(AP) A privacy breach involving as many as 2.4 million voters after memory sticks containing their personal information vanished from an elections warehouse is "deeply disturbing" and could lead to identity theft on a massive scale, Ontario's privacy commissioner said Wednesday.
Ann Cavoukian said the breach is the largest and most serious she has seen during her 25-year tenure.
"The potential for the misappropriation of the data is huge," she said. "You just don't know what might happen to it. Identity theft is what comes to mind because when someone has your accurate information in terms of a full name, address and date of birth, the things that people can do is very powerful, taking out things in your name, sending you phishing things, it's very powerful."
The head of Elections Ontario said two memory sticks went missing in April containing copies of personal information collected from up to 2.4 million voters in up to 25 districts in Ontario.
Greg Essensa said the data wasn't encrypted or password protected, contrary to the agency's policy, and it can't locate the sticks, which were not stored in their proper location.
The USB keys contained the names, birth dates, addresses and gender of voters, he said. They also have information about whether an individual voted in last fall's election but not how they voted and any other personal information updates provided by electors during that time.
The data doesn't include provincial health card or driver's license information, phone numbers, email addresses, credit card or banking information, he said.
Essena, who apologized for the privacy breach, said he found out about the missing keys on April 27. Cavoukian said she was notified July 5, but did not know why there was an almost three-month delaying in informing the commission.
Ontario Provincial Police are investigating the breach, along with Cavoukian.
Cavoukian said people in the voting districts should monitor their credit card bills and other transactions for at least a year for any signs of identity theft.
The incident is "deeply, deeply disturbing," given her repeated warnings about securing personal information, she said.
"It's so unfortunate when you have a policy that says the data must be encrypted if it's being transferred to a USB key, but the key is ensuring the policy is reflected in the actions of a department and its employees," Cavoukian told The Associated Press.
Essensa said Elections Ontario has hired a law firm and a forensic security firm to guide a full investigation. The agency plans to table a comprehensive report by the end of the year.
It's also reviewing its policies and procedures related to privacy, as well as its infrastructure and oversight.
The two individuals who were responsible for the sticks are no longer with the agency, Essensa said.
Explore further: Don't stop anonymizing data