B.C. student data breach could affect more than 3 million people

The B.C. Government is warning of a data breach that could affect more than three million people.

A misplaced backup hard drive contained personal information of students who attended schools in B.C. and the Yukon from 1986 to 2009.

Technology, Innovation and Citizens’ Services Minister Amrik Virk announced on Tuesday a review will be held in the wake of this incident to do everything possible to protect personal information and prevent privacy breaches.

In total, the missing hard drive contains about 3.4 million education records tied to people between 1986 and 2009, and includes their names, postal codes, grades and personal education numbers.

The Service BC info line will be able to help British Columbians and others find out if their information is on the drive, and if so, what sort of information it would be.

Story continues below advertisement

People can call Service BC and note they attended K-12 or post-secondary school. The contact centre is open Monday to Friday from 7:30 a.m. to 5 p.m. and can be reached by calling:

  • Victoria: 250-387-6121
  • Vancouver: 604-660-2421
  • Elsewhere in B.C.: 1-800-663-7867

There are also a smaller number of records in files on the hard drive that include more sensitive personal information, such as:

  • 825 survey results from 2003 of teachers aged 53 or older on their retirement plans.
  • 1,052 personal education numbers, birth years, and grad dates for cancer survivors from a study on their education outcomes.
  • 9,273 personal education numbers connected to children in the care of the Ministry of Children and Family Development before 2006-07, including information such as health and behaviour issues and supervision status.

Officials say this sensitive information could be connected to names by comparing the personal education numbers to names through the larger data file.

WATCH: BC Teachers’ Federation president Jim Iker talks about the disappearance of a hard drive that could affect more than three million people.

“British Columbians expect us to ensure their information is safe – and this is an incident that should have never happened,” said Virk.

Story continues below advertisement

“I have directed the province’s chief information officer to undertake a review to make sure that our privacy protection policies and procedures are as robust as they possibly can be. The Ministry of Education will be the first ministry to be examined as part of this cross-government review. British Columbians deserve the highest standards of information management.”

The government has no indication that data from the missing hard drive has been accessed or used, and says the risk to individuals is thought to be low because the data on the missing hard drive does not contain financial or banking information, social insurance numbers or driver’s licence numbers.

Privacy watchdogs say it may not be that simple.

“When you consider how deeply intimate some of this information is – mental health records, records of children when they were in care – it’s no wonder that a lot of people right across this province are going to be very worried about where this information is [and] whether it has fallen into the wrong hands,” says David Christopher of OpenMedia.

The government says all files related to student records are still with the government and it is important to note the files on these missing hard drives were backups.

Ryan St. Hilaire, vice president of product management at Absolute, said in a statement that this breach could cause more damage due to cybercriminal interest in the data.

Story continues below advertisement

The data that is now at risk was probably considered to be benign when it was originally stored on the missing hard drive, however we have seen cybercriminals leverage data from this kind of breach, in order to successfully perform more significant and damaging attacks in the future.

This case points to the significance computer hardware plays in storing and protecting data. Whether it be external hard drives or mobile devices, organizations entrusted with public and personal information must treat these endpoints as critical attack surfaces and extend security measures to include devices that are on the network, off the network, and yes – even in storage.

Sponsored content