Gamblers’ data stolen from federal bureaucrat
Laptop, reports, USB key taken from car
The federal agency charged with preventing the flow of money to organized crime and terrorists had an encrypted laptop, hard-copy reports and an unencrypted USB memory stick stolen in October, exposing the personal information of patrons at two Alberta casinos, including how much money they gambled.
The theft of information from the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) is a first for the agency.
The encrypted laptop and reports were inside a locked briefcase that was stolen from the locked trunk of a rental car in broad daylight after a FINTRAC employee left the vehicle in a Calgary parking lot, apparently while going for lunch. Theft from parked vehicles is not an unusual occurrence in Calgary, but a briefing note for Finance Minister Jim Flaherty says it isn’t clear whether the theft was targeted.
Inside the briefcase was information on how two casinos and a “dealer in precious metals and stones” report transactions to FINTRAC and how they keep client information, in accordance with federal laws combating money laundering and terrorist financing. There was no credit card or bank account information stolen, but other personal data on Canadians were on the pages of the reports that went missing.
“This theft included personal information, such as name, addresses, date of birth and occupation, as well as the reference numbers of government-issued identification documents used to ascertain the identity of patrons,” the ministerial note reads. “It also includes data such as the amounts patrons may have spent or received while at the casinos.”
A spokesman for FINTRAC said Friday that the laptop contained information on about 480 people, with about 290 more on the USB key or in the reports. Spokesman Darren Gibb said all 777 individuals affected by the breach were notified through registered letters sent in November.
Gibb said the agency believes no one besides authorized staff would be able to get into the encrypted laptop.
The agency conducted an internal investigation and found “a security procedure in the use of USB keys was not followed,” Gibb said. As for the employee involved in the incident, Gibb said: “Appropriate measures have been taken.”
Gibb said the agency has changed the way it transports information and has put in place new technologies to reduce the risk of breaches.
The revelation of another data breach at a federal agency had the opposition New Democrats suggesting the Conservative government continues to gamble with information on government operations and Canadians.
“You can’t just leave stuff in cars,” said NDP privacy critic Charlie Angus. “This is major data that could be used by organized crime … and the government was trying to hide this from Canadians.”
Preventing data breaches and shoring up cyber-security has been an ongoing issue for the federal government. It was brought to the forefront recently after a report suggested the Chinese military hacked more than 100 western companies in the past six years, including two in Canada. With that backdrop, the Liberals on Friday asked the Commons national security committee to study cyber-security.
In her most recent report, Privacy Commissioner Jennifer Stoddart wrote that she received a record number — 80 — of reported data breaches at federal agencies in 2011.
Last year, her office was made aware of two breaches at Human Resources and Skills Development Canada, including one where a portable, external hard drive containing the social insurance numbers of about 583,000 Canada Student Loan borrowers went missing from national headquarters. That loss was made public two months after the device was noticed missing on Nov. 5.
The same department also lost a USB key with information on 5,000 Canadians applying for disability payments. In both cases, the storage devices were neither encrypted nor password-protected.
“It’s like this government really doesn’t get it,” Angus said. “They don’t get the importance of protecting data.”
According to the one-page question period note, prepared for Flaherty so he had answers ready should opposition parties query him in the Commons, the information was stolen on Oct. 18, 2012.