UVic had technology in place to prevent data theft

Chair of UVic's cyber-security centre says incident was easily preventable

The director of a centre at the University of Victoria that focuses on cyber-security said the school dropped the ball by not preventing the theft of personal information affecting thousands of people.

A break-in at the Administrative Services Building late Saturday or Sunday netted thieves multiple electronic equipment. One storage device – the school won’t specify what –  that was taken contained the digital banking information and Social Insurance Numbers for more than 11,000 past and present UVic employees.

Stephen Neville, director of the Centre for Advanced Security, Privacy, and Information Systems Research (ASPIRe), said UVic had the existing technology in place that should’ve stopped last weekend’s breach from happening.

“The degree to which people may be aware of these (available) options is the issue,”  Neville said. “It comes down to an employee saying, ‘I need to back up (this information),’ as opposed to saying, ‘Are there better ways of backing up the information that protects the privacy of the data?'”

Whoever backed up the information didn’t handle it appropriately, he said.

Christopher Parsons, a UVic PhD candidate with a background in digital privacy, says he’s disappointed his personal information was so easily stolen.

“Here was personal information on a non-encrypted drive in an unsecured space – obviously something went wrong,” he said. “In addition to your banking information was your social insurance number. Social insurance (numbers) plus your name is one of the Holy Grails for identity theft or fraud.”

Neville agrees. “You can do a lot with that information, particularly since you don’t have to go out and collect it all separately – it’s all there in one source.”

Parsons’ background is at the University of Guelph, where, before coming to UVic, he successfully advocated to get all sensitive information saved on a server.

“Stealing a server would be very, very, very challenging. If you take a desktop computer or a storage device, we wouldn’t be happy about it, but you’re not going to put a whole lot of people at risk,” he said.

The theft of the data, contained on either an optical disc or hard drive, was in a locked safe inside a locked cabinet in an office, Saanich police said. The sensitive data was unencrypted and contained personal information of anyone employed at UVic since January 2010. Pensioners are not at risk.

Scott McCannell, executive director of the Professional Employees Association, which represents nearly 880 UVic employees, is calling on the university to take better care of its staff’s information.

“We have some questions about how this could’ve occurred in the first place, and appropriate security measures,” he said. “We’ll be looking to have an understanding of what will flow out of this, in terms of revisions of UVic’s security processes and practices. An incident of a similar nature simply cannot take place in the future.”

He’s calling on the university to reimburse employees for all expenses incurred as they scramble to ensure their identities are safe.

McCannell also said some members have voiced concern about the timeline of the incident. Though police were made aware Sunday afternoon about the theft, employees weren’t notified until Monday afternoon.

“Obviously when we’re talking about the risks our members are facing, timely communications should be of the essence,” McCannell said.

However, Parsons, the PhD candidate, said UVic did do some things well in the wake of the theft.

“They can be seen as a model corporate citizen in the face of a disaster,” he said. “I’m happy I heard about this from UVic, as opposed to how (security breaches) are usually discovered: a section of the population starts noticing fraudulent activity, and when they work backwards they find the common link is this particular institution or that one.”

UVic sent out an email notification to most of the victims late Monday afternoon. An additional 700 letters were being mailed out to employees whose email addresses were out of date.

On Wednesday, UVic president David Turpin announced both an external and internal review of the security breach will be conducted.

“We’ll be looking for ways we can improve our security, and I have no doubt there’ll be a whole series of recommendations we’ll be acting on,” Turpin said when asked about the absence of an alarm system at the Administrative Services Building.

Neville says taking the precautionary steps recommended by the university –  talk to your bank about changing your accounts, and contact credit rating agencies about putting a flag on your name – is the best way to prevent yourself from becoming a victim.

“It’s important that those of us who are involved go through the process of changing all the numbers associated with our IDs. That makes that data much less valuable to those who have it,” Neville said.

Parsons says he’s waiting for the results of an internal review of UVic’s security practices before determining how to best fix holes in the existing system.

“We’ll have to identify whether this was an individual who made a serious error, with policy in place and it wasn’t followed, or if this is a problem at the university level, and employees aren’t educated or trained on how to properly manage personal information,” Parsons said. “But this shows that policy isn’t enough – there has to be some other level of technical protection.”


Just Posted

Full buses leave Colwood woman fuming over commute from West Shore

BC Transit plans to add eight double-deckers in 2020, will rotate on 50 and 61 routes

Saanich councillor tries his hand at design with cycling T-shirt

Positive response has avid cyclist considering making more to share

BC Hydro reservoirs see record low levels across Vancouver Island

Hydro electric watersheds are at a third of their normal levels

PHOTOS: City of Colwood hosts a ‘heartwarming start’ to the holidays

Colwood Christmas Light Up Celebration sees surge in attendance

Trauma sufferers support group takes shape on West Shore

Aaron’s Society open to more peer support groups with certified trauma practitioners

VIDEO: John Lennon’s iconic Rolls Royce rolls into Camosun College for checkup

Royal BC Museum, Camosun College and Coachwerks Restorations come together to care for car

POLL: Will you be donating to charities over the holiday season?

Many here in Victoria joined others around the world to take part… Continue reading

Greater Victoria Crime Stoppers wanted list for the week of Dec. 3

Greater Victoria Crime Stoppers is seeking the public’s help in locating the… Continue reading

VIDEO: Rockslide closes part of Highway 93 in Fairmont Hot Springs

Geotechnical team called in to do an assessment after rocks fell from hoodoos

Petition calls for appeal of ex-Burns Lake mayor’s sentence for sex assault

Prosecution service says Luke Strimbold’s case is under review

Northwest B.C. wildlife shelter rescues particularly tiny bear cub

Shelter co-founder says the cub weighs less than a third of what it should at this time of year

BC firefighters to help battle Australian bushfires

Canada sent 22 people, including 7 from B.C.

B.C. NDP touts the end of MSP premiums

Horgan, James held news conference to reiterate that people will get their last bill this month

Oscar Hickes: Longest running hockey tournament on Vancouver Island cancelled

Patrick Murray, one of the organizers for the tournament, broke the sad news on social media.

Most Read