The disappearance of a hard drive containing thousands of customer records highlights the security implications enterprises face from employee theft and outsourcing data management, experts said Thursday.
Co. sent out a letter Monday to 180,000 of its life insurance and pension clients informing them that some of their personal information held on disk was missing. A disk drive was stolen from Information Systems Management (ISM) Canada, an IBM Canada subsidiary based in Regina. ISM was holding social insurance numbers, banking authorization, credit card numbers and dates of birth for Co-operators.
Sergeant Rick Bourassa of the Regina Police Service said that ISM reported the incident on Jan. 16. Investigators are still trying to determine whether the hard drive was stolen.
“We’re investigating it as a theft, but whether or not it was a theft, in a legal sense, is something that the investigation will bring to light,” he said. “It isn’t there, and I guess what they’re trying to determine is why it isn’t there, and how that happened.”
Co-operators CEO Kathy Bardswick held a press conference in Mississauga, Ont. on Thursday and said the company first learned of the missing drive on Jan. 23. “We have no reason to believe that information has been accessed and we have no reports of illegal activity,” she said. “However, we have been informed that it would be possible for sophisticated fraud rings to use this information for criminal purposes.”
Data from other private and public sector companies, including SaskTel and SaskPower, was also contained on the disk. SaskTel did not return calls for comment at press time.
According to Mary Kirwan, a lawyer and senior director with Mississauga, Ont.-based security company Kasten Chase, this type of theft is more common than people are led to believe. The Co-operators case is a rare instance in which it has actually been reported.
“Unfortunately, sometimes companies put in every type of security that you can think of, then they forget that sometimes the biggest weak link is their employees,” said Kirwan. “Insider attack is usually the vulnerable point.
“You could have a lot of good security (but) you might not have proper policies and procedures in place in terms of your employees. You might just have a few bad eggs.”
Bardswick said that the insurance company is conducting its own review of security procedures and is helping investigate the matter with ISM and Regina police. Whether the company will terminate its contract with ISM will be determined pending the review. ISM did not return calls for comment at press time.
“I think that every organization needs to be vigilant to do what it can to prevent this kind of an occurrence from happening. At this point our investigation is not complete. I can’t actually comment on what did go wrong, if anything,” said Bardswick.
The risk of data loss increases if its management is outsourced to another provider, said IDC analyst Jonathan Gaw. “Oftentimes the people that you outsource to don’t have the same kind of sensitivities to these things that perhaps an insurance company might.”
He said that encryption is the only way to ensure that data won’t be compromised, but some security companies view tighter measures as a tradeoff. “The fault does not lie in the technology itself,” he said. “You can make these things secure. It’s the management of the information that’s the problem. When businesses actually start to incur a cost that’s higher than the cost of safeguarding the data, then they’ll stop.”
Kirwan added that industrial espionage is also on the rise and agreed that encryption is a well-established failsafe. “It’s the ultimate defence. If you encrypt the data, it’s gibberish.”
Bardswick said that some of the information was encrypted and some of it was password-protected. The company has backups of all of the missing data.
To date, police have not received any information that anyone’s personal information has been misused, Bourassa said. “Part of an investigation is keeping one’s mind open to all the possibilities,” he said. “It could be something as simple as somebody needing or wanting a piece of hardware and not wanting to pay for it.”
Co-operators has established a phone line for customers who have concerns about their account information at (800)604-0050. By Wednesday night, it had received 200 calls. Bardswick wasn’t specific but said that number grew significantly throughout Thursday.
— with files from Shane Schick