Elections Ontario yesterday announced the loss of two USB drives that contained information on as many as 2.4 million Canadians.
"In a statement [PDF file] issued July 17, Chief Electoral Officer Greg Essensa says that the two USB keys contained information on voters in 20 to 25 electoral districts," writes GovInfoSecurity's Jeffrey Roman. "There are 107 electoral districts in Ontario. A spokesperson for Elections Ontario says some laptops used by staff were not connected to the organization's network, so the USB drives were used to transfer information among those laptops. The potentially compromised information includes full name, gender, date of birth, address, as well as administrative codes used solely for election purposes and any other personal information updates provided to Elections Ontario by voters during the last election period, the statement says."
"Elections Ontario stressed that protocol was not followed in this instance," writes The Globe and Mail's Caroline Alphonso. "Its policies dictate that USB keys must be password protected and encrypted if they carry personal information, and that the keys must be in the custody of staff at all times. In this particular case, two staff members, who were working in a warehouse in late April updating the permanent register of electors for Ontario, did not follow the the rules. The two were supposed to secure the USB keys at the end of the work day, but failed to do so. The next morning when they returned to work, the keys were gone."
"That prompted Elections Ontario to conduct a search, an internal investigation and then a third-party review," writes The Toronto Sun's Debora Van Brenk. "Forensic security firm Inkster Incorporated discovered several flaws, including that standard data-security steps had been overlooked or ignored; encryption software available on the drives hadn’t been activated; and information was often transferred back and forth between secure laptops and insecure portable drives. In addition, all staff members shared the same default password until after the USB sticks went missing -- something Inkster said called 'a poor practice and a security risk.'"
"The agency is recommending that voters in the affected districts monitor and verify their personal transaction statements from governments, financial institutions, businesses and other institutions to detect any unusual activity," Infosecurity reports.