

lugnut

@communications.com

[Serious] HRSDC does it again!!!

What the hell is wrong with these people? Why are government computers even allowed to use USB access for this kind of thing?

»www.cbc.ca/news/canada/story/201 ··· ?cmp=rss

quote:
Federal agency loses data on 583,000 Canadians

A portable hard drive containing personal information about more than half a million people who got student loans has gone missing, the federal government revealed Friday.

Human Resources and Skills Development Canada says the device disappeared from an HRSDC office in Gatineau, Que., in early November.

The hard drive had personal information on 583,000 Canadians who were clients of the Canada Student Loans program from 2000 to 2006. Borrowers from Quebec, Nunavut and the Northwest Territories are not affected.

The information on the missing hard drive includes:

Student names, social insurance numbers, dates of birth, contact information and loan balance of Canada Student Loan borrowers.
Personal contact information for 250 HRSDC employees.

The government says no banking or medical information was on the hard drive.

...snip...


I swear government security in this country is looser than my stools after a curry dinner


Mike2009

join:2009-01-13
Ottawa, ON
kudos:3
People need to be fired for this. There's no excuse.

zod5000

join:2003-10-21
Victoria, BC
Reviews:
·Shaw
reply to lugnut
Ouch. I graduated in '04, so that pretty much covers every year I was in university taking student loans.

I did pay them off a few years ago though. Hopefully my data isn't on there (as my file would of been closed in '09).

ugh. thats really really bad.


Thane_Bitter
Inquire within
Premium
join:2005-01-20
reply to lugnut
Third time's a charm, bet they misplace another this month.

HoboJ

join:2008-03-27
Cornwall, ON
kudos:1
reply to lugnut
It's mind boggling to think that my personal information can be moved around and/or stored on portable hard drives and USB keys. Such sensitive information should never be allowed to be put on portable digital media like on secure DND networks.

peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON
reply to Mike2009
said by Mike2009:

People need to be fired for this. There's no excuse.

Actually there is. Often workers are put in compromising positions with protecting information and are used as scapegoats when things they have little or no control over go south.


lugnut

@communications.com
said by peterboro:

said by Mike2009:

People need to be fired for this. There's no excuse.

Actually there is. Often workers are put in compromising positions with protecting information and are used as scapegoats when things they have little or no control over go south.

Actually there is NO excuse for this. Government employees are paid top dollar and benefits in order to attract the "best" IT employees available. It was up to that bunch of PhDs to design and implement a world class, government class security system to protect sensitive information. Somewhere, somehow, some government administrative egghead dropped the ball on the design and implementation and by all means that's exactly where the buck is supposed to stop.

Of course, the old boys network of the civil service will protect him from actually facing any consequences and the keystone cops will continue to run the government's IT departments without so much as a hiccup.

Like I said in my first post, how hard IS IT to disable user access to USB on these machines? On Linux it's trivial. What kind of sh*ts for brains are running the department?


Last Parade

join:2002-10-07
Port Colborne, ON
reply to zod5000
said by zod5000:

Ouch. I graduated in '04, so that pretty much covers every year I was in university taking student loans.

I did pay them off a few years ago though. Hopefully my data isn't on there (as my file would of been closed in '09).

ugh. thats really really bad.

Did you graduate?

zod5000

join:2003-10-21
Victoria, BC
Reviews:
·Shaw
said by Last Parade:

said by zod5000:

Ouch. I graduated in '04, so that pretty much covers every year I was in university taking student loans.

I did pay them off a few years ago though. Hopefully my data isn't on there (as my file would of been closed in '09).

ugh. thats really really bad.

Did you graduate?

Yes. Not with an English degree though

peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON
reply to lugnut
said by lugnut:

Actually there is NO excuse for this.

I said often workers are put in compromising positions and that statement covers more than this case alone.

"some government administrative egghead" are who put the safeguards in place that compromise thousands of front line workers if not designed properly.

Then if there is a breach who do you think gets screwed over? That's right the worker not administration who set up the system.

So yes there are thousands of excuses out there just waiting for the next security breach.

jobr

join:2004-10-21
Halifax, NS
reply to lugnut
Seriously, what sort of IT people do they have? Sensitive personal information like this should be stored on a server with strong encryption, with no possibility for employees to export the data.

Like others already said, there is no excuse. Especially since they've screwed up before.


Mike2009

join:2009-01-13
Ottawa, ON
kudos:3
reply to peterboro
My employer would fire me over this. It's clearly communicated to us not to do something so stupid. They should fire someone higher up like a director responsible for the department in question.

peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON
said by Mike2009:

My employer would fire me over this. It's clearly communicated to us not to do something so stupid. They should fire someone higher up like a director responsible for the department in question.

Each case turns on its merits and if you were warned and repeatedly, and unequivocally, breached protocol, that was properly instituted, then yes you should be terminated.

However that protocol should also be the subject of scrutiny. Was it set up properly? Were employees properly trained on it? Were employees adequately advised they could be terminated?


Mike2009

join:2009-01-13
Ottawa, ON
kudos:3
If the federal government doesn't have policies set up to address this kind of thing then there's an even bigger problem.

MichelR

join:2011-07-03
Ottawa, ON
You screw up like this in my department and it's an automatic firing. Also depending on the gravity of the screw up, there may be criminal prosecution (that's in the law governing my department). Security of information is pretty much the "prime directive" and there are no excuses.

I never understood how in hell confidential data ends up on USB keys, portable hard drives or laptops that can be taken off the premises. How many stories like this have we seen in the past few years, from governments, insurance companies, credit card companies etc? And of course most of the time the data isn't even encrypted.

peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON
reply to Mike2009
said by Mike2009:

If the federal government doesn't have policies set up to address this kind of thing then there's an even bigger problem.

It is how the policy was set up and the appropriate safeguards.

In all likelihood the policies are set up to provide isolation of discipline the further you go up the food chain in an organization.


urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable
reply to jobr
said by jobr:

Seriously, what sort of IT people do they have?

I'm wondering the same thing... there really is no excuse for this as there shouldn't be a single, portable hard drive floating around that has sensitive data. There's nothing anyone can say that would mitigate the necessity to fire someone, whether it's someone in management that allowed these files to reside on a portable drive or someone in IT that doesn't know what the fuck they're doing.

Sadly federal IT is fractured and there's no unified system of rules and procedures so it doesn't surprise me when an aspect of the federal government has inept IT people.


Styvas
Go Canucks Go
Premium
join:2004-09-15
Hamilton, ON
reply to lugnut
Hmmm...I think my wife would fit the description. She's paid hers off in the last year or two, but presumably that doesn't make a difference in terms of inclusion in this data loss. I guess we'll be checking her credit history in a few weeks. I'm feeling better about that I.D. theft coverage all of a sudden.
--
"Moving your Tylenol to the low shelf in your medicine cabinet is not the way to prevent children from falling off a stool when reaching for the top shelf." (said by Savant, May 2008)

peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON
They are obligated to notify her.


Mike2009

join:2009-01-13
Ottawa, ON
kudos:3
I've heard from several people who have been notified and they're not happy.


Rifleman
Premium
join:2004-02-09
p1a
reply to lugnut
What probably happened is the data was kept on that one stick for various people who needed that data to use. Someone either lost it or misplaced it.

peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON
reply to Mike2009
said by Mike2009:

I've heard from several people who have been notified and they're not happy.

Class action like one being initiated in Peterborough against the hospital.

MichelR

join:2011-07-03
Ottawa, ON
reply to Rifleman
said by Rifleman:

What probably happened is the data was kept on that one stick for various people who needed that data to use. Someone either lost it or misplaced it.

You keep that kind of stuff on secure servers, not on a USB stick or portable drive. Confidential data should not leave the office anyway.


Mike2009

join:2009-01-13
Ottawa, ON
kudos:3
Reviews:
·TekSavvy DSL
said by MichelR:

said by Rifleman:

What probably happened is the data was kept on that one stick for various people who needed that data to use. Someone either lost it or misplaced it.

You keep that kind of stuff on secure servers, not on a USB stick or portable drive. Confidential data should not leave the office anyway.

Exactly. We're not allowed to leave the office with confidential documents containing personal information.


urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable
reply to MichelR
said by MichelR:

You keep that kind of stuff on secure servers, not on a USB stick or portable drive.

And even backed up onto a removable media, like tape, it should be encrypted.

MichelR

join:2011-07-03
Ottawa, ON
said by urbanriot:

said by MichelR:

You keep that kind of stuff on secure servers, not on a USB stick or portable drive.

And even backed up onto a removable media, like tape, it should be encrypted.

Always. Hell, even my own personal stuff at home is encrypted. It's not like it's hard.


Styvas
Go Canucks Go
Premium
join:2004-09-15
Hamilton, ON
reply to peterboro
said by peterboro:

They are obligated to notify her.

I doubt she's updated her address since she paid it off. They might not be able to reach her.
--
"Moving your Tylenol to the low shelf in your medicine cabinet is not the way to prevent children from falling off a stool when reaching for the top shelf." (said by Savant, May 2008)

peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON
said by Styvas:

said by peterboro:

They are obligated to notify her.

I doubt she's updated her address since she paid it off. They might not be able to reach her.

I have a relative who meets the criteria and hasn't changed his address so we'll see if something shows up.

NefCanuck

join:2007-06-26
Mississauga, ON
Reviews:
·voip.ms
reply to lugnut
Here's the problem with everyone saying "This shouldn't happen" you all want government workers to "work for their money" guess what that means?

It means that they have to have access to that data, whether by remote access or downloading files onto another medium to work elsewhere with them.

Remote access to be blunt is a right royal pain in the ass because the connections drop randomly causing work to be lost or worse yet data to be destroyed. Imagine the uproar if by remotely accessing an original file and a connection was lost, personal data was damaged / destroyed?

Should the copied data have been unencrypted? Hell no, if anything it should have been loaded onto a USB key that required a password and if the password check failed the data would automatically be destroyed (there are USB keys that offer that level of security)

But ultimately that type of security costs money, are you willing to pay for that?

NefCanuck


lugnut

@communications.com
Considering every low life government weasel working for the federal government starts off with pretty close to a 6 figure salary PLUS gold plated benefits and pension, I'd have to say WE ARE ALREADY PAYING for surgical precision when it comes to handling our data.

Besides, hardware is always the cheapest part of any IT budget. It's administrators and analysts and programmers and software licenses that cost the big bux.

I don't think it's outrageous to feel violated when one hears that half a million people were identity raped by a $5 USB key you can buy at any Staples outlet.

Besides, administering an IT system is MORE than just buying hardware and software and praying that it works together. It's up to the analysts and the PhD department heads to DESIGN AND IMPLEMENT PROCEDURES as well as hardware and software to ensure that cockups like this and too many others like it SHOULD NEVER HAPPEN!

Frankly I'd have to say this justifies firing anyone who was responsible for setting up the procedures that allowed this to happen in the first place. The only things that should plug into the USB port of a government computer and be granted permission to work are a mouse, a keyboard and a printer. Granting file system access to a government networked computer's USB port is just sloppy administration and system design. Pure and simple.

And trust me, we're already paying these department heads quarter million dollar salaries.

No wonder we're pissed that we're not getting our money's worth.
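
The "mouse, keyboard and printer only" rule from the post above can be checked on a Linux host by reading each USB interface's class code from sysfs. This is an added example, not part of the thread or any poster's code; the function names are hypothetical, and allowing hubs (class 09) is an assumption made here because devices attach through them.

```shell
#!/bin/sh
# Added example: audit attached USB interfaces against a class allowlist.
# Allowlist mirrors the post: HID (03, mouse/keyboard) and printer (07).
# Hub (09) is also allowed; that is an assumption, not from the thread.
ALLOWED_CLASSES="03 07 09"

# usb_class_name CLASS_HEX -> readable name for the common class codes
usb_class_name() {
    case "$1" in
        03) echo "HID" ;;
        07) echo "printer" ;;
        08) echo "mass-storage" ;;
        09) echo "hub" ;;
        *)  echo "other" ;;
    esac
}

# audit_usb [SYSFS_ROOT]
# Prints one DENY line per interface whose class is not allowlisted.
# Returns 0 when every interface is allowed, 1 otherwise.
audit_usb() {
    root="${1:-/sys/bus/usb/devices}"
    violations=0
    for f in "$root"/*/bInterfaceClass; do
        [ -r "$f" ] || continue      # glob matched nothing, or unreadable
        cls=$(tr -d '[:space:]' < "$f")
        case " $ALLOWED_CLASSES " in
            *" $cls "*) continue ;;  # class is on the allowlist
        esac
        iface=$(basename "$(dirname "$f")")
        echo "DENY $iface class=$cls ($(usb_class_name "$cls"))"
        violations=$((violations + 1))
    done
    [ "$violations" -eq 0 ]
}
```

Calling `audit_usb` with no argument reads the live `/sys/bus/usb/devices` tree. It only reports; enforcement is a separate step, such as keeping the `usb-storage` kernel module from loading.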