Landlord finds millions of confidential files left by defunct IT firm
Documents included clients' banking information, employee records
When one of Gregg Patterson's commercial tenants packed up and moved out in the middle of the night, leaving behind hard drives, computer servers and bankers boxes full of documents, he could have just dumped it all at the curb.
Instead, Patterson decided to hold onto it, and he's glad he did.
Patterson's company, Bullion Developments Inc., owns the two-storey office building on Thurston Drive, in an Ottawa industrial park. Patterson said the tenant, an IT company, stopped paying rent, then left in a hurry.
CBC has agreed not to name the now-defunct IT company or its former owner to protect information provided by sources for this story.
Among the material the company left behind, Patterson would eventually discover some 10 million digital records including confidential corporate, banking, human resources, tax and personal files.
The damage that could have been done to people's lives would have been huge. - Chris Stratton, IntelliSyn Communications
The data actually belonged to about a dozen Ottawa organizations including a law firm, a film production company, an architecture firm, non-governmental organizations and a political party, each of which had contracted their IT work to the company.
"We sort of discovered this unbelievable set of circumstances we're now living," Patterson said.
Patterson said it started a few years ago when the tenant stopped paying rent.
"He started defaulting on his lease," Patterson said. "I actually had to serve papers, change locks."
Acting on legal advice, Patterson stored the boxes and computer hardware, but recently decided it was time to either sell it or get rid of it.
Before he did that, Patterson thought he should check if the drives had been wiped clean, so he took the equipment to a different IT security firm now renting space in his building.
"So they did a quick revision on the drives and found a staggering number of files in the 10-million range, which is baffling to me. How can anybody leave these drives behind? I don't understand," Patterson said.
The IT company that left the equipment behind no longer exists.
Its former CEO confirmed his company experienced money troubles and couldn't pay bills, and acknowledged he'd left some material behind after being locked out of the Thurston Drive office, but denied it contained any confidential files.
The IT firm the landlord tasked with the forensic examination tells a different story.
"This was huge," said Chris Stratton, CEO of IntelliSyn Communications, the company that analyzed the drives.
"There's passport photos, trust accounts, bank account numbers — some of the stuff on here was just massive in terms of what could have been done. The damage that could have been done to people's lives would have been huge."
Stratton's team is now calling the organizations that own the data they've discovered. They've offered to either return the material or destroy it. Then they will physically shred the hardware.
'Trust was broken'
Some of the confidential files belong to LWG Architectural Interiors. The company's owner, Bryan Wiens, said he only recently found out about the discovery of the proprietary information.
"We had no idea they had all that material of ours and it was left behind," Wiens said. "Trust was broken."
Wiens has asked for the files to be deleted, and he's urging other companies to do their homework before engaging an outside agency to handle confidential files.
While the landlord in this case has taken responsibility to make sure the files are either returned or destroyed, he's not legally liable.
According to Mark Nunnikhoven, a technology columnist and vice-president of cloud research at Trend Micro, the responsibility actually lies with the companies that were entrusted with the data in the first place.
"If you as a business or an organization are taking in personal data, it's your responsibility to manage that data throughout its lifecycle," Nunnikhoven said. "So if you outsource your IT operations, it's still your responsibility because you're the data owner."
Too often, organizations go looking for the lowest bid when it comes to hiring an outside IT service company, Nunnikhoven said.
"That actually can come around and bite you in the long term, because what you're actually looking for is someone who's going to provide quality services to your company," he said.
Nunnikhoven suggests organizations check references, make sure the company has a track record of success and even "try before you buy."
"Are they going to keep it private or are they going to intermix it with other customers of their own?" he asked.
"How do they dispose of it when you are done with that data, and can you get proof of that disposal? Because at the end of the day that's still on you as a business to be responsible for that information."
For now, Patterson said he's the one who's been left on the hook.
"I'm out of pocket to have [the files] professionally shredded with certificates," he said.
But even if it is costing him some money, Patterson said he's glad he didn't just throw everything in the trash.
"I sleep well at night," he said.