Phoenix breaches known for year
The government encountered not one, but two privacy breaches with the problematic Phoenix pay system, and was aware of the issue more than a year ago, officials acknowledged Thursday.
In an open letter to public servants, posted online Thursday, Public Services and Procurement Canada deputy minister Marie Lemay said that in both cases, “There was no evidence that employee personal information ever left the hands of federal employees or government contractors.”
The first privacy breach issues surfaced between March and July 2015. The latest, as widely reported earlier this week, occurred between February and April of this year.
Lemay said the breaches arose during the testing and early implementation of Phoenix, and that “system adjustments and fixes were quickly implemented to prevent further breaches.”
The open letter was published after media reports on the latest privacy breach, in which personal information of all 300,000 civil servants enrolled in the Phoenix pay system could be accessed by as many as 70,000 federal employees.
“I understand that employees may be concerned about this, and I want to assure you that we take the safeguarding of employee personal information very seriously,” Lemay wrote, saying the government followed a “systematic approach … to assess and address causes and consequences.”
According to a CBC News report, documents released this week show officials were warned as early as Jan. 18 of the flaw that allowed the privacy breach.
Despite Thursday’s revelation that the department knew about potential problems a year ago, Minister Judy Foote told CBC she learned only this week of the internal breach of private information.
Contrary to media reports, Lemay said the latest breach, which occurred shortly after Phoenix was launched earlier this year, contained only the names and personal record identifiers (PRIs) of affected employees — not social insurance numbers, as was previously feared.
In the 2015 breach, scrambled PRIs, employee names and pay amounts “were inadvertently used by IBM to test the system during the development phase. … This information was immediately deleted as soon as the issue was detected,” Lemay said.
The Privacy Commissioner reviewed that case and determined that Public Services and Procurement Canada had taken the appropriate steps. Both departments agreed “that the risk to individuals was very low and that no further action … was required.”