Missing Hard Drive Spurs Data-Theft Fears In Canada
DevNull writes "A government of Saskatchewan (Canada) hard drive has gone missing, and it contains significant personal data - in fact, the government won't even detail what all is contained in it. Read about it from the CBC. So much for people who think the internet is the cause of all their security fears! Identity theft is the major concern at the moment."
B5_geek links to this report on Bloomberg.com which says that "[t]he information includes names, addresses, beneficiaries, social insurance numbers, pension values, pre-authorized checking information and mothers' maiden names," according to Co-operators Chief Executive Kathy Bardswick.
It was encrypted, wasn't it? (Score:2, Funny)
REGINA - Thousands of Canadians across the country are being cautioned that a computer hard drive missing for two weeks from a Regina office contains their personal data. Saskatchewan government officials fear the data could be misused.
And people give de Raadt a hard time for encrypting the swap file...
Ugh (Score:3, Interesting)
Security, security, security, people. It's my (and your) information we're dealing with here. I'd sooner it not be put in the hands of the lowest bidder, Thankyouverymuch.
Re:Ugh (Score:3, Insightful)
And let's not forget PHYSICAL security, somebody had to go in, remove the hard drive from the computer (I assume it was in active use..) and walk out with it.
Re:Ugh (Score:1)
That doesn't mean they're not reinsuring you though... Insurance companies spread the risk around. One company will reinsure another company's policies.
A global ID (Score:2, Interesting)
Like it or not, at some point it seems like EVERYONE's data gets stolen. I'm uber-paranoid about giving my info to anyone, but I KNOW that there is info floating around the internet about me that someone could use to steal my identity. Is anyone working on a two part identity system like this that isn't proprietary?
Shawn
Re:A global ID (Score:2)
A global ID would be worse... (Score:1)
Seems like a global ID would just be that much worse: a new target that is even better than the SSN in the hands of thieves.
So, I agree with the parent that
Not relying on one single id system is, imho, an important part of protecting your id, because that makes you less vulnerable to id theft.
Yeah, it makes things more complex for governments (and even for us poor slobs with more things to remember), but a single target is just too tempting to criminals.
(cough... windows viruses...
If found, send to... (Score:4, Funny)
Physical security is important too... (Score:3, Interesting)
Software security means squat diddly if someone can just pop the HDD in as a slave.
Re:Physical security is important too... (Score:2)
On a side note, anyone involved in a company with layoffs... did you lock your door in fear of disgruntled employees going on a shopping-spree in your office? Heh.
The Co-Operators (Score:5, Informative)
Check out this article [canada.com] (Regina Leader Post).
(OT: Have you noticed that there are more and more threads on Slashdot that have less than 10 comments? Hmmm...)
Re:The Co-Operators (Score:2)
(OT: Have you noticed that there are more and more threads on Slashdot that have less than 10 comments? Hmmm...)
If you have the "collapse sections" option on, you get to see all the stories that are in other sections but not officially on the front page. Those are seen by a lot fewer people (those that look at the section, and people with that option on).
Now I also use the option and I know no easy way to tell if this story is on the front page, but judging from the number of comments it probably isn't.
This company is an IBM subsidiary (Score:3, Insightful)
The amount and detail of data makes this a SCARY situation.
Contracts (Score:1)
so? (Score:5, Funny)
I mean, these days any schmo with an iBook goes
Then just unmount the drive image (drag it in the finder from your desktop to the trash -- which will turn into an eject button) before you leave your computer for the day, or whenever somebody's using it who shouldn't have access to the contents of that drive -- even if they're using your account, cuz' you're letting them sit at your computer.
Double-clicking the drive image prompts for a password (don't check 'save to keyring') before mounting it and once more you're good to go.
You don't even ever have to turn your computer off.
Um, yeah. (Eyes dart around the room looking for a way not to receive a bunch of off-topic downmods. Um....)
Wait! Got it!
"You know, this wouldn't happen if hard-drives were encrypted by default, and the OS needed a password from the HARDWARE (or a hash) such that on bootup if your configuration is different radically from what it was before, your valuable information becomes unreachable.
Oh wait, XP does this already.."
Re:so? (Score:2)
It can? Linux can't. (well, maybe with some nonstandard kernel patch that causes your machine to crash more often than Windows 95).
Re:so? (Score:2)
But say you did steal an XP install and needed to get data off it.
Pop in an XP Pro CD, tell it to repair the existing install, enter a new license key.
Use any one of the dozen or so ways of gaining admin from there.
Wonder if the old ring-0 exploits still work..
Re:so? (Score:1)
Re:so? (Score:1)
Re:so? (Score:2)
Are you crazy? Doing that would add all of $1 to the cost of the drive. We can't possibly afford that! It's much more important to lower the price some more than to stop and think about adding features.
the real threat (Score:2, Funny)
At least that is what *they* keep telling us. You do believe them, right?
heh heh
More Info: (Score:3, Informative)
Some interesting things have been reported in the media around here. Some have said the data was encrypted, and that it was unlikely that anyone could get the data. If it was encrypted with anything recent, it would be near impossible to get the information off of it. If I were talking to the media and knew it was encrypted
It was also mentioned that information was in a database, and the tables couldn't be linked very easily... but who really knows.
Re:More Info: (Score:1)
I'm pretty sure if the hard drive was encrypted with something legitimate they would be all over the news announcing this. I highly doubt it was encrypted using anything other than ROT13.
Also contained Investor's Group info (Score:1)
Re:Also contained Investor's Group info (Score:2)
Social Insurance Numbers (SIN) are similar to Social Security Numbers. They are used for dealing with government agencies (Income Tax, Employment Insurance [read: Unemployment Insurance], etc).
You are required to provide a SIN to your employer, and to relevant government agencies. Financial institutions, such as Banks and Credit granting agencies, can ask you for your SIN, but you are not compelled to provide it, and they cannot penalize you in any way for not providing it.
It is illegal in Canada to ask for a SIN if you are not one of the above listed. There is no crime in having customer data that includes an individual's SIN, but it must be volunteered, unprompted.
It is very common for US branch companies to treat a SIN as they do a Social Security Card; go to Blockbuster in Canada and you may find a sign saying it is one of their very short list of acceptable ID. Placing a request for a SIN card on this list is illegal, as would refusing to give a Blockbuster Card to someone who refused to provide it.
Very few Canadians are aware that it's a Federal Offence to ask for a SIN, so hopefully some
The missing ISM drive contained 300 SINs, possibly but not certainly encrypted.
Arrest is pending (Score:2)
(As was mentioned) the drive was in a secure area of ISM Canada, a division of IBM which provides data services for commercial clients.
Amongst those clients was the Government of Saskatchewan, and a number of provincial agencies.
The province was very forthcoming as to the agencies affected, and which kinds of information were on that particular drive, how many people are affected by each type of information, and has made public disclosure very quickly. Most of the government information was encrypted, but not all. For example, the names and addresses, and the electrical consumption of customers from the November 2002 bill of an electric utility are there.
Coop Life and Investor's Group are the only two private firms who have admitted to being affected. ISM indicates an undisclosed number of private firms had information on the drive, but none of them have been willing to admit a thing. Investor's group has a bunch of files regarding mutual fund accounts on the drive.
The Government has called on all affected companies to make a public statement and indicate the nature of the information on the drive, but has no means to compel them to do so. Thus, they haven't.
Police indicate that based on the information they have from ISM, they do not believe the data can be easily accessed. Obviously, many Slashdotters could pull it off, given a bit of luck. This does imply, though, that we're not talking about Excel spreadsheets here.
An arrest is pending, and the drive has been recovered. Police state there is no indication the person had the means to access the drive's information.
Although time will tell, from the above and other information it appears the drive was taken by an employee or contractor who wanted to pop the "free" HD into his Windows box at home. ISM was in the midst of a hardware upgrade, and the drive was supposed to remain in secure until IT could secure-wipe and dispose of the drive.
The Province has indicated it is talking to its legal advisers, and is exploring the option of a lawsuit against ISM.