Computer theft shakes Canada agency

Police have begun an investigation into the theft of computer equipment last month from a Canada Customs and Revenue Agency...

Police have begun an investigation into the theft of computer equipment last month from a Canada Customs and Revenue Agency (CCRA) office which contained information on businesses and individuals, including some social insurance numbers.

Four laptops - one of which was acting as a server - and two desktops were stolen from the office in Laval, Quebec. According to CCRA spokesperson Colette Gentes-Hawn, despite the theft’s occurrence weeks ago, the CCRA waited until yesterday (30 September) to alert the public after working out exactly what information was stolen.

The CCRA has stated that the databases contained no personal income tax information, and it has reconstructed them to recapture any lost data. The agency said this process has enabled it to assess what information could have been stolen and potentially inappropriately used. Most of the information contained in the equipment was related to people within the construction industry including contractors and sub-contractors, and could include information such as names, addresses, payments and business numbers. It also stated that the records contained some social insurance numbers.

The government has started to send letters to approximately 120,000 people who might be affected, explaining the situation and advising them on the appropriate steps to be taken.

The thieves gained access to the office by throwing a rock through a window. However, the main laptop, which held most of the stolen information, should have been locked away in a safe room, which it was not.

Security of all CCRA offices across Canada is to undergo additional review, and the CCRA is barring all windows on that particular building.

Despite changes in physical security, the CCRA did not comment on any new measures in terms of IT security. Although the stolen laptop/server was password-protected, the data on the machine was not encrypted. Gentes-Hawn did not know how many CCRA employees had access to the password.

According to Rosaleen Citron, chief executive officer of Ontario security software firm Whitehat, a "smash and grab" can happen to anybody at any time, but corporations need to ensure that data is protected. Assets such as desktops and laptops can be replaced but information, if placed in the wrong hands, can become dangerous.

"It doesn’t matter if it was an old database," Citron said referring to the information held on the CCRA stolen equipment. "The fact is that it had social insurance numbers, addresses, etc. That’s all you need for identity theft. That’s all you need in the black market to get a passport. It’s all a terrorist needs to get their hands on."

Citron explained that a new privacy act coming into place in Canada in January will ensure that corporations secure all data, regardless of age. She strongly recommended that businesses encrypt all data which can be accessed by someone.

So far no arrests have been made in the case.

Carly Suppa writes for

Read more on IT risk management