2.4 million Ontario voter records missing

July 19, 2012 by CHARMAINE NORONHA

(AP) — A privacy breach involving as many as 2.4 million voters after memory sticks containing their personal information vanished from an elections warehouse is "deeply disturbing" and could lead to identity theft on a massive scale, Ontario's privacy commissioner said Wednesday.

Ann Cavoukian said the breach is the largest and most serious she has seen during her 25-year tenure.

"The potential for the misappropriation of the data is huge," she said. "You just don't know what might happen to it. Identity theft is what comes to mind because when someone has your accurate information in terms of a full name, address and date of birth, the things that people can do is very powerful, taking out things in your name, sending you phishing things, it's very powerful."

The head of Elections Ontario said two memory sticks went missing in April containing copies of collected from up to 2.4 million voters in up to 25 districts in Ontario.

Greg Essensa said the data wasn't encrypted or password protected, contrary to the agency's policy, and it can't locate the sticks, which were not stored in their proper location.

The USB keys contained the names, birth dates, addresses and gender of voters, he said. They also have information about whether an individual voted in last fall's election — but not how they voted — and any other personal information updates provided by electors during that time.

The data doesn't include provincial health card or driver's license information, phone numbers, email addresses, credit card or banking information, he said.

Essena, who apologized for the privacy breach, said he found out about the missing keys on April 27. Cavoukian said she was notified July 5, but did not know why there was an almost three-month delaying in informing the commission.

Ontario Provincial Police are investigating the breach, along with Cavoukian.

Cavoukian said people in the voting districts should monitor their credit card bills and other transactions for at least a year for any signs of identity theft.

The incident is "deeply, deeply disturbing," given her repeated warnings about securing personal information, she said.

"It's so unfortunate when you have a policy that says the data must be encrypted if it's being transferred to a USB key, but the key is ensuring the policy is reflected in the actions of a department and its employees," Cavoukian told The Associated Press.

Essensa said Elections Ontario has hired a law firm and a forensic security firm to guide a full investigation. The agency plans to table a comprehensive report by the end of the year.

It's also reviewing its policies and procedures related to privacy, as well as its infrastructure and oversight.

The two individuals who were responsible for the sticks are no longer with the agency, Essensa said.

Explore further: Don't stop anonymizing data


Related Stories

Don't stop anonymizing data

June 16, 2011

Canadian privacy experts have issued a new report today that strongly backs the practice of de-identification as a key element in the protection of personal information. The joint paper from Ontario's Information and Privacy ...

Sony to reveal PlayStation hack probe findings

April 30, 2011

Sony will reveal details of its internal probe into a massive theft of personal data from users of its PlayStation Network on Sunday, plus a timetable for bringing the network back into action, it said.

Citigroup says 360,000 affected by hackers

June 16, 2011

Hackers stole account information of more than 360,000 of Citigroup Inc.'s U.S. credit card customers in a recent data breach, the bank said Wednesday, almost double the number initially thought.

Stanford Hospital privacy breach puts data online

September 9, 2011

(AP) -- Stanford Hospital in California is blaming a subcontractor used by an outside vendor for a privacy breach that led to the posting online of medical information for thousands of emergency room patients.

The high price of data breaches

November 26, 2011

As consumers, we transmit valuable personal information to the companies with which we do business. In doing so, we trust that information will remain secure. Over the past year, however, we have learned of a number of instances ...

Recommended for you

Enhancing solar power with diatoms

October 20, 2017

Diatoms, a kind of algae that reproduces prodigiously, have been called "the jewels of the sea" for their ability to manipulate light. Now, researchers hope to harness that property to boost solar technology.


Adjust slider to filter visible comments by rank

Display comments: newest first

4 / 5 (1) Jul 19, 2012
Full name, address and date of birth have always been in the public record.

Even a simple telephone book provides name and address.

"when someone has your accurate information in terms of a full name, address and date of birth, the things that people can do is very powerful" - Article
not rated yet Jul 19, 2012
Although I do not live in the area stuff like this just INFURIATES me! I just don't understand how this continues to happen over and over again in this day and age, whether it be missing hard drives from a national weapons lab, or users' personal info stored in plain text files being hacked, or this. Encryption is so friggin' EASY, it's free, and so simple an 8 year old can encrypt a file, partition, or whole drive, and yet nobody seems to give a hoot until it happens to them. And when they do at least attempt to protect private info, they use a password like 'password' or 1234. Aaargh! Perhaps I'm oversensitive but I've been involved in security for 30 years now and it seems nothing ever changes. I can see an individual messing up once in a while, but this is occurring regularly in government agencies, military organizations, or huge corporate entities. I can manage to encrypt everything on my computer and every flash drive I own, but they can't? Did I say aargh? Yes--I'm pissed off.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.