UVic had technology in place to prevent data theft

Chair of UVic's cyber-security centre says incident was easily preventable

The director of a centre at the University of Victoria that focuses on cyber-security said the school dropped the ball by not preventing the theft of personal information affecting thousands of people.

A break-in at the Administrative Services Building late Saturday or Sunday netted thieves multiple electronic equipment. One storage device – the school won’t specify what –  that was taken contained the digital banking information and Social Insurance Numbers for more than 11,000 past and present UVic employees.

Stephen Neville, director of the Centre for Advanced Security, Privacy, and Information Systems Research (ASPIRe), said UVic had the existing technology in place that should’ve stopped last weekend’s breach from happening.

“The degree to which people may be aware of these (available) options is the issue,”  Neville said. “It comes down to an employee saying, ‘I need to back up (this information),’ as opposed to saying, ‘Are there better ways of backing up the information that protects the privacy of the data?'”

Whoever backed up the information didn’t handle it appropriately, he said.

Christopher Parsons, a UVic PhD candidate with a background in digital privacy, says he’s disappointed his personal information was so easily stolen.

“Here was personal information on a non-encrypted drive in an unsecured space – obviously something went wrong,” he said. “In addition to your banking information was your social insurance number. Social insurance (numbers) plus your name is one of the Holy Grails for identity theft or fraud.”

Neville agrees. “You can do a lot with that information, particularly since you don’t have to go out and collect it all separately – it’s all there in one source.”

Parsons’ background is at the University of Guelph, where, before coming to UVic, he successfully advocated to get all sensitive information saved on a server.

“Stealing a server would be very, very, very challenging. If you take a desktop computer or a storage device, we wouldn’t be happy about it, but you’re not going to put a whole lot of people at risk,” he said.

The theft of the data, contained on either an optical disc or hard drive, was in a locked safe inside a locked cabinet in an office, Saanich police said. The sensitive data was unencrypted and contained personal information of anyone employed at UVic since January 2010. Pensioners are not at risk.

Scott McCannell, executive director of the Professional Employees Association, which represents nearly 880 UVic employees, is calling on the university to take better care of its staff’s information.

“We have some questions about how this could’ve occurred in the first place, and appropriate security measures,” he said. “We’ll be looking to have an understanding of what will flow out of this, in terms of revisions of UVic’s security processes and practices. An incident of a similar nature simply cannot take place in the future.”

He’s calling on the university to reimburse employees for all expenses incurred as they scramble to ensure their identities are safe.

McCannell also said some members have voiced concern about the timeline of the incident. Though police were made aware Sunday afternoon about the theft, employees weren’t notified until Monday afternoon.

“Obviously when we’re talking about the risks our members are facing, timely communications should be of the essence,” McCannell said.

However, Parsons, the PhD candidate, said UVic did do some things well in the wake of the theft.

“They can be seen as a model corporate citizen in the face of a disaster,” he said. “I’m happy I heard about this from UVic, as opposed to how (security breaches) are usually discovered: a section of the population starts noticing fraudulent activity, and when they work backwards they find the common link is this particular institution or that one.”

UVic sent out an email notification to most of the victims late Monday afternoon. An additional 700 letters were being mailed out to employees whose email addresses were out of date.

On Wednesday, UVic president David Turpin announced both an external and internal review of the security breach will be conducted.

“We’ll be looking for ways we can improve our security, and I have no doubt there’ll be a whole series of recommendations we’ll be acting on,” Turpin said when asked about the absence of an alarm system at the Administrative Services Building.

Neville says taking the precautionary steps recommended by the university –  talk to your bank about changing your accounts, and contact credit rating agencies about putting a flag on your name – is the best way to prevent yourself from becoming a victim.

“It’s important that those of us who are involved go through the process of changing all the numbers associated with our IDs. That makes that data much less valuable to those who have it,” Neville said.

Parsons says he’s waiting for the results of an internal review of UVic’s security practices before determining how to best fix holes in the existing system.

“We’ll have to identify whether this was an individual who made a serious error, with policy in place and it wasn’t followed, or if this is a problem at the university level, and employees aren’t educated or trained on how to properly manage personal information,” Parsons said. “But this shows that policy isn’t enough – there has to be some other level of technical protection.”


Get local stories you won't find anywhere else right to your inbox.
Sign up here

Comments are closed

Just Posted

Victoria man collects 28 bags of trash along two-kilometre stretch of highway

20-year-old spent 12 hours collecting garbage near Thetis Lake

Greater Victoria infrastructure get millions in investments to help with economic recovery

New community spaces, health centre, turf fields coming for region

Ryan Reynolds matching fundraising dollars for B.C.’s Great Bear Rainforest

Vancouver-born actor appeals to the public with Make Ryan Pay! campaign

Sidney neighbours host miniature Dinner en Rouge after COVID-19 cancellation

Group came together to celebrate Canada Day safely

Victoria International Airport rolls out health and safety initiative

YYJ limits who can enter terminal along with other added safety measures

13 new B.C. COVID-19 cases, Langley Lodge outbreak ends

Health care outbreaks down to four, 162 cases active

Alberta health minister orders review into response after noose found in hospital in 2016

A piece of rope tied into a noose was found taped to the door of an operating room at the Grande Prairie Hospital in 2016

B.C.’s major rivers surge, sparking flood warnings

A persistent low pressure system over Alberta has led to several days of heavy rain

B.C.’s Indigenous rights law faces 2020 implementation deadline

Pipeline projects carry on as B.C. works on UN goals

‘Mind boggling’: B.C. man $1 million richer after winning Lotto 6/49 a second time

David O’Brien hopes to use his winnings to travel and of course keep playing the lottery

B.C. teacher loses licence after sexual relationships with two recently-graduated students

The teacher won’t be allowed to apply for a teaching certificate until 2035

Lower Mainland teacher facing child pornography charges

Elazar Reshef, 52, has worked in the Delta School District

All community COVID-19 outbreaks declared over in B.C.

Abbotsford manufacturer cleared by Dr. Bonnie Henry

Most Read