USB drives missing with Canadian voter data

In one of the biggest privacy breaches in Canadian history, the personal data of over 2 million voters in the province of Ontario held on two USB drives has disappeared.

The incident happened in April but was only publicly reported Tuesday by the provincial chief electoral officer. Greg Essensa said the data on the drives wasn't encrypted, but was in a format that could only be accessed by proprietary provincial software or by a highly skilled programmer using commercial software.

"I'm deeply disturbed," said Ontario privacy commissioner Ann Cavoukian.

It's "the largest data breach that has occurred in the province," from either a public agency or a private sector business. The risk, she added, is someone could access personal information and steal peoples' identities.

It's not merely a black eye for the province. It's also an embarrassment because Cavoukain is known around the world as a privacy advocate.

"One of the reasons I was so disturbed is the data on millions of people was not encrypted," she added.

Elections Ontario isn't exactly clear what's on the drives, or whether the drives were stolen or are merely missing.

Essena told reporters the two drives have names, addresses, gender, birth dates and "any other personal information updates provided to Elections Ontario" by roughly half of people on the voters list last fall, and possibly, whether they voted. What's not on the drives are social insurance numbers, health card numbers, drivers licence information, credit card or banking information.

But after several months of investigating it still isn't sure what names were on the drives. It believes they covered 20 to 25 of the 49 electoral districts being worked on by staff at the time.

Even forensic experts hired by the department can't figure out which ridings were on the drives.

The department has done a "rigorous" search for the drive, Essensa said, and a full investigation by a private law firm and a forensics security firm, an investigation still ongoing. It's also been reported to the Ontario Provincial Police.

Meanwhile, he's advising all Ontarians to watch for "potential unusual activity" regarding any transactions with the province, banks, utilities and retailers.

An obviously frustrated Cavoukian said she has issued several orders to provincial civil servants that if data is to be transferred from a provincial computer to a portable device either it has to be de-personalized or encrypted.

However, for some reason neither happened in this instance at Elections Ontario.

A chastened Essensa told reporters that the department's policies "were not followed" and couldn't explain why.

However, he tried to suggest that the odds of the data being misused is low.

"If you were to put these keys into your computer now there's no [file] extension that comes on the files. You would not be able to identify exactly what software you would need to utilize them."

"There is no evidence that copies of personal information on two USB keys have been improperly accessed," he added, but out of "an abundance of caution" is telling the public now.

The USB drives had been to transfer data to laptops in a temporarily leased building where Elections Ontario was updating the voter registry. Laptops used by staff didn't have Internet access to the government's servers.

Staff were told to lock up the drives when they weren't in use.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Howard Solomon

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts