Dozens of people whose personal information was lost in a massive privacy breach got letters from the federal government letting them know – but the letters, marked “To be opened by addressee only,” were addressed to the wrong people.
Human Resources and Skills Development Canada intended to inform individuals their personal information was on a portable hard drive the department lost in November. The lost hard drive contained the social insurance numbers, names, birth dates, addresses and loan balances of roughly 583,000 borrowers from the Canada Student Loans Program.
But some individuals opened their letters to discover that they were addressed to the wrong person. Some envelopes contained an extra letter addressed to someone else, according to posts on a Facebook group about the privacy breach.
“Although now fully resolved, less than a hundred people may have received a double-stuffed letter as the result of a printer error,” HRSDC spokeswoman Alyson Queen said in an e-mail. “The letters did not include any personal information beyond name and address. Pre-paid envelopes have been sent to the concerned individuals so that they may return the copies of letters sent to them in error.”
Ms. Queen said the department sent letters “to all affected individuals for whom we had current contact information, in order to advise them of the incident and what steps to take to help protect their personal information.”
HRSDC is also encouraging everyone who borrowed from the Canada Student Loans Program between 2000 and 2006 to call a special hotline number, 1-866-885-1866 (1-416-572-1113 outside of North America) to determine whether their data was lost.
The department says there is no evidence that any of the lost personal information has been used for criminal purposes or identity theft. But it has set up some safeguards for those affected by the privacy breach, offering them a free credit notation service through Equifax Canada.
This service places a special note on their credit files indicating their data is at risk of compromise. Creditors who request information from Equifax will then have to request additional proof of identification from an individual making that request. The additional protection will be in place for up to six years.
HRSDC also suggests that people obtain a credit report from their credit agency to look for any unusual activity.
Several law firms are proposing a class action suit on behalf of individuals affected by the privacy breach, and are asking people to register their claims.