A week after the information and privacy commissioner confirmed all the fall-downs that led to the massive privacy breach of student records, the government disclosed some of the details about the breach, and the frantic aftermath.
A response to a freedom-of-information request included 150 pages of internal email correspondence that give a flavour of how personal information on 3.4 million people was improperly moved to two portable hard drives, how one of the drives went missing and how urgent the search last fall was to locate it. The response was posted Monday.
One of the documents was a history of the hard drive, written after the realization that it was missing and that it constituted a major security breach. It said that a research officer copied a huge volume of data from 1998 to 2008 from the Education Ministry’s network drive onto the two external hard drives.
One of the drives was retained in the ministry offices and the other was sent off-site. “It is the one we are having trouble locating now,” said the report.
Part of the history is redacted, on the grounds disclosure might be harmful to law enforcement. But it said the records indicate the drive was in a locked filing cabinet in a locked cage inside a secure warehouse. The idea was to retain the information in the event of a catastrophe that might prevent accessing the files on the network.
The history includes some supposition from various employees about which warehouse might have housed it. There are notes about reorganizations and renamings, all of which contributed to the discovery in August 2015 that it could not be located.
“Because of numerous personnel and organizational changes, most of the unit’s current staff did not know of the existence of a second drive,” said the report.
The hard drives were purchased ($204 each) because the ministry’s network drive was filling up and “having a few external hard drives instead of paying the high storage rates may be a good option.”
The information includes millions of names and grades of students, whether they finished school, were on welfare, had cancer or were in the care of government, among many other things.
A number of records on teachers were also on the drive.
Information and privacy commissioner Elizabeth Denham concluded no one could verify whether the hard drive ever arrived at the warehouse. While there were sound privacy and security policies in place, several employees contravened a series of them. Moving the data to a hard drive breached a directive that was issued following another, earlier breach.
“The ministry compounded this contravention by failing to encrypt the information,” said the report. “This contravention made the information accessible to anyone in possession of the hard drive.”
The ministry also failed to record the existence of the drives in an inventory and to store the backup in an approved records facility.
Included in this week’s release were emails from Yukon officials asking numerous questions about the breach and about B.C.’s storage protocols. The drive had Yukon student exam and course information from 1991 to 2008.
After it was established that the hard drive was missing, it took a team of 28 people to review each of the 139,000 files from the original hard drive to determine what information was on the missing copy. Another team of about 40 people searched the warehouse at least four times, even opening shrink-wrapped pallets in the hunt for the drive. The deputy minister ordered everyone who hadn’t taken the “Privacy and Information Sharing Awareness Training” course to sign up for it.
With evidence that it was created and sent to a warehouse, but no sign of it for several years, one of the possibilities was that it wound up at the Asset Investment Recovery Branch, which disposes of government surplus. But there were no records of it turning up there, and it remains missing to this day.
Just So You Know: The cost of the entire investigation and all the overtime searches and staff time that went into the mystery isn’t disclosed. But it clearly cost a fortune. All of it was incurred to find a drive that was created in order to save a few thousand dollars in data-storage costs on the network.