance numbers, and addresses of 92 people has been stolen in Saint John, a CBC News investigation reveals.
The laptop, containing the information of an identity thief’s dreams, was left in a car overnight, unattended. The car’s window was smashed and the laptop was stolen.
The theft occurred late Jan. 17 or early on Jan. 18, according to Tyler Campbell, a communications officer with the Department of Post-Secondary Education, Training and Labour (PETL).
“The person who stole it would have had to get through the first screen, the lock screen, Microsoft password, and then figure out how to get into the database, which is also password protected,” says Campbell.
The department collects the relevant private information of New Brunswickers accessing the self-employment benefit program through Southwest Community Business Development Corp. The laptop was in the possession of a CBDC Southwest employee.
“The laptop was not in plain view, it was put away, and someone decided that they were going to break into the vehicle and that is circumstances outside of our control. There’s absolutely nothing we can do in that particular circumstance,” said Heather Hubert, the CBDC Southwest executive director.
'Thou shalt not leave a laptop unattended.' - Travis Barlow, IT security consultant
“Thou shalt not leave a laptop unattended in a car or vehicle overnight. That’s almost a no-brainer,” said Travis Barlow, the Halifax-based head of the Atlantic Security Conference, AtlSecCon.
Barlow said the laptop and database passwords could be easily bypassed by someone looking for data to sell.
“There’s a fantastic black market for any — that data can be used to create credit cards, mortgages, whatever to create a false identity. This information sells very rapidly on the internet underground and moves very quickly. Once it’s out there, there’s not very much you can do at that point.”
In a letter obtained by CBC News Investigates, Thomas Mann, the deputy minister of the Department of Post-Secondary Education, Training and Labour, wrote to victims of the breach:
“Although the breach was contained quickly and the risk was minimal, we recommend that you monitor all activities involving the use of your personal information (bank accounts, transactions, etc.),” wrote Mann.
The department is offering one year of free credit monitoring for anyone concerned with the possibility of identity theft.
Barlow thinks government should be taking a more proactive approach to security, suggesting laptops containing sensitive information should be encrypted and equipped with geo-locating software, which can allow a stolen device to be tracked.
“In an ideal world that data would have been classified as critical and any laptop it went on would have to meet certain standards. In this case it did not.”
CBC News has learned that in fact, if a device is lost or stolen, no departments outside of the Department of Health have mandatory reporting requirements, meaning New Brunswickers may never know if their data was on a device which was lost or stolen, according to the province's Office of the Access to Information and Privacy Commissioner.
CBDC Southwest and PETL took an extra step notifying those whose information was on the device.
“Rather than not say anything about it like some people do, in certain circumstances, we wanted to be very open and honest with any potential breach,” said Hubert.
“We felt that the situation was very well mitigated as best we could, but we did want to make them aware on the off chance that something did occur.”
In an email to CBC News, New Brunswick's office of the chief information officer advised it has seen 19 reported cases of lost or stolen devices in the last five years, noting:
“That number is very low when you take into consideration the number of employees across government using technologies (memory stick, Blackberry, laptops, tablets, pads) every day of the year.”
“Who are we trusting with our data? You’re trusting your government with your data, then they should have a system in place that they can track where it is at any given time,” said Barlow.
“I think that for a long time we’ve turned a blind eye and we’ve trusted governments. I think we’re at a point now where we have to push the government to tighten the reins.”
CBDC Southwest and PETL are encrypting private data on laptops going forward. CBC News asked the Office of the Chief Information Officer about the possibility of more widely using encryption and geo-locating software, but the office did not respond.