Hamilton woman flabbergasted by student loan privacy breach
Aunika Hinks was "stunned and disappointed" when she found out last week that personal information pertaining to her student loan had vanished from a federal building in early November.
But the Hamilton mother of two isn't alone in her dismay. She is one of almost 600,000 Canadians whose student loan information was on a hard drive that "disappeared" from a Human Resources and Skills Development Canada (HRSDC) office in Gatineau, Que.
"How does an employee just misplace such personal information?" Hinks asked, incredulous.
The hard drive contains personal information on people who were clients of the Canada Student Loans program from 2000 to 2006. Hinks falls right into the middle of that category, as she took out a student loan in 2003 to go back to school at Mohawk College to study architecture.
The information on the missing hard drive includes the names, social insurance numbers, dates of birth, contact information and loan balance of Canada Student Loan borrowers, as well as personal contact information for 250 HRSDC employees.
The government says no banking or medical information was on the hard drive.
After announcing the hard drive had gone missing, HRSDC originally told concerned individuals to get their own credit protection, which costs around $15 a month.
This spurred a class action lawsuit by St. John's lawyer Bob Buckingham, one of at least four lawsuits filed around the debacle.
The government back-pedaled and contracted credit bureau Equifax to monitor the files for any odd activity after those affected provide consent, but there won't be annual or monthly credit checks.
Equifax spokesperson Tom Carroll says a credit flag forces the bank to look into who might be applying for credit in your name. Asked if it's the same as the $15 a month credit monitoring that HRSDC had told borrowers to buy, Carroll said "no."
"They were just trying to cover their tracks because of that class action lawsuit," Hinks said, adding that she has taken the government up on its offer for credit protection.
"With a family and two kids, I can't take a risk," she said. "So thanks to the government, I have to deal with this."
Now, Hinks' credit cards, lines of credit and loans will be monitored by Equifax for any odd activity — but she'll have to provide extra proof of identity any time she applies for a loan.
"My life is no longer simple because of this database," Hinks said.
A second 'mix up'
Human Resources minister Diane Finley's only statement on the matter came by way of a press release.
"While there is no evidence that information has been fraudulently accessed or used, I want to reassure Canadians that we are serious about protecting their personal information," Finley said in a statement. "That is why we will provide potentially affected individuals with credit protection at no cost, which will flag their credit files and help detect any potential compromise of their personal information."
Letters alerting those affected by the breach have started to make their way out, but According to some notice recipients, the envelopes with their notices also held letters for complete strangers.
Chris Elliott from Halifax received his letter this week. He said it also contained a letter addressed to a woman he did not know.
"I took a look at [my envelope] when I got home . . . noticed that the first one was the French-language one, so I took a look at the other one assuming it would be the English-language one and that had a completely different person's contact information on it," said Elliott.
The single sheet of paper begins with an all-capitalized message warning: "to be opened by addressee only." The letters include the name and mailing address of recipients, but not other personal information such as a social insurance number. Elliott said a colleague at his workplace also had the same double-letter mix-up.
While Hinks only received a single letter in her envelope, she still finds herself extremely agitated.
"You never think it's going to be you — then you get this awesome letter," she said.
"Now, somebody out there has a database with everything they need to open as many credit cards in my name as they like."
HRSDC timeline of events
- Nov. 5, 2012: Employee discovers an external hard drive is missing.
- Nov. 28: Departmental security officer is notified.
- Dec. 6: Officials learn the personal information of more than 583,000 Canada Student Loans program clients are on the missing hard drive.
- Dec. 14: The Office of the Privacy Commissioner is notified.
- Jan. 7, 2013: The incident is referred to the RCMP.
- Jan. 11: The public is informed of the incident, and all portable hard drives and unencrypted USB keys are banned at HRSDC.
- Jan. 25: HRSDC says it will pay credit bureau Equifax to monitor the files for any odd activity after those affected provide consent, but there won't be annual or monthly credit checks.
If you received a letter from the government saying you're affected by the data breach, you can provide your consent for credit monitoring by calling toll free number at 1-866-885-1866 within North America.
If you are outside of North America call 1-416-572-1113 and dial 0 to speak to your operator in order to reverse the charges.
If you have a hearing or speech impairment and use a teletypewriter (TTY) call 1-800-263-5883.
- This story originally reported that Equifax would provide free credit and identity protection services for six years. In fact, Equifax will monitor the files for any odd activity only after those affected provide consent, and there won't be annual or monthly credit checks.Feb 11, 2013 11:58 AM ET