Ottawa

Landlord finds millions of confidential files left by defunct IT firm

When one of Gregg Patterson's commercial tenants packed up and moved out in the middle of the night, leaving behind hard drives, computer servers and bankers boxes full of documents, he could have just dumped it all at the curb. He's glad he didn't.

Documents included clients' banking information, employee records

Gregg Patterson, owner of Bullion Developments Inc., found hard drives, computer servers and even old mail containing the confidential information of several companies and organizations. (Jean Delisle/CBC )

When one of Gregg Patterson's commercial tenants packed up and moved out in the middle of the night, leaving behind hard drives, computer servers and bankers boxes full of documents, he could have just dumped it all at the curb.

Instead, Patterson decided to hold onto it, and he's glad he did.

Patterson's company, Bullion Developments Inc., owns the two-storey office building on Thurston Drive, in an Ottawa industrial park. Patterson said the tenant, an IT company, stopped paying rent, then left in a hurry.

CBC has agreed not to name the now-defunct IT company or its former owner to protect information provided by sources for this story.

Among the material the company left behind, Patterson would eventually discover some 10 million digital records including confidential corporate, banking, human resources, tax and personal files.

The damage that could have been done to people's lives would have been huge.- Chris Stratton, IntelliSyn Communications

The data actually belonged to about a dozen Ottawa organizations including a law firm, a film production company, an architecture firm, non-governmental organizations and a political party, each of which had contracted their IT work to the company.

"We sort of discovered this unbelievable set of circumstances we're now living," Patterson said.

The IT company left behind about 30 hard drives containing millions of digital files. (Jean Delisle/CBC)

Patterson said it started a few years ago when the tenant stopped paying rent.

"He started defaulting on his lease," Patterson said. "I actually had to serve papers, change locks."

Acting on legal advice, Patterson stored the boxes and computer hardware, but recently decided it was time to either sell it or get rid of it.

Before he did that, Patterson thought he should check if the drives had been wiped clean, so he took the equipment to a different IT security firm now renting space in his building.

"So they did a quick revision on the drives and found a staggering number of files in the 10-million range, which is baffling to me. How can anybody leave these drives behind? I don't understand," Patterson said.

Forensic examination

The IT company that left the equipment behind no longer exists.

Its former CEO confirmed his company experienced money troubles and couldn't pay bills, and acknowledged he'd left some material behind after being locked out of the Thurston Drive office, but denied it contained any confidential files.

The IT firm the landlord tasked with the forensic examination tells a different story.

Chris Stratton, CEO of IntelliSyn Communications, is now notifying the defunct IT company's former clients that their confidential information has been found. (Jean Delisle/CBC)

"This was huge," said Chris Stratton, CEO of IntelliSyn Communications, the company that analyzed the drives.

"There's passport photos, trust accounts, bank account numbers — some of the stuff on here was just massive in terms of what could have been done. The damage that could have been done to people's lives would have been huge."

Stratton's team is now calling the organizations that own the data they've discovered. They've offered to either return the material or destroy it. Then they will physically shred the hardware.

'Trust was broken'

Some of the confidential files belong to LWG Architectural Interiors. The company's owner, Bryan Wiens, said he only recently found out about the discovery of the proprietary information.

Paper files including mail was also left behind. (Jean Delisle/CBC)

"We had no idea they had all that material of ours and it was left behind," Wiens said. "Trust was broken."

Wiens has asked for the files to be deleted, and he's urging other companies to do their homework before engaging an outside agency to handle confidential files. 

Who's responsible?

While the landlord in this case has taken responsibility to make sure the files are either returned or destroyed, he's not legally liable.

According to Mark Nunnikhoven, a technology columnist and vice-president of cloud research at Trend Micro, the responsibility actually lies with the companies that were entrusted with the data in the first place.

"If you as a business or an organization are taking in personal data, it's your responsibility to manage that data throughout its lifecycle," Nunnikhoven said. "So if you outsource your IT operations, it's still your responsibility because you're the data owner."

Mark Nunnikhoven, a tech columnist and vice-president at Trend Micro, says organizations that outsource their IT services need to understand their own responsibilities. (Jean Delisle/CBC )

Too often, organizations go looking for the lowest bid when it comes to hiring an outside IT service company, Nunnikhoven said.

"That actually can come around and bite you in the long term, because what you're actually looking for is someone who's going to provide quality services to your company," he said. 

Nunnikhoven suggests organizations check references, make sure the company has a track record of success and even "try before you buy."

"Are they going to keep it private or are they going to intermix it with other customers of their own?" he asked.

"How do they dispose of it when you are done with that data, and can you get proof of that disposal? Because at the end of the day that's still on you as a business to be responsible for that information."

Tech columnist Mark Nunnikhoven explains who should be responsible for safeguarding personal information and what could happen if it got into the wrong hands. 7:17

For now, Patterson said he's the one who's been left on the hook.

"I'm out of pocket to have [the files] professionally shredded with certificates," he said.

But even if it is costing him some money, Patterson said he's glad he didn't just throw everything in the trash.

"I sleep well at night," he said.

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.