University of Ottawa gets failing grade in data breach


The University of Ottawa has found itself the subject of an investigation regarding a potential data breach. According to news reports, the information of some 900 students may have been exposed when an external hard drive went missing.

This involved the personal information of people with disabilities and mental health issues. Um, so that’s really bad. I’m having a hard time with this, as I do with so many data breaches. At first blush it appears that the information was not encrypted.

Now, it doesn’t spell that out in the report on CBC. But if this information were contained on an encrypted drive, I wouldn’t think that there would be breach notification letters being sent out and the Ottawa police involved.

From the CBC:

"The University takes its role in safeguarding personal information and using it in an appropriate manner very seriously. Measures have been put in place at SASS to reduce the risk of the situation recurring. The University is deeply sorry about this situation," the university said.

Now, if I were to believe that they took the role of protecting information seriously, I would have to set aside the possibility that the hard drive was not encrypted. Suspension of disbelief. But, I just can’t. Now, this begs the question, what was the data on the drive exactly? Why was this information being backed up to a device that could grow legs and walk out the door?

From Ottawa Sun:

“We’re still investigating,” director of institutional communications Patrick Charette said. “In the meantime, we fixed the back-up procedure to make sure that we reduce the risk of such a thing happening again. In terms of what happened and how it happened, we’re still assessing.”

So, no one really has any idea as to what happened in this case. Not one to throw stones, but rather, this is a great opportunity to, YET AGAIN, discuss sensitive data and encryption. If you are working in a job where you have access to sensitive data, ask yourself this simple question: “If this gets out, how fast will I be fired?”

The next question I would have is: was this drive in an open area or locked in an office? Occam’s Razor tells me that this was a crime of opportunity or, more realistically, it was an oversight and is sitting in a filing cabinet somewhere. If this was a crime, was the drive someplace where there were cameras?

I hope for the sake of the affected students who have their information on this external hard drive that they aren’t going to be exposed.

This type of data breach leads me to have a lot of questions. I can’t help but apply my face to palm yet again. This isn’t an acceptable method to back up sensitive data. If we’re being honest, encryption isn’t that hard, but we continue to see data breaches like this time and again. This has to be a learning opportunity for others. Hopefully one day this sort of thing will be beaten out of the system.

Copyright © 2016 IDG Communications, Inc.
