
Missing Hard Drive Spurs Data-Theft Fears In Canada

DevNull writes "A government of Saskatchewan (Canada) hard drive has gone missing, and it contains significant personal data - in fact, the government won't even detail what all is contained in it. Read about it from the CBC. So much for people who think the internet is the cause of all their security fears! Identity theft is the major concern at the moment." B5_geek links to this report on Bloomberg.com which says that "[t]he information includes names, addresses, beneficiaries, social insurance numbers, pension values, pre-authorized checking information and mothers' maiden names," according to Co-operators Chief Executive Kathy Bardswick.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    REGINA - Thousands of Canadians across the country are being cautioned that a computer hard drive missing for two weeks from a Regina office contains their personal data. Saskatchewan government officials fear the data could be misused.

    And people give de Raadt a hard time for encrypting the swap file...

  • Ugh (Score:3, Interesting)

    by Blkdeath ( 530393 ) on Thursday January 30, 2003 @05:53PM (#5191617) Homepage
    I'm glad I don't have a policy with these people. It sucks when you go to certain lengths of care with whom you share your personal data and it gets stolen anyways.

    Security, security, security, people. It's my (and your) information we're dealing with here. I'd sooner it not be put in the hands of the lowest bidder, Thankyouverymuch.

    • Re:Ugh (Score:3, Insightful)

      by Smokey ( 14008 )
      Security, security, security, people

      And let's not forget PHYSICAL security, somebody had to go in, remove the hard drive from the computer (I assume it was in active use..) and walk out with it.
    • I'm glad I don't have a policy with these people.

      That doesn't mean they're not reinsuring you though... Insurance companies spread the risk around. One company will reinsure another company's policies.

  • A global ID (Score:2, Interesting)

    by noitalever ( 150546 )
    I've seen countless things in the news lately, and am really getting the feeling that at some point we are going to *have* to have a global, secure ID. A lot like the SSNs of today for America, but with two parts, one part that is on the internet, and one part on a random number generator of some sort that we keep on our person. That way, the internet information is useless.

    Like it or not, at some point it seems like EVERYONE's data gets stolen. I'm uber-paranoid about giving my info to anyone, but I KNOW that there is info floating around the internet about me that someone could use to steal my identity. Is anyone working on a two part identity system like this that isn't proprietary?

    Shawn
    • I'd rather not have a single ID system, because with lots of different login details, if one of them gets compromised, then it's just that one account that's lost, whereas if a single ID is used and that gets stolen, well, that's your id for everything gone. Not relying on one single id system is, imho, an important part of protecting your id, because that makes you less vulnerable to id theft.
      • A large contributing factor to identity theft in the US is the ubiquity of the SSN. Basically, with that and an address, all sorts of bad problems start happening.

        Seems like a global ID would just be that much worse: a new target that is even better than the SSN in the hands of thieves.

        So, I agree with the parent that

        Not relying on one single id system is, imho, an important part of protecting your id, because that makes you less vulnerable to id theft.

        Yeah, it makes things more complex for governments (and even for us poor slobs with more things to remember), but a single target is just too tempting to criminals.
        (cough... windows viruses... /cough)

  • by misfit13b ( 572861 ) on Thursday January 30, 2003 @05:54PM (#5191632)
    ...oh, forget it, you already have the address.

    ;^)

  • by Syncdata ( 596941 ) on Thursday January 30, 2003 @06:51PM (#5192056) Journal
    Just ask the CIA/FBI/Lawrence Livermore cats who couldn't seem to hang onto a laptop from 1996-2000. It's all fine and good if your system is cracker proof, but do try to keep an eye on it.
    Software security means squat diddly if someone can just pop the HDD in as a slave.
    • This is often overlooked... I think most security threats are not at some l33t hax0r coming in through the firewall and compromising many systems to get to the data, rather it's the system administrator who leaves his office door open and computer unsecure.

      On a side note, anyone involved in a company with layoffs... did you lock your door in fear of disgruntled employees going on a shopping-spree in your office? Heh.
  • The Co-Operators (Score:5, Informative)

    by Hadean ( 32319 ) <hadean.dragon+sl ... inus threevowels> on Thursday January 30, 2003 @07:18PM (#5192295)
    The drive contained a list of members, the information above and credit card numbers of members of the Co-Operators Life insurance company [cooperators.ca].

    Check out this article [canada.com] (Regina Leader Post).

    (OT: Have you noticed that there are more and more threads on Slashdot that have less than 10 comments? Hmmm...)
    • (OT: Have you noticed that there are more and more threads on Slashdot that have less than 10 comments? Hmmm...)

      If you have the "collapse sections" option on, you get to see all the stories that are in other sections but not officially on the front page. Those are seen by a lot fewer people (those that look at the section, and people with that option on).

      Now I also use the option and I know no easy way to tell if this story is on the front page, but judging from the number of comments it probably isn't.

  • by dl248 ( 67452 ) on Thursday January 30, 2003 @07:34PM (#5192357) Homepage
    This is a case where the work has been farmed out to ISM, which is a subsidiary of IBM. It's not the government's fault, but ISM/IBM who are to blame here.

    The amount and detail of data makes this a SCARY situation.
    • What level of data protection was specified in the contract? It's easy to blame ISM/IBM but I've worked on too many government contracts where the staffing and funding was totally inadequate to do everything the right way.
  • so? (Score:5, Funny)

    by 3-State Bit ( 225583 ) on Thursday January 30, 2003 @08:41PM (#5192819)
    It was encrypted, right?

    I mean, these days any schmo with an iBook goes /Applications/Utilities/Disk Copy, clicks File | New | Blank Image and chooses a name for the file, the desktop for its location, and AES 128 for encryption (recommended).

    Then just unmount the drive image (drag it in the finder from your desktop to the trash -- which will turn into an eject button) before you leave your computer for the day, or whenever somebody's using it who shouldn't have access to the contents of that drive -- even if they're using your account, cuz' you're letting them sit at your computer.

    Double-clicking the drive image prompts for a password (don't check 'save to keyring') before mounting it and once more you're good to go.

    You don't even ever have to turn your computer off.

    Um, yeah. (Eyes dart around the room looking for a way not to receive a bunch of off-topic downmods. Um....)

    Wait! Got it!

    "You know, this wouldn't happen if hard-drives were encrypted by default, and the OS needed a password from the HARDWARE (or a hash) such that on bootup if your configuration is different radically from what it was before, your valuable information becomes unreachable.

    Oh wait, XP does this already.."
    • by treat ( 84622 )
      Oh wait, XP does this already.."

      It can? Linux can't. (well, maybe with some nonstandard kernel patch that causes your machine to crash more often than Windows 95).

      • Windows doesn't do it. Some versions of Windows just make it so the system won't boot. Anti piracy feature. He might as well have claimed Linux was superior, because through a series of bad choices when compiling a kernel you can pretty well lock it to a machine.

        But say you did steal a XP install and needed to get data off it.

        Pop in a XP Pro CD, tell it to repair the existing install, enter a new license key.
        Use any one of the dozen or so ways of gaining admin from there.

        Wonder if the old ring-0 exploits still work..
    • Actually, the data was encrypted. The thing is, this computer was not exactly sitting out in the open. To get to where this computer was stolen, one needs about 3 passwords, and a code card; in other words, this was an inside job. The person who stole the computer probably has the key to decrypt the data.
    • I've wondered why encryption isn't a standard feature in IDE hard disks. It would be so simple for the controller to encrypt everything written to the disk. IBM has passwords in some of their laptop hard drives. You can't pull the drive, connect it to another PC, and access the disk without the correct password.
      • Are you crazy? Doing that would add all of $1 to the cost of the drive. We can't possibly afford that! It's much more important to lower the price some more than to stop and think about adding features.

  • We all know that the real threat is those 31337 skr1p7 k1ddiez and no other threat

    At least that is what *they* keep telling us. You do believe them, right?

    heh heh
  • More Info: (Score:3, Informative)

    by Nos. ( 179609 ) <andrewNO@SPAMthekerrs.ca> on Friday January 31, 2003 @09:54AM (#5195638) Homepage
    SASK CBC [sask.cbc.ca]. I work about 100 Yards from ISM's building (the folks responsible for the lost drive).

    Some interesting things have been reported in the media around here. Some have said the data was encrypted, and that it was unlikely that anyone could get the data. If it was encrypted with anything recent, it would be near impossible to get the information off of it. If I were talking to the media and knew it was encrypted

    It was also mentioned that information was in a database, and the tables couldn't be linked very easily... but who really knows.

    • I work about 4 yards from this punk -- I wouldn't listen to him. He's making fun of me as I type this.

      I'm pretty sure if the hard drive was encrypted with something legitimate they would be all over the news announcing this. I highly doubt it was encrypted using anything other than ROT13.

  • Investor's Group [investorsgroup.ca] has issued this press release [investorsgroup.ca] stating that Investor's Group client information was also contained on the stolen hard disk. After talking to my local IG representative, I was told the information was used to print monthly statements and included names, addresses, and investment details but did not include Social Insurance Numbers. Sort of scary to hear that information from a variety of different financial institutions was all contained on one hard disk.
    • For our US readers:
      Social Insurance Numbers (SIN) are similar to Social Security Numbers. They are used for dealing with government agencies (Income Tax, Employment Insurance [read: Unemployment Insurance], etc).

      You are required to provide a SIN to your employer, and to relevant government agencies. Financial institutions, such as Banks and Credit granting agencies, can ask you for your SIN, but you are not compelled to provide it, and they cannot penalize you in any way for not providing it.

      It is illegal in Canada to ask for a SIN if you are not one of the above listed. There is no crime in having customer data that includes an individual's SIN, but it must be volunteered, unprompted.

      It is very common for US branch companies to treat a SIN as they do a Social Security Card; go to Blockbuster in Canada and you may find a sign saying it is one of their very short list of acceptable ID. Placing a request for a SIN card on this list is illegal, as would refusing to give a Blockbuster Card to someone who refused to provide it.

      Very few Canadians are aware that it's a Federal Offence to ask for a SIN, so hopefully some /. readers will be enlightened north of '49.

      The missing ISM drive contained 300 SINs, possibly but not certainly encrypted.
  • Since information on this issue seems to be a bit lacking, I will try and fill in some of the details.

    (As was mentioned) the drive was in a secure area of ISM Canada, a division of IBM which provides data services for commercial clients.

    Amongst those clients was the Government of Saskatchewan, and a number of provincial agencies.

    The province was very forthcoming as to the agencies affected, and which kinds of information were on that particular drive, how many people are affected by each type of information, and has made public disclosure very quickly. Most of the government information was encrypted, but not all. For example, the names and addresses, and the electrical consumption of customers from the November 2002 bill of an electric utility are there.

    Coop Life and Investor's Group are the only two private firms who have admitted to being affected. ISM indicates an undisclosed number of private firms had information on the drive, but none of them have been willing to admit a thing. Investor's group has a bunch of files regarding mutual fund accounts on the drive.

    The Government has called on all affected companies to make a public statement and indicate the nature of the information on the drive, but has no means to compel them to do so. Thus, they haven't.

    Police indicate that based on the information they have from ISM, they do not believe the data can be easily accessed. Obviously, many Slashdotters could pull it off, given a bit of luck. This does imply, though, that we're not talking about Excel spreadsheets here.

    An arrest is pending, and the drive has been recovered. Police state there is no indication the person had the means to access the drive's information.

    Although time will tell, from the above and other information it appears the drive was taken by an employee or contractor who wanted to pop the "free" HD into his Windows box at home. ISM was in the midst of a hardware upgrade, and the drive was supposed to remain in secure until IT could secure-wipe and dispose of the drive.

    The Province has indicated it is talking to its legal advisers, and is exploring the option of a lawsuit against ISM.
