In mid-July 2012, Elections Ontario made the worrisome announcement that the personal information of up to 2.4 million Ontarians had been compromised. This is the largest personal information breach in the province’s history. As a substantial amount of personally identifiable information (PII) had been lost in this data breach, the situation is being investigated by both the Ontario Provincial Police and Ontario’s Information and Privacy Commissioner, Ann Cavoukian.
Privacy Breach Notification
On July 17, 2012, the Chief Electoral Officer of Ontario, Greg Essensa, made the announcement that a privacy breach had occurred with respect to personal information. The breach involved voters in approximately 20-25 electoral districts.
The information compromised is limited to full name, gender, birth date, address, whether or not an elector voted in the last provincial election and any other personal information updates provided by voters to Elections Ontario during that time, as well as administrative codes used solely for election purposes.
Essensa made it clear that the information breached did not include how an individual voted. As the voting process guarantees the secrecy of the vote, Elections Ontario does not store such information. Other particularly sensitive personal information (e.g. Social Insurance Numbers, Ontario health card information, driver’s license information, telephone numbers, email addresses, credit card or banking information, etc.) was not breached.
This breach occurred via the disappearance of two USB memory sticks from an Elections Ontario office located in Scarborough. According to security protocols, the information should have been stored on encrypted and password-protected portable storage devices. The devices should also have been locked up when not in use. However, these protocols had not been followed, admitted Essensa.
According to Essensa,
“I take this matter extremely seriously and I sincerely apologize to all Ontarians for any concern that this notification may cause.
We have undertaken a rigorous search as well as undertaken a full internal investigation to completely review the matter and circumstances leading to the USB key’s disappearance…
To provide support to Ontarians we have set up a call center to address any public inquiries regarding this notification, including confirming what electoral districts individual voters may reside within.”
It is important to note, however, that there is no evidence that any voter’s personal information has been inappropriately accessed as a result of this data breach.
Background on the Breach
It’s possible that the breach began with the results of the provincial election last fall. According to an initial report on the breach, conducted by law firm Gowling Lafleur Henderson, the instability of a minority government meant that Elections Ontario had to be ready to conduct another election on short notice.
Unfortunately, Elections Ontario headquarters in Scarborough did not have sufficient room to store materials for both the election that just took place, and for the future election at the same time. This led to the agency leasing more space (also in Scarborough). It was at that location where the data breach took place, sometime in late April 2012.
A team of employees working at that temporary facility was responsible for quickly updating the voter list, based on information collected during the fall election – the “Strike-Off Project,” as it was colloquially known. This team was equipped with 17 laptops, which were not networked or otherwise connected to Elections Ontario’s central network. Information had to be transferred between the network and the laptops through two memory sticks.
After an unexpected issue at their workplace, employees returned to discover that the two unencrypted, unsecured USB sticks were missing. The team had been working with information from 49 of the province’s 107 ridings. The two memory sticks contained information from 20 to 25 of those ridings; however, Elections Ontario does not know which of the 49 ridings were breached.
Ann Cavoukian, Information and Privacy Commissioner of Ontario, has recommended on a number of occasions that this kind of sensitive personal information should not be stored on mobile devices, especially those that are unsecured and unencrypted. Cavoukian commented, “I am deeply disturbed that a breach of this extent, the largest in Ontario history, involving millions of individuals, could happen at Elections Ontario – the agency charged with protecting the integrity of our electoral process.”
While fraud experts believe that the breach of information such as an address or birth date is not as serious as losing a Social Insurance Number, computer security experts say it’s still important to be vigilant. According to Associate Professor and computer security expert Thomas Dean, “It’s not just them going to the banks and pretending to be you, it’s them coming to you and pretending to be institutions [to get more personal information] as well.”
It is hoped that Elections Ontario, along with other government agencies in Ontario and across Canada, will learn from this devastating breach of personal information, the largest of its kind in the province’s history.
In July 2012, Elections Ontario released a Privacy Breach Notification regarding voters in 20-25 electoral districts who participated in the fall 2011 elections. While there is no evidence suggesting that the information has been improperly accessed, the personal information of up to 2.4 million Ontarians was compromised in this event. What made this especially concerning was that the information was stored on unsecured, unencrypted mobile storage devices. The privacy breach is now being investigated by the Ontario Provincial Police as well as the Information and Privacy Commissioner of Ontario.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Canada (CIPP/C) exam, a privacy professional should be comfortable with topics related to this post, including:
- Provincial and territorial privacy commissioners (I.A.c.i.1.b.)
- Types of personal information – public records, private/sensitive information (I.B.a.ii.; I.B.a.iii.)
- Privacy Act of Canada (III.A.a.)