The B.C. Government is warning of a data breach that could affect more than three million people.
A misplaced backup hard drive contained personal information of students who attended schools in B.C. and the Yukon from 1986 to 2009.
Technology, Innovation and Citizens’ Services Minister Amrik Virk announced on Tuesday a review will be held in the wake of this incident to do everything possible to protect personal information and prevent privacy breaches.
In total, the missing hard drive contains about 3.4 million education records tied to people between 1986 and 2009, and includes their names, postal codes, grades and personal education numbers.
The Service BC info line will be able to help British Columbians and others find out if their information is on the drive, and if so, what sort of information it would be.
People can call Service BC and note they attended K-12 or post-secondary school. The contact centre is open Monday to Friday from 7:30 a.m. to 5 p.m. and can be reached by calling:
- Victoria: 250-387-6121
- Vancouver: 604-660-2421
- Elsewhere in B.C.: 1-800-663-7867
There are also a smaller number of records in files on the hard drive that include more sensitive personal information, such as:
- 825 survey results from 2003 of teachers aged 53 or older on their retirement plans.
- 1,052 personal education numbers, birth years, and grad dates for cancer survivors from a study on their education outcomes.
- 9,273 personal education numbers connected to children in the care of the Ministry of Children and Family Development before 2006-07, including information such as health and behaviour issues and supervision status.
Officials say this sensitive information could be connected to names by comparing the personal education numbers to names through the larger data file.
WATCH: BC Teachers’ Federation president Jim Iker talks about the disappearance of a hard drive that could affect more than three million people.
“British Columbians expect us to ensure their information is safe – and this is an incident that should have never happened,” said Virk.
“I have directed the province’s chief information officer to undertake a review to make sure that our privacy protection policies and procedures are as robust as they possibly can be. The Ministry of Education will be the first ministry to be examined as part of this cross-government review. British Columbians deserve the highest standards of information management.”
The government has no indication that data from the missing hard drive has been accessed or used, and says the risk to individuals is thought to be low because the data on the missing hard drive does not contain financial or banking information, social insurance numbers or driver’s licence numbers.
Privacy watchdogs say it may not be that simple.
The government says all files related to student records are still with the government and it is important to note the files on these missing hard drives were backups.
Ryan St. Hilaire, vice president of product management at Absolute, said in a statement that this breach could cause more damage due to cybercriminal interest in the data.
The data that is now at risk was probably considered to be benign when it was originally stored on the missing hard drive, however we have seen cybercriminals leverage data from this kind of breach, in order to successfully perform more significant and damaging attacks in the future.
This case points to the significance computer hardware plays in storing and protecting data. Whether it be external hard drives or mobile devices, organizations entrusted with public and personal information must treat these endpoints as critical attack surfaces and extend security measures to include devices that are on the network, off the network, and yes – even in storage.