Phoenix pay system to blame for twice breaching public servants' private data, says deputy minister

The department of Public Works confirms there have been two separate data breaches involving the personal information of public servants as a result of the federal government's new computerized payroll system.

Deputy minister says data was scrambled, would have needed expertise and 'significant time to make readable'

IBM inadvertently used public servants' personal information for testing during the development phase of Phoenix. (Getty Images)

Public servants had their private information breached twice when Ottawa launched its new computerised pay system, the government said Thursday. 

The deputy minister of Public Works, Marie Lemay, confirmed the incidents in an open letter to staff posted on the department's web site Thursday afternoon.

The statement comes two days after CBC News first reported on privacy problems caused by 'Phoenix'.

"Our Departmental Oversight Branch thoroughly reviewed these situations and determined that they posed low risk to employee privacy," Lemay wrote. "There was no evidence that employee personal information ever left the hands of federal employees or government contractors." 

The implementation of Phoenix has also been blamed for significant pay problems affecting more than 80,000 federal government employees.

Lemay's letter said the first breach took place between March and July of 2015.

Employee names, pay amounts, and 'Personal Record Identifiers', known as (PRI), were "inadvertently used by IBM to test the system during the development phase of Phoenix," the post said.

"This information was immediately deleted as soon as the issue was detected. In addition, the employee information consisted of scrambled data that would have required technical expertise and significant time to make it readable."

The incident was reported to the Privacy Commissioner, and was published in the 2015-2016 annual report on the Privacy Act.

2nd breach

The second data breach involved managers having access to information about all federal government employees, between February and April of 2016.

The letter says several managers from four departments had access to information about employees in other departments.

"Contrary to what has been reported in the media, this breach involved only the names and PRIs of employees. These access issues were addressed, and system fixes were put in place to prevent further problems. The OPC was also made aware of this situation."

Union not notified of breaches

The union representing 140,000 public servants says it was not notified about either of the security breaches.

Chris Aylward, national vice-president of the Public Service Alliance of Canada, said he's particularly worried about the first exposure of data during IBM's test of Phoenix.

"It's obvious they used live information and actual employee information...so that is a concern now that a third party basically had access," Aylward told CBC News.

Aylward is demanding the department be more forthcoming about exactly what data was shared, and how many employees had their personal details exposed.

Public Works Minster Judy Foote's office said the breach involving IBM was reported to the Privacy Commissioner and published in the 2015-2016 Privacy Act.

Aylward insists the union should have been notified, and that workers shouldn't have to read the Privacy Act to see if they've been involved in a breach.

"This is unacceptable, this is total bureaucratic political crap in my mind," he said.

Calls for additional precautions 

Although government employees and contractors are required to abide by a code of values and ethics, one cyber-security expert says there can be trouble tracking what happens to this kind of data after an exposure.

Mark Nunnikhoven, the vice-president of cloud research at the online security firm Trend Micro, also has concerns about the breach.

"They needed a sample data set to verify whether the system was working correctly. So that's a common practice where you take data that looks like it would be similar to the end result to see how the system will react."

But Nunnikhoven explained that only fake data should be used for testing purposes.

"They should have taken additional precautions and they shouldn't be using that type of data set in a test."

He did add that Ottawa should follow its own security practices. 

"The good thing about the government of Canada is that it has a very strong framework for managing information security ... what they need to make sure that the external contractor and everyone involved on the technical side of the system is following this through."


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?