Thursday, August 2, 2012

Government Doesn't Know Difference Between Compression and Encryption; Endangers 2.4 Million People's Identities

7 statements

This is terrible. Of course, don't expect anyone to suffer any consequences over this:

TORONTO — Elections Ontario staff who lost two memory sticks with the personal information of millions of voters did not encrypt the files because they didn’t know what encryption meant, privacy commissioner Ann Cavoukian said Tuesday. “They went online, they Googled it, and the closest they could discern was that encryption means zipping the data, which means compressing the data, not encrypting it,” Cavoukian said at a press conference. The missing USB keys included voters’ full names, addresses, date of birth, gender and whether they voted in the last election — information that is a “gold mine” for identity thieves, warned Cavoukian. “Cases of identity theft often take well over a year before they transpire,” she said. “They lay low, wait until the story is yesterday’s news, and then hit hard, so you have to be vigilant.” The lost data is from about 2.4 million voters in 20-25 electoral districts, but because Elections Ontario can’t say which districts, four million voters in 49 ridings are being advised to keep an eye on their bank statements. Elections Ontario discovered the “massive breach” in late April, when two memory sticks went missing, but it didn’t tell the public until July 17, prompting investigations by the information and privacy commissioner and provincial police. Even worse, said Cavoukian, the agency went right back to using USB keys without enabling the encryption software just four days after realizing it had lost the two other data storage devices. “I hit the roof, as you might imagine,” she said. “On what planet do you do that, do you do the same thing again and not encrypt the data? It’s baffling to me.”
I'll tell you what planet you do that on: Planet government!