[BreachExchange] Massive privacy breach at Public Services reveals workers' salaries

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 2 18:55:22 EDT 2017


http://www.cbc.ca/news/politics/privacy-breach-therrien-public-services-procurement-spreadsheet-personal-workers-1.4141297

The personal information of almost 13,000 public servants was exposed in
one of the largest ever privacy breaches at a federal government department.

The July 11, 2016, breach at Public Services and Procurement Canada (PSPC)
included the salary, age, reading-and-writing test results and other
private information of 12,901 employees — nearly everyone working in the
department, which employed 13,300 people at the time.

Also included was confidential employment-equity data of about 2,590
employees, such as whether they self-identified as a visible minority,
disabled or Indigenous.

The breach occurred when the human resources section attached a massive
spreadsheet to an unencrypted email, which was distributed to 180 people in
the department.

The breach had "the potential of serious injury to employees due to the
personal nature of the information," says an internal account, dated
February this year and obtained by CBC News under the Access to Information
Act.

"The breach was deemed to be the result of an inadvertent human error."

The department reported the breach to Canada's privacy commissioner, Daniel
Therrien, more than a month later, on Aug. 19, 2016. Employees themselves
were notified even later, by email, on Aug. 26 — six weeks after the fact.

Three complaints

"I can tell you that we received three complaints, all from affected
employees," said the commissioner's spokesperson, Tobi Cohen. "They were
resolved through our early resolution process to the satisfaction of
complainants in October 2016."

Cohen said the Privacy Act prevents the office from providing further
details.

A spokesperson for PSPC said the 180 people who received the unencrypted
spreadsheet had "appropriate" security clearance and were "instructed to
delete the email containing the report."

"The report was also purged from government systems," said Pierre-Alain
Bujold.

"To date, no reports have been received to indicate that personal
information has been used maliciously or left departmental systems as a
result of the breach," he said.

The July 2016 privacy breach was at least the third at PSPC in the space of
about a year. The first two breaches — which occurred between March and
July 2015, and February and April of 2016 — were the result of the wonky
Phoenix payroll system which has been underpaying, overpaying or not paying
federal workers.

The earlier breaches affected more workers — 300,000 — but the kind of
personal information exposed was relatively minor compared with the depth
of private information revealed in the latest incident, which included the
size of workers' paycheques.

Other breaches

Other federal government departments have a far worse record of privacy
breaches than PSPC, as detailed in last fall's annual report from Therrien,
which covered the period between April 1, 2015, and March 31, 2016. The
worst offenders were Veterans Affairs (84), Corrections Canada (50),
Immigration (47), the Canada Revenue Agency (21) and Employment and Social
Development (17).

Last month, CBC News reported on new privacy breaches at the Canada Revenue
Agency, including the largest ever involving a tax worker snooping on
taxpayers' files. The breaches occurred despite more than $10 million spent
to stop them.

One CRA employee improperly accessed the accounts of 38 taxpayers in
detail, and briefly accessed another 1,264 accounts using a search function
to find surnames and postal codes. The worker was fired after being caught
in March last year.