Canadian security experts lambasted the Canada Customs and Revenue Agency Tuesday over the lack of encryption to protect the personal data of more than 120,000 individuals that was lost when one of its servers was stolen from a regional office.
The CCRA admitted the breach weeks after its Quebec Tax Service office was broken into on Sept. 4. Local police in Laval, Que. are working with the RCMP on the case, an official said, while the CCRA is conducting an internal review of its processes. One of the four stolen laptops, which acted as a server, contained a database with unencrypted information including names, dates of birth, social insurance numbers and home addresses but not personal income tax information, according to the CCRA. Most of the records included T-5018s, a document similar to a T4, that contractors and sub-contractors have had to file since 1999.
The database spanned records from 1999 to 2001. Approximately 94,000 of those affected were in the construction industry. The rest of the records contained information on employment insurance and Canada Pension Plan Rulings on contract and independent workers.
CCRA spokesman Dominque McNeely said it did not want to make the information public until it had contacted those affected by letter.
“We had to check to make sure we were contacting the right clients,” he said. “It did take us a while, but we had to make literally millions of calls and checks within our system.”
McNeely said the servers were not contained in their usual locked room at the time of the theft. “It was in our office, which is protected by an alarm system, but most police agencies will concur that it is practically impossible to stop a determined thief,” he said. “We could talk about human error, but it’s not like we left them the front lawn.”
The CCRA has put a 24-hour security guard on patrol at the office since the incident, McNeely said, and bars are being installed on the ground floor where a window was smashed.
“Our servers aren’t encrypted,” he said. “They’re only password-protected because if our servers were encrypted it would slow down our operations to a point where it just wouldn’t be workable. That’s why we keep them locked in a more secure room.”
Critics said there is no excuse in today’s environment for claiming that reasonable encryption has a performance problem on IT equipment.
“That’s utter, unmitigated nonsense,” said Mich Kabay, associate professor in the department of computer information systems at Norwich University in Northfield, Va. “You can use perfectly reasonable key lengths with off-the-shelf encryption software and do a reasonable job of interfering with all but a systematic, government-sponsored cracking attempt.”
Paul K. Wing, a Toronto-based independent security consultant and the former head of IT at Scotiabank, said there are known techniques using digital certificates that enable organizations to separate the personal data and transactional history onto different servers.
“The government hasn’t shown enough leadership around how to protect data that’s stored and how to anonymize data,” he said. “You don’t have to have files of data sitting on a database that have my name and address and the things that link to me.”
The incident marks the second time this year a CCRA office has lost confidential information. In February, a server along with eight laptops containing information on 538 income assistance clients was stolen from a two-storey Coquitlam, B.C. CCRA location. In that case, the CCRA had backup files and the government said service wasn’t interrupted, but it did prompt a review of the B.C. government’s plan to place management of its IT infrastructure under the Ministry of Management Services.
The data and physical security of CCRA facilities have frequently attracted the concern of privacy experts, given the vast array of information the agency holds. In April, for instance, the CCRA agreed to reduce the amount of information from its database of travel information with other government departments under pressure from former Privacy Commissioner of Canada George Radwanski. Containing more than 30 data elements — including where and with whom citizens travel, payment for tickets and contact information — the database was sometimes used to monitor Canadians for possible tax infractions or other criminal activity.
Two weeks ago, the CCRA discussed a program called CANPASS whereby Canadians could speed their entry through customs by undergoing a thorough background check and recording biometric information including a scan of their iris for identification purposes.
Kabay, who once taught information security courses for the Institute for Government Informatics Professionals of the Government of Canada, said there is a growing list of identity theft incidents at governments around the world similar to those suffered by the CCRA.
“There is a general lack of awareness of the dangers around physical access to devices,” he said. “But more important, encryption is not generally widespread. This is a pity, because it’s . . . a relatively trivial matter to enable an encrypting file system.”
Wing, who recently authored the book Protecting Your Money, Privacy and Identity From Loss and Misuse, argued that policy around encryption, like the number of custodians in charge of a particular key, may be the bigger issue.
“Encryption is an effective technical control, but the encryption is only as good as the management process around it,” he said. “If someone’s determined to get to the identities of 100,000 Canadians, then one more step of trying to get at that encryption may not be a deterrent to them.”
The CCRA has created a toll-free number that it has provided with a letter to all those affected by the server theft.