UVic had technology in place to prevent data theft

Chair of UVic's cyber-security centre says incident was easily preventable

The director of a centre at the University of Victoria that focuses on cyber-security said the school dropped the ball by not preventing the theft of personal information affecting thousands of people.

A break-in at the Administrative Services Building late Saturday or Sunday netted thieves multiple electronic equipment. One storage device – the school won’t specify what –  that was taken contained the digital banking information and Social Insurance Numbers for more than 11,000 past and present UVic employees.

Stephen Neville, director of the Centre for Advanced Security, Privacy, and Information Systems Research (ASPIRe), said UVic had the existing technology in place that should’ve stopped last weekend’s breach from happening.

“The degree to which people may be aware of these (available) options is the issue,”  Neville said. “It comes down to an employee saying, ‘I need to back up (this information),’ as opposed to saying, ‘Are there better ways of backing up the information that protects the privacy of the data?'”

Whoever backed up the information didn’t handle it appropriately, he said.

Christopher Parsons, a UVic PhD candidate with a background in digital privacy, says he’s disappointed his personal information was so easily stolen.

“Here was personal information on a non-encrypted drive in an unsecured space – obviously something went wrong,” he said. “In addition to your banking information was your social insurance number. Social insurance (numbers) plus your name is one of the Holy Grails for identity theft or fraud.”

Neville agrees. “You can do a lot with that information, particularly since you don’t have to go out and collect it all separately – it’s all there in one source.”

Parsons’ background is at the University of Guelph, where, before coming to UVic, he successfully advocated to get all sensitive information saved on a server.

“Stealing a server would be very, very, very challenging. If you take a desktop computer or a storage device, we wouldn’t be happy about it, but you’re not going to put a whole lot of people at risk,” he said.

The theft of the data, contained on either an optical disc or hard drive, was in a locked safe inside a locked cabinet in an office, Saanich police said. The sensitive data was unencrypted and contained personal information of anyone employed at UVic since January 2010. Pensioners are not at risk.

Scott McCannell, executive director of the Professional Employees Association, which represents nearly 880 UVic employees, is calling on the university to take better care of its staff’s information.

“We have some questions about how this could’ve occurred in the first place, and appropriate security measures,” he said. “We’ll be looking to have an understanding of what will flow out of this, in terms of revisions of UVic’s security processes and practices. An incident of a similar nature simply cannot take place in the future.”

He’s calling on the university to reimburse employees for all expenses incurred as they scramble to ensure their identities are safe.

McCannell also said some members have voiced concern about the timeline of the incident. Though police were made aware Sunday afternoon about the theft, employees weren’t notified until Monday afternoon.

“Obviously when we’re talking about the risks our members are facing, timely communications should be of the essence,” McCannell said.

However, Parsons, the PhD candidate, said UVic did do some things well in the wake of the theft.

“They can be seen as a model corporate citizen in the face of a disaster,” he said. “I’m happy I heard about this from UVic, as opposed to how (security breaches) are usually discovered: a section of the population starts noticing fraudulent activity, and when they work backwards they find the common link is this particular institution or that one.”

UVic sent out an email notification to most of the victims late Monday afternoon. An additional 700 letters were being mailed out to employees whose email addresses were out of date.

On Wednesday, UVic president David Turpin announced both an external and internal review of the security breach will be conducted.

“We’ll be looking for ways we can improve our security, and I have no doubt there’ll be a whole series of recommendations we’ll be acting on,” Turpin said when asked about the absence of an alarm system at the Administrative Services Building.

Neville says taking the precautionary steps recommended by the university –  talk to your bank about changing your accounts, and contact credit rating agencies about putting a flag on your name – is the best way to prevent yourself from becoming a victim.

“It’s important that those of us who are involved go through the process of changing all the numbers associated with our IDs. That makes that data much less valuable to those who have it,” Neville said.

Parsons says he’s waiting for the results of an internal review of UVic’s security practices before determining how to best fix holes in the existing system.

“We’ll have to identify whether this was an individual who made a serious error, with policy in place and it wasn’t followed, or if this is a problem at the university level, and employees aren’t educated or trained on how to properly manage personal information,” Parsons said. “But this shows that policy isn’t enough – there has to be some other level of technical protection.”

kslavin@saanichnews.com

Just Posted

Rebels season over after loss in Cullen Cup Final

Westshore had won ten straight games prior to championship game

West Shore fireworks courses start next week

Course required for mandatory permit

More than 900 new units planned for Langford Lake development

Council still has to sign-off on rezoning application

Hey Amazon, the bid’s in the mail: Langford mayor

The City of Langford has officially submitted its bid to become the home of Amazon HQ2.

Art has become a lifestyle for local resident

Coast Collective’s latest exhibit celebrates all things late fall

Sooke fudge company on Dragon’s Den Nov. 2

Fudge in A Round appearance on Dragon’s Den celebrated with a viewing party at the local Legion Nov. 2

Human remains found at Silver Creek property

RCMP have been searching the property in the 2200 block of Salmon River Road for the past three days

EDITORIAL: It’s time to change the sexual assault conversation

The words “Me Too” are taking social media by storm this week,… Continue reading

Pumpkins’ versatility goes beyond Halloween

Linda Geggie For the Saanich News Get this. My 13-year-old just came… Continue reading

New B.C. acute care centre opens for young patients, expectant mothers

Facility aims to make B.C. Children’s Hospital visits more comfortable

Search ramps up for B.C. woman after dog, car found near Ashcroft

Jenny Lynn Larocque’s vehicle and dog were found in Venables Valley, but there is no sign of her

Event puts pets in the picture for Halloween

Pets West holding Halloween party Oct. 29 at its Broadmead Village location

Police officer hit by car, stabbed in Edmonton attack back on job

Const. Mike Chernyk, 48, returned to work Thursday

UBC medical students learn to care for Indigenous people

Students in health-related studies to take course, workshop to help better serve Aboriginal people

Most Read