Police have begun an investigation into the theft of
computer equipment last month from a Canada Customs and Revenue
Agency (CCRA) office which contained information on businesses and
individuals, including some social insurance numbers.
Four laptops - one of which was acting as a server - and two
desktops were stolen from the office in Laval, Quebec. According to
CCRA spokesperson Colette Gentes-Hawn, despite the theft’s
occurrence weeks ago, the CCRA waited until yesterday (30
September) to alert the public after working out exactly what
information was stolen.
The CCRA has stated that the databases contained no personal
income tax information, and it has reconstructed them to recapture
any lost data. The agency said this process has enabled it to
assess what information could have been stolen and potentially
inappropriately used. Most of the information contained in the
equipment was related to people within the construction industry
including contractors and sub-contractors, and could include
information such as names, addresses, payments and business
numbers. It also stated that the records contained some social
insurance numbers.
The government has started to send letters to approximately
120,000 people who might be affected, explaining the situation and
advising them on the appropriate steps to be taken.
The thieves gained access to the office by throwing a rock
through a window. However, the main laptop, which held most of the
stolen information, should have been locked away in a safe room,
which it was not.
Security of all CCRA offices across Canada is to undergo
additional review, and the CCRA is barring all windows on that
particular building.
Despite changes in physical security, the CCRA did not comment
on any new measures in terms of IT security. Although the stolen
laptop/server was password-protected, the data on the machine was
not encrypted. Gentes-Hawn did not know how many CCRA employees had
access to the password.
According to Rosaleen Citron, chief executive officer of Ontario
security software firm Whitehat, a "smash and grab" can happen to
anybody at any time, but corporations need to ensure that data is
protected. Assets such as desktops and laptops can be replaced but
information, if placed in the wrong hands, can become
dangerous.
"It doesn’t matter if it was an old database," Citron said
referring to the information held on the CCRA stolen equipment.
"The fact is that it had social insurance numbers, addresses, etc.
That’s all you need for identity theft. That’s all you need in the
black market to get a passport. It’s all a terrorist needs to get
their hands on."
Citron explained that a new privacy act coming into place in
Canada in January will ensure that corporations secure all data,
regardless of age. She strongly recommended that businesses encrypt
all data which can be accessed by someone.
So far no arrests have been made in the case.
Carly Suppa writes for ITWorldCanada.com