• United States




University of Ottawa gets failing grade in data breach

Sep 22, 20163 mins
Data BreachSecurity

The University of Ottawa has found itself the subject of an investigation regarding a potential data breach. According to news reports, the information of some 900 students may have been exposed when an external hard drive went missing.

This involved the personal information of people with disabilities and mental health issues. Um, so that’s really bad. I’m having a hard time with this, as I do with so many data breaches. At first blush it appears that the information was not encrypted.

Now, it doesn’t spell that out in the report on CBC. But, if this information was contained on an encrypted drive I wouldn’t think that there would be breach notification letters being sent out and having the Ottawa police involved.

From the CBC:

“The University takes its role in safeguarding personal information and using it in an appropriate manner very seriously. Measures have been put in place at SASS to reduce the risk of the situation recurring. The University is deeply sorry about this situation,” the university said.

Now, if I were to believe that they took the role of protecting information seriously, I would have to set aside the possibility that the hard drive was not encrypted. Suspension of disbelief. But, I just can’t. Now, this begs the question, what was the data on the drive exactly? Why was this information being backed up to a device that could grow legs and walk out the door?

From Ottawa Sun:

“We’re still investigating,” director of institutional communications Patrick Charette said. “In the meantime, we fixed the back-up procedure to make sure that we reduce the risk of such a thing happening again. In terms of what happened and how it happened, we’re still assessing.”

So, no one really has any idea as to what happened in this case. Not one to throw stones but, rather this is a great opportunity to, YET AGAIN, discuss sensitive data and encryption. If you are working in a job where you have access to sensitive data ask yourself this simple question, “If this gets out how fast will I be fired?”

The next question I would have is was this drive in an open area or locked in an office? Occam’s Razor tells me that this was a crime of opportunity or, more realistically, it was an oversight and is sitting in a filing cabinet somewhere. If this was a crime, was the drive someplace where there were cameras?

I hope for the sake of the affected students who have their information on this external hard drive that they aren’t going to be exposed.

This type of data breach leads me to have a lot of questions. I can’t help but apply my face to palm yet again. This isn’t an acceptable method to back up sensitive data. If we’re being honest encryption isn’t that hard but, we continue to see data breaches like this time and again. This has to be a learning opportunity for others. Hopefully one day this sort of thing will be beat out of the system.


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author