Security News

Stolen UVic items found in mailbox

Friday, January 27, 2012

An investigation into a security breach and break-in at the University of Victoria has taken a bizarre twist after most of the items that were stolen - minus a key computer-storage device - were found inside a garbage bag that had been left in a mailbox.

The discovery in Langford last week heightened concerns that someone may be planning to defraud UVic employees using unencrypted personal and banking information that was stored on the missing device.

"We think the situation now is more grave as far as the potential for frauds," Saanich police spokesman Sgt. Dean Jantzen said.

A Canada Post employee found the green bag in the box in the 1300 block of Bear Mountain Parkway on Jan. 18. A handwritten note on the bag said: "Stolen data from UVic. Please return."

Inside, police found a second note as well as a number of laptops, computer flash drives and media-storage devices believed to have been taken from a university administration building. The theft was discovered Jan. 8.

The unsigned, computer-generated note in the bag apologized for causing any inconvenience and claimed that none of the information on the hard drives had been misused.

"The information on these drives was not copied, distributed, or exploited," the note said. "We want no part of everyday people living in fear that their personal information is being used against them to take they're (sic) hard earned money."

Police said the devices that were returned had all been "thoroughly and professionally destroyed," making it impossible to recover any data or determine for certain whether they were the ones stolen from UVic.

Police showed the items to university officials who recognized most of them.

But the officials insisted that one media storage device did not belong to them.

The phoney device resembles a stolen drive that contained most of the unencrypted information on nearly 12,000 current and former employees.

"Why return this data absent the one key media drive that does have all the concerning data on it - 99 per cent of the concerning data?" Jantzen said.

"Someone or some people have taken the time to actually mock up a dummy media-storage device and include it in the materials returned, suggesting: 'Here you are, everything's been returned and all is well.'

"In our minds, all is not well . . . This goes beyond just a sick prank in our minds, leading us to believe this is something more sinister."

Jantzen said the concern is that the thief or thieves hope to throw the police off their trail, and dupe some employees into thinking that there is no longer a risk. He advised all employees who have not already done so to contact their banks and credit agencies and take steps to protect their finances and identities.

"We are really trying to head off any future frauds," he said.

Police took the rare step of releasing the note in its entirety in hopes that someone will recognize the words or phrases used.

"We think the note is unique," Jantzen said.

Source: http://www2.canada.com/victoriatimescolonist/news/capital_van_isl/story.html?id=a481f8e9-59a1-4d6f-8552-b115265b5099

Anyone with information is urged to contact police or Crime Stoppers. lkines@timescolonist.com




2,700 personal tax files downloaded on missing laptop

Sunday, November 06, 2011

The confidential tax files of almost 2,700 Canadians are missing after a Canada Revenue Agency worker took them home and let a friend download them onto a laptop.

The laptop has disappeared, the agency is scrambling to rewrite its security protocols and the privacy commissioner is asking why no one alerted her to the breach in confidentiality.

“Our office was not informed about this incident,” said Anne-Marie Hayden, spokeswoman for Jennifer Stoddart, privacy commissioner of Canada. “We will be following up with CRA for further information on the issue.”

The investigation report, along with related documents, was obtained by The Canadian Press under the Access to Information Act.

The major breach occurred in early 2006, when an auditor in the agency’s Toronto office asked a government computer technician to download 37,488 of her emails and 776 documents onto 16 CDs. The confidential material covered the years 2000 to 2006, and was not encrypted as required by agency rules.

The woman took the CDs home, and allowed a male friend to copy at least one of them to a laptop.

The breach only came to light when the woman produced the CDs during a grievance hearing before the Public Service Labour Relations Board in 2008. She wanted the panel to read a key 2005 email on one of the CDs, in support of her grievance that the CRA had not accommodated her health problems.

“She was upfront at the hearing that the CDs contained taxpayer information and advised (CRA senior official) Tracey O’Brien to safeguard the information,” says an internal report into the privacy breach. “This caused a disruption in the hearing.”

The woman employee, who suffers from fibromyalgia which causes chronic body pain, eventually won her grievance and was awarded $6,000 for pain and suffering. Two of her supervisors were required to take training in how to accommodate workers with disabilities.

But the privacy breach uncovered at the hearing triggered a wide-ranging internal probe into why the confidential material was poorly safeguarded — and whether it could be retrieved. The woman was sent a letter in early 2009, asking her to produce the friend’s laptop.

“He (the friend) told her that he would not provide the laptop and was unco-operative,” says the investigation report.

The agency eventually recovered the 16 CDs from the employee, but still has not recovered the laptop.

“The laptop was the property of a private company and was no longer available at the time of the administrative investigation,” CRA spokesman Philippe Brideau said when asked about the incident.

“However, the facts gathered during the investigation determined reasonable grounds to believe that the information copied to the laptop had been erased in such a way that an average user could not access through a normal operating system.”

Brideau confirmed the agency’s policy requires that personal information copied onto CDs or any other removable storage device must be encrypted, but there was a “gap in awareness training and procedures.”

He said CRA is currently drafting a guideline to prevent further breaches in confidentiality.

The internal probe found at least 2,660 instances of confidential taxpayer information on the single CD that the employee said she had given to her friend to download. All 16 CDs contained much more confidential information, but the investigation did not indicate how many more taxpayers were involved.

The heavily censored report notes, however, that “a limited number of taxpayer accounts was reviewed. At that point, there did not appear to be any income tax implications such as requested adjustments or unusual refunds.”

Treasury Board policy “strongly” recommends that institutions inform the privacy commissioner soon after learning of any breach if it “involves sensitive personal data such as financial ... information.” The CRA probe determined that the CDs contained exactly such financial information.

But Brideau said the incident was judged to be “low risk,” and the decision taken not to inform the privacy commissioner.

He added that he could not comment on any sanctions taken against the offending employee because of privacy rules.

“All CRA employees are subject to a strict Code of Ethics and Conduct,” he said. “The CRA takes all allegations concerning the conduct of its employees very seriously and takes immediate action to have all allegations investigated.”

“Any employee who violates this code may face disciplinary action up to and including termination of employment.”

The laptop incident is among dozens in which tax agency workers have breached security rules, many of them snooping on other Canadians, including ex-spouses, mothers-in-law, creditors and others by reading confidential tax files.

Source: http://www.thestar.com/news/canada/politics/article/1082212--2-700-personal-tax-files-downloaded-on-missing-laptop


Councillor levels 'cyber-stalking' accusation

Friday, November 04, 2011

As fallout from Mississauga's judicial inquiry continued Wednesday, Councillor Bonnie Crombie surprised observers by accusing a long-time city watchdog of "cyber-stalking" her teenage children.

The allegation came after Ursula Keuper-Bennett, who maintains a critical blog called MississaugaWatch, raised questions about council's response to the recently concluded inquiry, which found Mayor Hazel McCallion acted improperly by advocating for her developer son.

"What qualities do you possess to make you an authority on ethical behaviour?" Ms. Crombie demanded.

After Ms. Keuper-Bennett, appearing to be caught off guard, conceded she was not an ethics expert, the Ward 5 councillor unleashed a tirade.

"Is it ethical to create a video on a 14-year-old child?" Ms. Crombie demanded. "Is it ethical to cyber-stalk a minor [and] to go after politicians' children in videos?"

She was referring to an online video compilation featuring Facebook photographs of her three children that was uploaded by "MississaugaWatch" this past August. The video primarily focuses on Alex Crombie, now 22, contrasting pictures of his vacations and parties with a Facebook site he created to support his political ambitions.

But the video also highlights photographs of 14-year-old Natasha Crombie and 18-year-old Jonathan Crombie. The children were younger in some of the featured photographs, Ms. Crombie said.

Ms. Keuper-Bennett says she looked the children up after discovering the Crombie sons' names on a 2009 petition urging the city to cancel the inquiry.

"You have breached every code of conduct that I can imagine by going after my family on a personal level," Ms. Crombie fumed.

Ms. Keuper-Bennett disputed the cyber-stalking allegation, suggesting Ms. Crombie was merely trying to avoid the inquiry discussion.

"She's been trying to sweep the inquiry under the rug," Ms. Keuper-Bennett said, noting her video aimed to underscore Ms. Crombie's "hypocrisy" as a public figure who sent her children to private school.

Ms. Keuper-Bennett also pointed to Ms. Crombie's public Web presence, which includes photos of her children posing with Liberal MP Justin Trudeau.

The unexpected exchange took the focus squarely off Ms. Keuper-Bennett's council presentation, which called into question the city's response to the $7-million inquiry. She replayed clips from last week's fiery general committee meeting, during which pro-inquiry Councillor Nando Iannicca lashed out at his pro-McCallion colleagues: "If you did not vote for the inquiry, if you do not agree with its findings and if you are not appalled at what happened, you are not fit for public service."

Source: http://www.canada.com/nationalpost/news/toronto/story.html?id=65dcd18b-590a-4a2e-b537-c844ede81fd3


Missing laptop, USB stick put VGH patient records at risk

Saturday, October 29, 2011

In a major breach of privacy, medical records of 430 Vancouver General Hospital patients may have been compromised after a laptop and USB memory stick with their information were lost by a medical resident while he was in Toronto for a conference.

The data consisted of information involving surgical patients who visited the hospital between Nov. 16, 2010 and March 2011, including their names, date of birth and diagnosis.

The information was password protected, but not encrypted, and there was a delay of 12 days before the Vancouver Coastal Health privacy office was notified.

Letters dated Oct. 6 were sent out to patients informing them of the breach, warning them to protect themselves from possible identity fraud.

But it was not done fast enough, argued NDP health critic Mike Farnworth, saying the delay in notifying those involved implies that the health authority doesn't take the protection of personal information seriously.

"The fact that there was a time-lapse of two to three weeks before the people concerned were informed is unacceptable," said Farnworth.

"There needs to be a proper protocol in place to deal with such situations."

Gavin Wilson, director of public affairs at Vancouver Coastal Health, said the organization has very clear policies in place with regard to the use of portable and mobile devices. These include using mobile devices only when absolutely needed, keeping a bare minimum of personal information on them and making sure that in addition to being password protected, the information is encrypted.

Physicians and health care professionals are also required to keep the mobile devices on their person, and in case the devices are lost or stolen, they are required to inform the privacy office as soon as possible.

"This was a very serious breach of patient confidentiality. It is unacceptable," said Wilson. "We are conducting a thorough investigation and the person concerned has been issued a verbal warning."

"It is possible the resident was not entirely aware of our policy and guidelines. He was not a regular employee, so had not gone through our orientation in this regard."

The matter is also being investigated by The B.C. Office of the Information and Privacy Commissioner, which is acting on a complaint from one of the affected patients.

In a previous incident in 2006, a computer containing personal information of health care employees had gone missing from the office of the Employee and Family Assistance program run by VCH.

Concerns were also raised last year about possible breaches of patient privacy when Auditor-General John Doyle and Paul Fraser, who was acting Information and Privacy Commissioner at the time, issued separate reports identifying serious weaknesses in a computer system that is used by the health authority.

Read more: http://www.vancouversun.com/health/Missing+laptop+stick+patient+records+risk/5627700/story.html#ixzz1dWmJmrqR


How private is that text message?

Thursday, August 25, 2011

Text messaging may help quiet the hum of public cellphone conversations – but it may be just as vulnerable to eavesdropping.

Canada’s privacy commissioner says Canadians aren’t doing enough to protect their mobile communication devices, such as cellphones and tablet computers.

A survey by the commissioner’s office suggests only four in 10 people password-protect their phones or adjust privacy settings on personal-information sharing via downloaded applications.

People who actually store personal information on their devices were more likely to use privacy measures.

“We encourage people to use passwords, encryption, privacy settings and every other available measure to safeguard their personal information, because the meaningful protection of privacy has to start with the individual,” Commissioner Jennifer Stoddart said.

Canadians are increasingly worried about their privacy in a digital environment.

The survey found that levels of concern about a range of technologies and applications, including cellphones, online banking, and credit- and debit-card transactions, all rose since 2009.

Canadians between the ages of 18 and 34 were found to be the most enthusiastic users of technology but also the most likely to use available tools to protect their privacy online.

Ms. Stoddart called that finding gratifying.

“Young people are sometimes stereotyped as digital exhibitionists who are quite uninhibited in posting comments and personal images,” she said.

“And yet, this new data shows that they not only care about privacy, they are actually leaders in protecting it.”

Two thousand people were surveyed for the commissioner’s poll, which has a margin of error of plus or minus 2.2 percentage points, 19 times out of 20.

It was conducted between Feb. 23 and March 6, just as outrage in Britain over a tabloid newspaper hacking into people’s cellphones began to grow. In that case, reporters broke into people’s voice mail messages and investigations continue into whether reporters also had phone-tracking records.

The scandal ultimately brought down one of the country’s oldest newspapers.

And in the aftermath of riots in London earlier this month, authorities there are actively monitoring social-media sites and musing about expanding that to mobile devices to prevent similar events.

The Canadian survey asked whether people felt police should have access to their online usage information without a warrant. A whopping 82 per cent said No.

Eight in 10 Canadians also said Internet companies should ask permission to track how users spend their time online.

One of the biggest thorns in the privacy commissioner’s side over the years has been the privacy policies of online social networks.

In 2008, she launched one of the first investigations into how Facebook handled the issue.

The social-media giant has since repeatedly toughened up its policies, including a revamp this week that allows people to accept or reject being identified in someone else’s photo.

The survey found that more than half of Canadians have concerns related to social-networking sites, but most take advantage of available privacy controls.

Source: http://www.theglobeandmail.com/news/technology/tech-news/how-private-is-that-text-message/article2141766/


Le Devoir Hacking Prank Under Police Investigation

Wednesday, August 17, 2011

MONTREAL – The French language newspaper Le Devoir made a complaint to police Tuesday after its website was hacked with a short article announcing Premier Jean Charest’s death.

An investigation is being conducted by the information technology crime unit of the Montreal police. The story, posted at 1:09 a.m., stated the premier had died of a heart attack at the CHUM hospital and that the health facility had confirmed the news, which turned out to be false. The story was quickly picked up by radio stations and by Twitter users before it was declared a hoax.

“I still can’t get over it,” said Le Devoir editor-in-chief Josée Boileau. “This is serious; it was an attack on both the premier and our credibility as a newspaper.”

“We are excluding the idea that the sabotage was caused by someone from the inside. We think it’s someone from outside Le Devoir”.

The newspaper’s website security was reinforced during the day and the site was experiencing difficulties with loading pages in the meantime.

Nathalie Forgues, spokesperson for the CHUM, said she received several phone calls from media about Premier Charest in the early morning on Tuesday. “We realized pretty quickly that it was a hoax when we checked with staff at the hospital,” said Forgues.

Premier Charest joked about his fake death when addressing media in Quebec City. He said he was home exercising when he heard the news in the morning.

“I immediately rushed to a mirror to see if I was still there,” he said laughing. He added that he was impressed by Le Devoir’s quick reaction to the situation and added that no media is really immune from cyber piracy.

LeDevoir.com was shut down between 2:30 a.m. and 4:00 a.m. while technicians tried to restore the site. Even the Wikipedia page about Jean Charest had been modified by an anonymous source to confirm the premier’s death. Le Devoir denied the news at 4:56 a.m. in an apology published on their website.

“According to information we received this morning, our site was hacked,” read the text. “We are currently trying to find out what exactly happened. We offer our apologies, of course to the premier and to our readers. Le Devoir cannot comment further until the source of the problem has been identified”.

The hoax article, now removed from the site, was falsely attributed to Jeanne Corriveau, a journalist at Le Devoir.

“I only heard about it hours later,” said Corriveau. “I haven’t really worried about my reputation, or even thought about it that much. We’ll see what happens with the police investigation.”

Cyber attacks are a growing concern for organizations that are part of the online world. While many activists are turning into “hacktivists” and using computers as a means of protest to promote political ends, other computer hackers are cracking into systems simply for the kick of it.

“There’s a trend in the cyber world where entertainment is at the expense of someone else,” says Shaheen Shariff, associate professor at McGill University and an expert on cyber bullying. “What happened to Premier Jean Charest demonstrates that well. There’s just so much online these days that it seems some people feel they have to be more radical and more bizarre than others to get their voices heard over the rest.”

Gabriella Coleman, an assistant professor at New York University in media, culture and communication, has been studying political and free software hackers and noticing recent trends in cyber attacks. “There’s been an increase in hacking interventions in the last eight months,” she said, adding that cyber security hasn’t adapted enough to this increase in attacks.

“And political attacks work best for hackers because that’s how you get media attention,” said Coleman.

On July 4, Fox News also fell victim to hacking, with its politics Twitter feed repeatedly announcing President Barack Obama had been shot dead. @Foxnewspolitics began tweeting false information to its 33,000 followers about 2 a.m. until the station took back control of its account.

A few days later, a hacker gained access to Canada’s Conservative party’s website and posted a news release falsely reporting Prime Minister Stephen Harper had been rushed to hospital after choking on a hash brown at breakfast.


Canadian government targeted in global hacking scheme

Thursday, August 04, 2011

Computer security company McAfee has issued a report detailing a five-year hacking scheme that targeted countries, companies and numerous organizations.

McAfee says there were more than 70 intrusions from the same source over the past five years, including four in Canada.

The earliest, in July 2008, targeted an unidentified Canadian information technology company for four months, then the Montreal-based World Anti-Doping Agency was infiltrated for 14 months in August 2009.

David Skillicorn, a Queen’s University School of Computing professor and computer security expert, says people need to realize that the internet isn’t as secure as they may think.

“Everyone thinks they are in a nice neighborhood, but when you are on the internet, it’s like you are walking down the darkest streets of the world," said Skillicorn. "If you are on the internet, you are everywhere. There are billions and billions of people with access to the internet and some of them are really bad people who will hack into your system and steal important data."

McAfee says two unidentified Canadian government agencies were targeted — the first in October 2009 for six months and the second in January 2010 for one month.

"The question of cyberattacks is not new and it's an ongoing concern," said Liberal MP Geoff Regan, critic for industry and consumer affairs.

"The question is what steps are being taken by government to make sure this doesn't happen. If we find that this latest incident has resulted in more of that information being compromised, then I think the government has some answers to give," said Regan, who stressed that he had not yet read the McAfee report.

The report goes on to say the governments of the U.S., Taiwan, India, South Korea and Vietnam were also on the target list, along with the IOC, the United Nations and an array of companies.

The report author, Dmitri Alperovitch, says most victims have long since addressed the infections and the report is meant to reinforce the fact that anyone can fall prey to intrusions.

McAfee has dubbed the scheme Operation Shady RAT, with RAT being a common acronym in the computer industry meaning Remote Access Tool.


http://www.cbc.ca/news/technology/story/2011/08/03/pol-government-hackers.html


Roseman: Why is Staples keeping our private purchase data?

Wednesday, June 22, 2011

Jennifer Stoddart, Canada’s privacy commissioner, wants businesses to improve the way they store customers’ personal information – or face being named and shamed in her annual report.

In the 2010 report released this week, she scolds Staples Business Depot for its weak privacy protection practices, such as storing print and copy orders for a one-year period.

She had recommended keeping orders only long enough to let clients address any quality issues – and dismissed the argument that information was stored securely by a third party, requiring consent for disclosure.

“Although Staples says it will inform customers that online submissions will be stored for one year, it is our Office’s view that this information is being retained longer than necessary,” her report said.

The Staples audit, which uncovered 10 issues that required follow-up action, was triggered by customer complaints that personal information remained on computers returned to the store.

The data had not been erased adequately before the computers were resold. And while the retailer later adopted a wipe and restore process, it was not effective for all devices.

Stoddart’s position: If Staples is unable to remove all customer data from a particular manufacturer’s device, it is unacceptable to resell that device.

Online privacy is a big concern for the commissioner, who was reappointed late last year. The growing threats – and our ignorance of them – are described in vivid language that is a delight to read.

“Many people don’t know they’re leaving a trail of digital breadcrumbs when they click their way through websites and from website to website,” she says in the report.

“They don’t know that these crumbs are stored, analyzed and accessible. And they don’t understand that this information may be used in ways they never imagined.

“How many people actually read privacy policies? How knowledgeable are people about securing their home computers or networks?”

She talks about some people living their lives like reality TV stars, enthusiastically sharing even their most intimate thoughts and images online.

Others, who aren’t digital exhibitionists, may still give up plenty of information about themselves.

“By using loyalty cards, for instance, they’re actively trading personal data for retail discounts or other goodies. And that’s just what people do consciously.

“Beneath that lies a whole other layer that most people know little about, including the massive data collection that occurs when people browse Internet websites or make online purchases.”

Here’s a troubling statistic: While private-sector organizations are urged to report data breaches, only 44 incidents were reported last year. That’s down from 58 in 2009 and 65 in 2008.

Companies don’t have to report major data breaches to the privacy watchdog or to individuals affected by them. A bill to bring in mandatory reporting died on the order paper before the last election.

Consumers should have the right to know if personal information entrusted to an organization is disclosed without authorization – with possible harm to their finances, reputation, job opportunities or creditworthiness.

In a complaint resolved by her office, a man checked his credit report and noticed an inquiry from a credit card issuer he’d never dealt with before.

Someone had fraudulently applied for a card in his name. But the application was rejected because some personal information was incorrect.

The credit card company couldn’t remove the inquiry, but was able to have it considered a “soft” inquiry, which was only visible to the complainant and had no impact on his credit score.

In contrast, a “hard” inquiry would be included on that person’s credit report and viewed by other credit granting organizations for years to come.

I applaud Stoddart’s efforts to improve the privacy literacy of Canadians and warn companies about careless data handling.

In Saturday’s column, I’ll talk about a privacy breach by Canada’s biggest home services firm, Direct Energy, which was discovered by a reader and brought to my attention.

Ellen Roseman writes about personal finance and consumer issues. You can reach her at eroseman@thestar.ca.


Source: http://www.moneyville.ca/article/1012911--roseman-why-is-staples-keeping-our-private-purchase-data?bn=1

Scotiabank clients fear identity theft after personal data lost

Monday, June 06, 2011

Michael Binetti, a lawyer who specializes in commercial litigation and competition law with Affleck Greene McMurtry LLP, received a call telling him about the missing information on Saturday.

The 31-year-old was concerned when he heard the news that his personal information might no longer be confidential and could potentially be used by someone to get fraudulent credit cards or establish a fake identity.

“It’s disheartening to know that a company that big can’t keep track of a CD-ROM with confidential information on it,” he told the Star. “I don’t want to be in some situation where some rogue is applying for credit in my name . . . And then I have to prove he’s the imposter.”

“With big organizations there is a certain risk anyway. But it’s disappointing to hear that some courier somewhere has these CD-ROMs and they (the bank) can’t find them.”

Binetti said he was told by a Scotiabank representative the CD-ROMs were mislaid Wednesday and that the bank thought they had been lost internally.

However, the representative said the bank was warning clients just in case so they could monitor their accounts and make sure there was no fraudulent activity. Said Binetti: “What choice did they have? I’m not going to give them credit for being proactive.”

Binetti said he was also told to have a personal credit check done to see if there were any new credit cards listed that he hadn’t applied for.

Other bank clients also contacted the Star to express concern.

In an email to the Star, Scotiabank confirmed the CD-ROMs were missing, calling the incident an “extremely rare occurrence.”

“The parcel containing the three CDs has gone missing while in internal mail between two Scotiabank departments,” Joe Konecny, a media spokesman for the bank, said in the email.

“Based on our investigation, we believe that the CDs were misdirected in internal mail and we have no reason to believe that this incident puts our customers at risk.

“We are notifying customers as a precaution. The Canadian privacy commissioner has also been advised.”

Scotiabank also confirmed the discs contained the names, mailing address, social insurance numbers, registered account type and account numbers for clients. They, however, did not contain account balances or other financial or employment information, according to Scotiabank.

But how many people have been affected remains unclear. Scotiabank would only say a “small percentage” of clients had their confidential information on the CD-ROMs.

The discs were to be sent to the Canada Revenue Agency as part of the bank’s requirements to provide such information to the agency. The bank has strict processes and procedures in place to protect customer privacy and confidentiality, the statement added.

But that doesn’t ease Binetti’s mind. “The lesson for consumers is don’t assume because you’re dealing with a big organization that they have control over your information the whole time,” he said.

Source: http://www.healthzone.ca/health/article/1003204--scotiabank-clients-fear-identity-theft-after-personal-data-lost
