The director of a centre at the University of Victoria that focuses on cyber-security said the school dropped the ball by not preventing the theft of personal information affecting thousands of people.
A break-in at the Administrative Services Building late Saturday or Sunday netted thieves multiple pieces of electronic equipment. One storage device that was taken – the school won’t specify what kind – contained the digital banking information and Social Insurance Numbers of more than 11,000 past and present UVic employees.
Stephen Neville, director of the Centre for Advanced Security, Privacy, and Information Systems Research (ASPIRe), said UVic had the existing technology in place that should’ve stopped last weekend’s breach from happening.
“The degree to which people may be aware of these (available) options is the issue,” Neville said. “It comes down to an employee saying, ‘I need to back up (this information),’ as opposed to saying, ‘Are there better ways of backing up the information that protects the privacy of the data?'”
Whoever backed up the information didn’t handle it appropriately, he said.
Christopher Parsons, a UVic PhD candidate with a background in digital privacy, says he’s disappointed his personal information was so easily stolen.
“Here was personal information on a non-encrypted drive in an unsecured space – obviously something went wrong,” he said. “In addition to your banking information was your social insurance number. Social insurance (numbers) plus your name is one of the Holy Grails for identity theft or fraud.”
Neville agrees. “You can do a lot with that information, particularly since you don’t have to go out and collect it all separately – it’s all there in one source.”
Parsons’ background is at the University of Guelph, where, before coming to UVic, he successfully advocated to get all sensitive information saved on a server.
“Stealing a server would be very, very, very challenging. If you take a desktop computer or a storage device, we wouldn’t be happy about it, but you’re not going to put a whole lot of people at risk,” he said.
The stolen data, contained on either an optical disc or hard drive, was in a locked safe inside a locked cabinet in an office, Saanich police said. The sensitive data was unencrypted and contained personal information of anyone employed at UVic since January 2010. Pensioners are not at risk.
Scott McCannell, executive director of the Professional Employees Association, which represents nearly 880 UVic employees, is calling on the university to take better care of its staff’s information.
“We have some questions about how this could’ve occurred in the first place, and appropriate security measures,” he said. “We’ll be looking to have an understanding of what will flow out of this, in terms of revisions of UVic’s security processes and practices. An incident of a similar nature simply cannot take place in the future.”
He’s calling on the university to reimburse employees for all expenses incurred as they scramble to ensure their identities are safe.
McCannell also said some members have voiced concern about the timeline of the incident. Though police were made aware Sunday afternoon about the theft, employees weren’t notified until Monday afternoon.
“Obviously when we’re talking about the risks our members are facing, timely communications should be of the essence,” McCannell said.
However, Parsons, the PhD candidate, said UVic did do some things well in the wake of the theft.
“They can be seen as a model corporate citizen in the face of a disaster,” he said. “I’m happy I heard about this from UVic, as opposed to how (security breaches) are usually discovered: a section of the population starts noticing fraudulent activity, and when they work backwards they find the common link is this particular institution or that one.”
UVic sent out an email notification to most of the victims late Monday afternoon. An additional 700 letters were being mailed out to employees whose email addresses were out of date.
On Wednesday, UVic president David Turpin announced both an external and internal review of the security breach will be conducted.
“We’ll be looking for ways we can improve our security, and I have no doubt there’ll be a whole series of recommendations we’ll be acting on,” Turpin said when asked about the absence of an alarm system at the Administrative Services Building.
Neville says taking the precautionary steps recommended by the university – talk to your bank about changing your accounts, and contact credit rating agencies about putting a flag on your name – is the best way to prevent yourself from becoming a victim.
“It’s important that those of us who are involved go through the process of changing all the numbers associated with our IDs. That makes that data much less valuable to those who have it,” Neville said.
Parsons says he’s waiting for the results of an internal review of UVic’s security practices before determining how to best fix holes in the existing system.
“We’ll have to identify whether this was an individual who made a serious error, with policy in place and it wasn’t followed, or if this is a problem at the university level, and employees aren’t educated or trained on how to properly manage personal information,” Parsons said. “But this shows that policy isn’t enough – there has to be some other level of technical protection.”