SUCKS!!! 120,000 Canadians' Personal Data Stolen... - GoFuckYourself.com

Greg B · 09-30-2003, 11:12 PM

This bites ass... somebody stole a server from a company and it had 120,000 canadian citizen's info on it and it wasn't encrypted..
Is dese' you???

http://www.itbusiness.ca/index.asp?t...id=1&sid=53591

CCRA loses data on 120,000 Canadians in server theft

9/30/2003 5:00:00 PM - A database from a Quebec office containing personal information on individuals in the construction industry is stolen following a break-in. Critics ask: Why wasn't anything encrypted?

by Shane Schick

Canadian security experts lambasted the Canada Customs and Revenue Agency Tuesday over the lack of encryption to protect the personal data of more than 120,000 individuals that was lost when one of its servers was stolen from a regional office.

The CCRA admitted the breach weeks after its Quebec Tax Service office was broken into on Sept. 4. Local police in Laval, Que. are working with the RCMP on the case, an official said, while the CCRA is conducting an internal review of its processes. One of the four stolen servers contained a database with unencrypted information including names, dates of birth, social insurance numbers and home addresses but not personal income tax information, according to the CCRA. Most of the records included T-5018s, a document similar to a T4 , that contractors and sub-contractors have had to file since 1999.

The database spanned records from 1999 to 2001. Approximately 94,000 of those affected were in the construction industry. The rest of the records contained information on employment insurance and Canada Pension Plan Rulings on contract and independent workers.

CCRA spokesman Dominque McNeely said it did not want to make the information public until it had contacted those affected by letter.

"We had to check to make sure we were contacting the right clients," he said. "It did take us a while, but we had to make literally millions of calls and checks within our system."

McNeely said the servers were not contained in their usual locked room at the time of the theft. "It was in our office, which is protected by an alarm system, but most police agencies will concur that it is practically impossible to stop a determined thief," he said. "We could talk about human error, but it's not like we left them the front lawn."

The CCRA has put a 24-hour security guard on patrol at the office since the incident, McNeely said, and bars are being installed on the ground floor where a window was smashed.

"Our servers aren't encrypted," he said. "They're only password-protected because if our servers were encrypted it would slow down our operations to a point where it just wouldn't be workable. That's why we keep them locked in a more secure room."

Critics said there is no excuse in today's environment for claiming that reasonable encryption has a performance problem on IT equipment.

"That's utter, unmitigated nonsense," said Mich Kabay, associate professor in the department of computer information systems at Norwich University in Northfield, Va. "You can use perfectly reasonable key lengths with off-the-shelf encryption software and do a reasonable job of interfering with all but a systematic, government-sponsored cracking attempt."

Paul K. Wing, a Toronto-based independent security consultant and the former head of IT at Scotiabank, said there are known techniques using digital certificates that enable organizations to separate the personal data and transactional history onto different servers.

"The government hasn't shown enough leadership around how to protect data that's stored and how to anonomize data," he said. "You don't have to have files of data sitting on a database that have my name and address and the things that link to me."

The incident marks the second time this year a CCRA office has lost confidential information. In February, a server along with eight laptops containing information on 538 income assistance clients was stolen from a two-storey Coquitlam, B.C. CCRA location. In that case, the CCRA had backup files and the government said service wasn't interrupted, but it did prompt a review of the B.C. government's plan to place management of its IT infrastructure under the Ministry of Management Services.

The data and physical security of CCRA facilities has frequently attracted the concern of privacy experts, given the vast array of information the agency holds. In April, for instance, the CCRA agreed to reduce the amount of information from its database of travel information with other government departments under pressure from former Privacy Commissioner of Canada George Radwanski. Containing more than 30 data elements -- including where and with whom citizens travel, payment for tickets and contact information -- the database was sometimes used to monitor Canadians for possible tax infractions or other criminal activity.

Two weeks ago, the CCRA discussed a program called CANPASS whereby Canadians could speed their entry through customs by undergoing a thorough background check and recording biometric information including a scan of their iris for identification purposes.

Kabay, who once taught information security courses for the Institute for Government Informatics Professionals of the Government of Canada, said there is a growing list of identity theft incidents at governments around the world similar to those suffered by the CCRA.

"There is a general lack of awareness of the dangers around physical access to devices," he said. "But more important, encryption is not generally widespread. This is pity, because it's . . . a relatively trivial matter to enable an encrypting file system."

Wing, who recently authored the book Protecting Your Money, Privacy and Identity From Loss and Misuse, argued that policy around encryption, like the number of custodians in charge of a particular key, may be the bigger issue.

"Encryption is an effective technical control, but the encryption is only as good as the management process around it," he said. "If someone's determined to get to the identities of 100,000 Canadians, then one more step of trying to get at that encryption may not be a deterrent to them."

The CCRA has created a toll-free number that it has provided with a letter to all those affected by the server theft.

Comment: [email protected]

MattO · 09-30-2003, 11:14 PM

summarize please

asuna · 09-30-2003, 11:18 PM

Stupid quebec

Reak · 09-30-2003, 11:21 PM

That's fucked up

Dildozer · 09-30-2003, 11:34 PM

goddamnit!!!

my whole family's in the construction industry...

Stud Money · 09-30-2003, 11:36 PM

Adrien Gérard
Aimé Georges
Alain Gaston
Alexandre Gabriel
Alexis Frédéric
Alfred Franck
Amaury Eugène
André Étienne
Antoine Éric
Anton Emmanuel
Arnaud Émile
Arthur Édouard
Benjamin Didier
Benoît Denis
Bernard David
Bertrand Daniel
Bruno Claude
Christian Christian
Claude Bruno
Daniel Bertrand
David Bernard
Denis Benoît
Didier Benjamin
Dominique Auguste
Édouard Arthur
Émile Arnaud
Emmanuel Anton
Éric Antoine
Étienne André
Eugène Amaury
Franck Alfred
Frédéric Alexis
Gabriel Alexandre
Gaston Alain
Georges Aimé
Gérard Adrien

Thats a sample of the names - I sale full canuck personal details list

Jimbo · 09-30-2003, 11:40 PM

I don'T know what CCRA is so I guess I'm all fine

grogan · 09-30-2003, 11:40 PM

canadians personal info is worthless.

Dildozer · 09-30-2003, 11:42 PM

Quote:

Originally posted by Stud Money
Adrien Gérard
Aimé Georges
Alain Gaston
Alexandre Gabriel
Alexis Frédéric
Alfred Franck
Amaury Eugène
André Étienne
Antoine Éric
Anton Emmanuel
Arnaud Émile
Arthur Édouard
Benjamin Didier
Benoît Denis
Bernard David
Bertrand Daniel
Bruno Claude
Christian Christian
Claude Bruno
Daniel Bertrand
David Bernard
Denis Benoît
Didier Benjamin
Dominique Auguste
Édouard Arthur
Émile Arnaud
Emmanuel Anton
Éric Antoine
Étienne André
Eugène Amaury
Franck Alfred
Frédéric Alexis
Gabriel Alexandre
Gaston Alain
Georges Aimé
Gérard Adrien

Thats a sample of the names - I sale full canuck personal details list

hmmm those are all first names lol

Jimbo · 09-30-2003, 11:44 PM

Quote:

Originally posted by grogan
canadians personal info is worthless.

you little pizza pretzel man...

Stud Money · 09-30-2003, 11:46 PM

Quote:

Originally posted by Dildozer

hmmm those are all first names lol

What can i say but, damn canucks

KaLi · 09-30-2003, 11:53 PM

Well, One more reason to move to CA..

marty · 09-30-2003, 11:54 PM

What's the big deal?

They all sleep with their sisters so that's no secret.

nutzella · 10-01-2003, 02:20 AM

It wont be long before one of these clowns steals the wrong persons info and ends up pushing up daisies

footsex · 10-01-2003, 02:39 AM

Quote:

Originally posted by nutzella
It wont be long before one of these clowns steals the wrong persons info and ends up pushing up daisies

are you paying attention? this is Canada were talking about!

09-30-2003, 11:12 PM	#1
Greg B So Fucking Banned Join Date: Jul 2001 Location: EARTH (for the time being) Posts: 7,014	SUCKS!!! 120,000 Canadians' Personal Data Stolen... This bites ass... somebody stole a server from a company and it had 120,000 canadian citizen's info on it and it wasn't encrypted.. Is dese' you??? http://www.itbusiness.ca/index.asp?t...id=1&sid=53591 CCRA loses data on 120,000 Canadians in server theft 9/30/2003 5:00:00 PM - A database from a Quebec office containing personal information on individuals in the construction industry is stolen following a break-in. Critics ask: Why wasn't anything encrypted? by Shane Schick Canadian security experts lambasted the Canada Customs and Revenue Agency Tuesday over the lack of encryption to protect the personal data of more than 120,000 individuals that was lost when one of its servers was stolen from a regional office. The CCRA admitted the breach weeks after its Quebec Tax Service office was broken into on Sept. 4. Local police in Laval, Que. are working with the RCMP on the case, an official said, while the CCRA is conducting an internal review of its processes. One of the four stolen servers contained a database with unencrypted information including names, dates of birth, social insurance numbers and home addresses but not personal income tax information, according to the CCRA. Most of the records included T-5018s, a document similar to a T4 , that contractors and sub-contractors have had to file since 1999. The database spanned records from 1999 to 2001. Approximately 94,000 of those affected were in the construction industry. The rest of the records contained information on employment insurance and Canada Pension Plan Rulings on contract and independent workers. CCRA spokesman Dominque McNeely said it did not want to make the information public until it had contacted those affected by letter. "We had to check to make sure we were contacting the right clients," he said. "It did take us a while, but we had to make literally millions of calls and checks within our system." McNeely said the servers were not contained in their usual locked room at the time of the theft. "It was in our office, which is protected by an alarm system, but most police agencies will concur that it is practically impossible to stop a determined thief," he said. "We could talk about human error, but it's not like we left them the front lawn." The CCRA has put a 24-hour security guard on patrol at the office since the incident, McNeely said, and bars are being installed on the ground floor where a window was smashed. "Our servers aren't encrypted," he said. "They're only password-protected because if our servers were encrypted it would slow down our operations to a point where it just wouldn't be workable. That's why we keep them locked in a more secure room." Critics said there is no excuse in today's environment for claiming that reasonable encryption has a performance problem on IT equipment. "That's utter, unmitigated nonsense," said Mich Kabay, associate professor in the department of computer information systems at Norwich University in Northfield, Va. "You can use perfectly reasonable key lengths with off-the-shelf encryption software and do a reasonable job of interfering with all but a systematic, government-sponsored cracking attempt." Paul K. Wing, a Toronto-based independent security consultant and the former head of IT at Scotiabank, said there are known techniques using digital certificates that enable organizations to separate the personal data and transactional history onto different servers. "The government hasn't shown enough leadership around how to protect data that's stored and how to anonomize data," he said. "You don't have to have files of data sitting on a database that have my name and address and the things that link to me." The incident marks the second time this year a CCRA office has lost confidential information. In February, a server along with eight laptops containing information on 538 income assistance clients was stolen from a two-storey Coquitlam, B.C. CCRA location. In that case, the CCRA had backup files and the government said service wasn't interrupted, but it did prompt a review of the B.C. government's plan to place management of its IT infrastructure under the Ministry of Management Services. The data and physical security of CCRA facilities has frequently attracted the concern of privacy experts, given the vast array of information the agency holds. In April, for instance, the CCRA agreed to reduce the amount of information from its database of travel information with other government departments under pressure from former Privacy Commissioner of Canada George Radwanski. Containing more than 30 data elements -- including where and with whom citizens travel, payment for tickets and contact information -- the database was sometimes used to monitor Canadians for possible tax infractions or other criminal activity. Two weeks ago, the CCRA discussed a program called CANPASS whereby Canadians could speed their entry through customs by undergoing a thorough background check and recording biometric information including a scan of their iris for identification purposes. Kabay, who once taught information security courses for the Institute for Government Informatics Professionals of the Government of Canada, said there is a growing list of identity theft incidents at governments around the world similar to those suffered by the CCRA. "There is a general lack of awareness of the dangers around physical access to devices," he said. "But more important, encryption is not generally widespread. This is pity, because it's . . . a relatively trivial matter to enable an encrypting file system." Wing, who recently authored the book Protecting Your Money, Privacy and Identity From Loss and Misuse, argued that policy around encryption, like the number of custodians in charge of a particular key, may be the bigger issue. "Encryption is an effective technical control, but the encryption is only as good as the management process around it," he said. "If someone's determined to get to the identities of 100,000 Canadians, then one more step of trying to get at that encryption may not be a deterrent to them." The CCRA has created a toll-free number that it has provided with a letter to all those affected by the server theft. Comment: [email protected]

09-30-2003, 11:18 PM	#3
asuna Confirmed User Join Date: May 2002 Location: Montreal Posts: 8,743	Stupid quebec __________________

09-30-2003, 11:34 PM	#5
Dildozer Confirmed User Join Date: Jul 2002 Location: Montreal Posts: 7,519	goddamnit!!! my whole family's in the construction industry... __________________ Spam link here

09-30-2003, 11:40 PM	#7
Jimbo Confirmed User Industry Role: Join Date: Oct 2001 Location: Montreal Posts: 3,989	I don'T know what CCRA is so I guess I'm all fine __________________ free sex videos

09-30-2003, 11:53 PM	#12
KaLi Confirmed User Industry Role: Join Date: Aug 2003 Location: Lomita, CA Posts: 4,371	Well, One more reason to move to CA.. __________________ icq:160-417-630

09-30-2003, 11:14 PM	#2
MattO The O is for Oohhh Join Date: Feb 2003 Location: AUSTIN TEJAS Posts: 10,861	summarize please

09-30-2003, 11:21 PM	#4
Reak So Fucking Banned Join Date: Mar 2003 Location: 420Calendar.com Posts: 17,920	That's fucked up

09-30-2003, 11:36 PM	#6
Stud Money So Fucking Banned Join Date: Sep 2003 Location: Somewhere between my monitor and my chair Posts: 3,214	Adrien Gérard Aimé Georges Alain Gaston Alexandre Gabriel Alexis Frédéric Alfred Franck Amaury Eugène André Étienne Antoine Éric Anton Emmanuel Arnaud Émile Arthur Édouard Benjamin Didier Benoît Denis Bernard David Bertrand Daniel Bruno Claude Christian Christian Claude Bruno Daniel Bertrand David Bernard Denis Benoît Didier Benjamin Dominique Auguste Édouard Arthur Émile Arnaud Emmanuel Anton Éric Antoine Étienne André Eugène Amaury Franck Alfred Frédéric Alexis Gabriel Alexandre Gaston Alain Georges Aimé Gérard Adrien Thats a sample of the names - I sale full canuck personal details list

09-30-2003, 11:40 PM	#8
grogan So Fucking Banned Join Date: Feb 2001 Location: CHICAGO Posts: 2,284	canadians personal info is worthless.

09-30-2003, 11:54 PM	#13
marty Confirmed User Join Date: Feb 2002 Posts: 1,656	What's the big deal? They all sleep with their sisters so that's no secret.

10-01-2003, 02:20 AM	#14
nutzella So Fucking Banned Join Date: Oct 2003 Location: New Mexico Posts: 40	It wont be long before one of these clowns steals the wrong persons info and ends up pushing up daisies