Hard drive theft exposed lax GNWT security, report finds

A file photo of the Lahm Ridge Tower building. Emily Blake/Cabin Radio

The theft of hard drives from a Yellowknife office – containing thousands of residents’ personal information – highlights “widespread” privacy failings at a GNWT department, a new report states.

The NWT’s information and privacy commissioner says the Department of Education, Culture and Employment “needs to create a workplace culture oriented to protecting privacy.”

Andrew Fox made the remark in a recently released review of a privacy breach that took place in March 2023, when an unknown person broke into the department’s offices at Lahm Ridge Tower and stole hard drives containing the personal information of nearly 3,000 people.

Fox said paper records containing the personal information of 79 people were also left out in plain view. The intruder was able to rifle through unlocked drawers and cabinets.

According to Fox, the department’s privacy measures fell short of GNWT standards and legal requirements.

“It appears that this insecure approach to client privacy was widespread within the office,” he wrote, adding that housekeeping staff would have had the same access to files as the intruder.

“In my view, it is fair to describe the situation as systemic inattention to information security throughout this workspace.”

How the breach happened

According to the review report, the break-in occurred early on the morning of March 16. Someone ransacked the Income Assistance and Student Financial Assistance offices, stealing keys, employees’ personal items, two cell phones and five hard drives.

While the building’s front doors had an electronic fob system, Fox said the intruder was able to open the doors without a fob. He said it appeared the only safeguards in place were those at the main doors.

Information relating to 2,987 people came to be on a hard drive because several years earlier, a government employee had wanted to take the data home and work on it outside business hours, Fox said. Data on the drive included names of people, their spouses and dependents, mailing addresses, birth dates, marital status, financial case reports, and social insurance and healthcare numbers.

The information was not de-identified or protected, Fox said, and when the break-in occurred, the hard drive was stored in an unlocked drawer in an unlocked office. The government had no way to access the hard drive remotely after it was stolen to remove the information or prevent access to it, he added.

Fox said the information had been used for two projects: an evaluation of childcare allowances provided to low-income families, and a review of cases where clients had previously received larger payments than they were entitled to.

The information should have been destroyed when the projects were completed, he said, as it was a duplicate of a folder on a network drive.

“Although somewhat dated, this is potentially very sensitive personal information and could potentially be used to pursue fraudulent activity involving identity theft,” Fox wrote.

“It could also cause humiliation or damage to reputation.”

What happened next

Fox said there is no evidence the information has been misused and the NWT government has not received any reports of identity theft or financial loss since the break-in.

There is no guarantee that won’t happen in the future, he noted.

Since the break-in, the review report states, the department has prohibited the use of unencrypted hard drives and plans to implement an electronic information system to securely manage files.

Staff who work overtime are now required to stay on site or use work laptops through an authorized VPN. The department also mandated privacy training for employees and implemented a “clean desk principle,” requiring paper records to be kept in locked drawers and cabinets when not in use.

However, Fox said that six months after the break-in, only 69 percent of the department’s employees had completed the mandatory training, adding that “this percentage should be much higher.”

“It is obvious that the public body needed a shift in workplace culture to prioritize protection of personal information,” he wrote.