UVic had technology in place to prevent data theft

Chair of UVic's cyber-security centre says incident was easily preventable

The director of a centre at the University of Victoria that focuses on cyber-security said the school dropped the ball by not preventing the theft of personal information affecting thousands of people.

A break-in at the Administrative Services Building late Saturday or Sunday netted thieves multiple electronic equipment. One storage device – the school won’t specify what –  that was taken contained the digital banking information and Social Insurance Numbers for more than 11,000 past and present UVic employees.

Stephen Neville, director of the Centre for Advanced Security, Privacy, and Information Systems Research (ASPIRe), said UVic had the existing technology in place that should’ve stopped last weekend’s breach from happening.

“The degree to which people may be aware of these (available) options is the issue,”  Neville said. “It comes down to an employee saying, ‘I need to back up (this information),’ as opposed to saying, ‘Are there better ways of backing up the information that protects the privacy of the data?'”

Whoever backed up the information didn’t handle it appropriately, he said.

Christopher Parsons, a UVic PhD candidate with a background in digital privacy, says he’s disappointed his personal information was so easily stolen.

“Here was personal information on a non-encrypted drive in an unsecured space – obviously something went wrong,” he said. “In addition to your banking information was your social insurance number. Social insurance (numbers) plus your name is one of the Holy Grails for identity theft or fraud.”

Neville agrees. “You can do a lot with that information, particularly since you don’t have to go out and collect it all separately – it’s all there in one source.”

Parsons’ background is at the University of Guelph, where, before coming to UVic, he successfully advocated to get all sensitive information saved on a server.

“Stealing a server would be very, very, very challenging. If you take a desktop computer or a storage device, we wouldn’t be happy about it, but you’re not going to put a whole lot of people at risk,” he said.

The theft of the data, contained on either an optical disc or hard drive, was in a locked safe inside a locked cabinet in an office, Saanich police said. The sensitive data was unencrypted and contained personal information of anyone employed at UVic since January 2010. Pensioners are not at risk.

Scott McCannell, executive director of the Professional Employees Association, which represents nearly 880 UVic employees, is calling on the university to take better care of its staff’s information.

“We have some questions about how this could’ve occurred in the first place, and appropriate security measures,” he said. “We’ll be looking to have an understanding of what will flow out of this, in terms of revisions of UVic’s security processes and practices. An incident of a similar nature simply cannot take place in the future.”

He’s calling on the university to reimburse employees for all expenses incurred as they scramble to ensure their identities are safe.

McCannell also said some members have voiced concern about the timeline of the incident. Though police were made aware Sunday afternoon about the theft, employees weren’t notified until Monday afternoon.

“Obviously when we’re talking about the risks our members are facing, timely communications should be of the essence,” McCannell said.

However, Parsons, the PhD candidate, said UVic did do some things well in the wake of the theft.

“They can be seen as a model corporate citizen in the face of a disaster,” he said. “I’m happy I heard about this from UVic, as opposed to how (security breaches) are usually discovered: a section of the population starts noticing fraudulent activity, and when they work backwards they find the common link is this particular institution or that one.”

UVic sent out an email notification to most of the victims late Monday afternoon. An additional 700 letters were being mailed out to employees whose email addresses were out of date.

On Wednesday, UVic president David Turpin announced both an external and internal review of the security breach will be conducted.

“We’ll be looking for ways we can improve our security, and I have no doubt there’ll be a whole series of recommendations we’ll be acting on,” Turpin said when asked about the absence of an alarm system at the Administrative Services Building.

Neville says taking the precautionary steps recommended by the university –  talk to your bank about changing your accounts, and contact credit rating agencies about putting a flag on your name – is the best way to prevent yourself from becoming a victim.

“It’s important that those of us who are involved go through the process of changing all the numbers associated with our IDs. That makes that data much less valuable to those who have it,” Neville said.

Parsons says he’s waiting for the results of an internal review of UVic’s security practices before determining how to best fix holes in the existing system.

“We’ll have to identify whether this was an individual who made a serious error, with policy in place and it wasn’t followed, or if this is a problem at the university level, and employees aren’t educated or trained on how to properly manage personal information,” Parsons said. “But this shows that policy isn’t enough – there has to be some other level of technical protection.”


Just Posted

At the age of 95, local bowler shows no signs of slowing down

Olive Olmsted has bowled for more than 55 years

Colwood wins Victoria Flower Count for a five-peat

The 43rd annual Flower Count had over three billion blossoms counted in total

Royal Bay junior boys bring back lacrosse banner

The Ravens sent three teams to the provincial championships

Langford fundraiser for kidney disease is a success

Maureen Hobbs thinks B.C. Transplant says it best: “Live life. Pass it on.”

Preschool group helps release fish into Glen Lake

The number of fish released correlates to the number of fish caught per year

Celebrating our transit drivers on their day

March 18 is International Transit Driver Appreciation Day

B.C. cyclist races to first win of the season in New Zealand

Casey Brown captures Enduro title by more than two minutes at Crankworx Rotorua

Notorious Russian troll farm also took swipes at Canadian targets

Targets included oil infrastructure and Prime Minister Justin Trudeau.

Women’s Expo seeks to empower women this weekend

Victoria Women’s Expo set for Saturday and Sunday at Pearkes Recreation Centre

Cirque du Soleil aerialist dies after fall during Florida show

Longtime performer fell while performing in VOLTA

Canada earns second Paralympic Games silver in 20 years

Held 1-0 lead in para hockey game from 12:06 of first to dying seconds of third and lost in overtime

LETTERS: Two views of oil pipeline protests

U.S. and other petroleum-rich countries aren’t cutting production

Canadian Paralympic team picked up record 28 medals

The 55 athletes strong had set a cautious goal of 17 medals for PyeongChang

Canadian comic Mike MacDonald dies at 63

Ottawa-born comedian had performed on David Letterman

Most Read