Canada’s privacy watchdog says some federal departments have no security procedures in place for recovering, wiping or encrypting lost and stolen BlackBerry smart phones.
The oversight is just one of a laundry list of potential privacy breaches highlighted by Privacy Commissioner Jennifer Stoddart in a new government report released Tuesday.
The report examined how five federal departments – Canada Mortgage and Housing Corporation, Correctional Service of Canada, Health Canada, Human Resources and Skills Development Canada, and Indian and Northern Affairs Canada – dispose of old PCs and manage their wireless security infrastructure. The five departments represent trends occurring throughout other government departments and were chosen because of the significant amount of personal data they collect, Stoddart said.
The report found that none of the five departments had fully assessed the threats and risks associated with smart phones and wireless communications.
Other notable wireless security issues found during the audit include the lack of any encryption policies for data stored on BlackBerry devices, the liberal use of BlackBerry’s PIN-to-PIN messaging system among bureaucrats, and weak password policies for mobile devices.
In an interview with ComputerWorld Canada, Stoddart said wireless security, mobile data encryption and BlackBerry usage policies “just don’t seem to be on the list of priorities” for most government departments.
“I find that very concerning. The implications for mistreating personal information are just enormous,” she said.
While the problem is not particular to Canada, she said, her report was intended to shed light of the potential privacy risks in an attempt to prevent a large-scale data breach from occurring. On a positive note, all five organizations have agreed to respond to the privacy commissioner’s report and will establish documented procedures for responding to lost or stolen devices.
Government-issued BlackBerry usage also came under fire in the report, as Stoddart said all five of the government agencies allow the use of BlackBerry Messenger platform.
The report said this direct form of communication circumvents the government’s corporate server and, according to Communications Security Establishment Canada, “is vulnerable to interception.”
The Communications Security Establishment Canada returned a call to ComputerWorld Canada, but declined to comment on the story.
Stoddart said that while these government departments have policies that state PIN-to-PIN messaging should only be used in “cases of emergency,” she widespread usage throughout all departments.
In addition to the wireless audit, Stoddart also expressed disappointment at the way government agencies disposed of electronic files on old PC hardware.
One “disturbing” example, Stoddart said, occurred after her office tested over 1,000 surplus computers that 31 federal departments donated to the Computers for Schools program. She said over 90 per cent of the federal departments donating to the program had failed to properly wipe out all of the data.
Some of the data uncovered in the audit was so highly sensitive that the PCs had to be returned to their originating departments for a proper data wipe, Stoddart said.
Follow Rafael Ruffolo on Twitter: @RafaelRuffolo.
