Oh, Canada! USB drives with information on 2 million voters are missing

By | July 18, 2012

Posted in: Network Security Trends

The news is out, nearly three months after the fact, that two unencrypted USB drives containing personal information on some two million voters in Ontario  ̶  the largest data breach in Ontario history  ̶  is missing. Disappeared. Gone. These kinds of cases keep popping up, seemingly without relent. Someone hasn’t gotten the memo.

A word about large quantities of sensitive information on USB drives, laptops, iPads, Androids etc: Don’t do it. If you must, then encrypt the data and be sure the keys are not available in plain text on the same device. Then, think about it and don’t do it. Large amounts of sensitive data belong in databases, encrypted, with strong access controls  ̶  that means separation of duties, so you only get to see the data if you need to, and multifactor authentication.

“There are only three things that can happen when you pass,” said Woody Hayes, legendary coach of Ohio State, “and two of them ain’t good.” The same thing can be said of large volumes of sensitive data on portable devices:  The data can be lost. It can be stolen. It can remain safe.

The reason for putting all that data on a USB drive is convenience. Is it worth the risk?

Canadian officials say there’s no evidence that the data has been misused. Well, they are not even sure whose names, addresses, gender, birthdates and so on are on the drives. How would they know who’s had a credit card taken out or gotten a phishing message or been “friended” by some not-really-friendly person on Facebook? The same officials point out that the data is in a proprietary application format, so reading it would require the application or highly skilled programmer using commercial software. That’s good; it means someone is going to have to work to access it, unless they have access to the application.

What if the persons responsible for the loss sold or used the information themselves? We just don’t know.

The drives have been missing since April26. They were used because the laptops belonging staff responsible for updating the voter registry did not have Internet connections. If they had, we might be talking about stolen laptops with two million unencrypted names.

There was an internal investigation, then an outside forensics team was called in to assist. Then the police were called in. The investigation, as they say, is ongoing. Why does a government agency wait that long to call the cops?

Ontario’s chief electoral commissioner, Greg Essena, advises all Ontarians to watch for "potential unusual activity" regarding any transactions with the province, banks, utilities and retailers. Would’ve been nice to be on the watch a couple of months ago. Why is the public being notified nearly three months after the fact?

It seems these cases are always followed by a lot of : It’s not that bad; there’s no evidence the data has been misused; we’re advising people to be cautious and, my favorite, someone didn’t follow policy. What it really means is we never expected to happen to us.

You May Also Be Interested In: