Canadian Voter Information Missing
USB Keys Potentially Expose Information on MillionsTwo unencrypted USB keys carrying copies of information about voters in Ontario, Canada, are missing, potentially exposing information on between 1.4 million and 2.4 million individuals, according to Elections Ontario officials.
See Also: Why Active Directory (AD) Protection Matters
In a statement issued July 17, Chief Electoral Officer Greg Essensa says that the two USB keys contained information on voters in 20 to 25 electoral districts. There are 107 electoral districts in Ontario.
A spokesperson for Elections Ontario says some laptops used by staff were not connected to the organization's network, so the USB drives were used to transfer information among those laptops.
The potentially compromised information includes full name, gender, date of birth, address, as well as administrative codes used solely for election purposes and any other personal information updates provided to Elections Ontario by voters during the last election period, the statement says. Also on the USB keys was information on whether an individual voted in the October 2011 provincial election.
"The information at issue does not include how an individual voted," Essensa adds.
The USB keys didn't include Social Insurance numbers, Ontario Health card information, driver's license information, telephone numbers, e-mail addresses, credit card or banking information.
Essensa says that there's no indication that the information has been inappropriately accessed.
"Elections Ontario personnel did not follow policy regarding two USB keys containing copies of the voter information," Essensa says. The policy includes ensuring keys with personal information are password-protected and encrypted, and that they remain in the custody of Elections Ontario personnel.
At the time of the breach, employees were working on 49 electoral district files to update the Permanent Register of Electors for Ontario. The 20 to 25 districts affected by the breach were included in those 49 districts, a forensics examination determined.
Breach Response
Elections Ontario has notified the affected voters. A call center has also been set up to answer questions.
An internal investigation is under way to determine the circumstances leading to the missing USB keys. "We engaged external counsel, Gowling Lafleur Henderson LLP, to undertake and guide a full investigation, supported by INKSTER Incorporated, a forensic security specialist firm," Essensa explains.
The incident has also been reported to the Ontario Provincial Police. The Information and Privacy Commissioner is aiding Elections Ontario in a review of the organization's privacy policies and procedures.
Starting July 18, a letter will run in newspapers in the affected electoral districts, "to notify [voters] further of this matter and to recommend what care they should exercise," Essensa says. Individuals should monitor for unusual activity regarding transactions with government, banks, utilities and others, he advises.
By the end of the year, Essensa will give a comprehensive report to the Legislative Assembly, which will highlight the outcomes of the investigation.
Further, external experts are assisting in reviews of all policies, processes, procedures and protocols related to privacy, management, protection of voter information, training, management oversight, accountability and audits. Elections Ontario's strategic framework, infrastructure and management policies also will be reviewed.