Massive privacy breach at Public Services reveals workers' salaries

CBC News has learned of a major privacy breach at Public Services and Procurement Canada (PSPC) affecting almost 13,000 federal employees. Personal details such as workers' salaries were exposed.

3rd major breach at the department in a year prompts complaints to privacy commissioner

Marie Lemay is deputy minister of Public Services and Procurement Canada, where a third major privacy breach in the span of about a year exposed the personal information of almost 13,000 workers, CBC News has learned. (CBC News)

The personal information of almost 13,000 public servants was exposed in one of the largest ever privacy breaches at a federal government department.

The July 11, 2016, breach at Public Services and Procurement Canada (PSPC) included the salary, age, reading-and-writing test results and other private information of 12,901 employees — nearly everyone working in the department, which employed 13,300 people at the time.

The breach was deemed to be the result of an inadvertenthuman error.- PSPC internal document

Also included was confidential employment-equity data of about 2,590 employees, such as whether they self-identified as a visible minority, disabled or Indigenous.

The breach occurred when the human resources section attached a massive spreadsheet to an unencrypted email, which was distributed to 180 people in the department.

The breach had "the potential of serious injury to employees due to the personal nature of the information," says an internal account, dated February this year and obtained by CBC News under the Access to Information Act.

Privacy Commissioner Daniel Therrien received at least three complaints arising from a massive privacy breach on July 11, 2016, at Public Services and Procurement Canada. (Adrian Wyld/Canadian Press)

"The breach was deemed to be the result of an inadvertent human error."

The department reported the breach to Canada's privacy commissioner, Daniel Therrien, more than a month later, on Aug. 19, 2016. Employees themselves were notified even later, by email, on Aug. 26 — six weeks after the fact.

Three complaints

"I can tell you that we received three complaints, all from affected employees," said the commissioner's spokesperson, Tobi Cohen. "They were resolved through our early resolution process to the satisfaction of complainants in October 2016."

Cohen said the Privacy Act prevents the office from providing further details.

A spokesperson for PSPC said the 180 people who received the unencrypted spreadsheet had "appropriate" security clearance and were "instructed to delete the email containing the report."

"The report was also purged from government systems," said Pierre-Alain Bujold.

The report was purged from government systems.- Pierre-Alain Bujold, PSPC spokesperson

"To date, no reports have been received to indicate that personal information has been used maliciously or left departmental systems as a result of the breach," he said.

The July 2016 privacy breach was at least the third at PSPC in the space of about a year. The first two breaches — which occurred between March and July 2015, and February and April of 2016 — were the result of the wonky Phoenix payroll system which has been underpaying, overpaying or not paying federal workers.

The earlier breaches affected more workers — 300,000 — but the kind of personal information exposed was relatively minor compared with the depth of private information revealed in the latest incident, which included the size of workers' paycheques.

Other breaches

Other federal government departments have a far worse record of privacy breaches than PSPC, as detailed in last fall's annual report from Therrien, which covered the period between April 1, 2015, and March 31, 2016. The worst offenders were Veterans Affairs (84), Corrections Canada (50), Immigration (47), the Canada Revenue Agency (21) and Employment and Social Development (17). 

The Public Service Pay Centre in Miramichi, N.B. The centre's dysfunctional Phoenix payroll system was responsible for at least two major privacy breaches in 2015 and 2016. (Ron Ward/The Canadian Press)

Last month, CBC News reported on new privacy breaches at the Canada Revenue Agency, including the largest ever involving a tax worker snooping on taxpayers' files. The breaches occurred despite more than $10 million spent to stop them.

One CRA employee improperly accessed the accounts of 38 taxpayers in detail, and briefly accessed another 1,264 accounts using a search function to find surnames and postal codes. The worker was fired after being caught in March last year.

Follow @DeanBeeby on Twitter


Dean Beeby

Senior reporter, Parliamentary Bureau

Dean Beeby is a CBC journalist, author and specialist in freedom-of-information laws. Follow him on Twitter: @DeanBeeby