Free Republic
Browse · Search
Topics · Post Article

Skip to comments.

Regina police recover missing hard drive (Financial, health records of 1 million+ compromised)
CBC News ^ | February 4, 2003

Posted on 02/04/2003 11:44:52 PM PST by Timesink

C B C . C A   N e w s   -   F u l l   S t o r y :

Regina police recover missing hard drive

Last Updated Tue Feb 4 18:53:26 2003

REGINA-- Regina police said Tuesday they have recovered a missing computer hard drive that contained sensitive personal information on more than one million people.

Police have scheduled a news conference for Wednesday, but did say there is no indication that the information contained on the drive was targeted, nor that it was used.

Charges are reported to be pending against one person.

The hard drive was reported missing by ISM Canada, a major information management and outsourcing company, on Jan. 16. Police treated the case as a theft and began investigating.

The disk contained up to 750,000 files on clients of Investors Group, Canada's biggest mutual fund company.

Investors Group said the data contained on the disk included clients' names and addresses, account numbers, portfolio holdings and beneficiaries. The company said the information could not be used to access clients' holdings.

The missing disk was also reported to contain files on 180,000 clients of the Co-operators Insurance Company, 10,000 customers of SaskPower, 60,000 Saskatchewan government employees and 56,000 Saskatchewan farmers.

A class-action lawsuit has already been launched in Saskatchewan against the companies and agencies that stored information the missing hard drive.

A Regina law firm, the Merchant Law Group, filed the suit on behalf of people whose personal information is contained on the hard drive.

The suit named the Government of Saskatchewan, ISM-Canada, the Co-operators Insurance Company and Investors Group as defendants in the case.

Written by CBC News Online staff

TOPICS: Business/Economy; Canada; Crime/Corruption; Culture/Society; Extended News
KEYWORDS: canada; privacy; security
Earlier story:

C B C . C A   N e w s   -   F u l l   S t o r y :

Investors Group says customer information on missing hard drive

Last Updated Mon Feb 3 18:30:07 2003

REGINA-- Information on hundreds of thousands of clients of Investors Group was on a computer hard drive that is presumed stolen last month from ISM Canada in Regina.

Up to 750,000 customer files may have been on the missing drive, the Globe and Mail reported Monday.

Investors Group, the biggest money management company in the country, said the data contained on the disk included clients' names and addresses, account numbers, portfolio holdings and beneficiaries.

Hoping to allay consumers' fears, the money manager said there is now way for anyone to use the missing data to access client accounts in any way. The missing information doesn't include personal information normally involved in the misuse of personal data, such as social insurance numbers, dates of birth, or banking information, Investors Group said.

"I understand the concern this may cause for our clients," Jeff Orr, Investors Group's president and chief executive officer, said in a release.

"The security of our clients' information is a top priority for Investors Group, and we take this incident very seriously," he said.

The report of the missing data is the latest involving lost information on hard drives missing from ISM Canada, a subsidiary of IBM Canada.

Data on about 180,000 customers of the Co-operators insurance company is also reported to be missing.

The disk drive may have also contained information on 410,000 customers of SaskPower. About 10,000 of those customers may have had bank account information, social insurance numbers, provincial health plan numbers and driver's licence numbers taken. The other 400,000 customers are thought to have only had their names, addresses and electrical consumption data taken.

The Saskatchewan government also said last week that files on 60,000 public servants and 56,000 farmers may have been on the missing disk.

A subsidiary of IBM Canada, ISM said it is cooperating with the Regina City Police, which is treating the incident as a theft.

"We deeply regret the disruption and concern that this incident has caused our client organizations and their customers and we are committed to working through this with them every step of the way," Dan McMurtry, the CEO of ISM Canada, said.

"We respect our customers' wishes that we keep their business with us confidential," McMurty said.

ISM indicated that a spokesperson for the Regina City Police has said there is no evidence to date that the material on the drive has been used illegally.

Written by CBC News Online staff

1 posted on 02/04/2003 11:44:52 PM PST by Timesink
[ Post Reply | Private Reply | View Replies]

Comment #2 Removed by Moderator

Newsworld's Nancy Wilson talks with Ontario's information and privacy commissioner, Ann Cavoukian.
(Runs 4:00)

Newsworld's Christopher Thomas talks with Jesse Hirsh, a computer security expert and president of Openflows Network.
(Runs 5:16)

Both in RealVideo format.

3 posted on 02/04/2003 11:48:17 PM PST by Timesink
[ Post Reply | Private Reply | To 1 | View Replies]

Data processing star faces tough privacy questions
ISM Canada deals with the fallout of missing disk with client details
Tuesday, February 4, 2003 – Print Edition, Page B7

The company at the centre of what experts say is Canada's biggest privacy disaster was once the country's shining information technology star, a firm that had built a thriving multimillion-dollar business providing data processing services for a blue-chip client list.

Its success in building a healthy services business was the big reason International Business Machines Corp. of Armonk, N.Y., acquired ISM Canada Inc. of Regina in 1995 for more than $140-million. At the time, IBM was beginning a long process of transforming itself from primarily a maker of computer hardware to a services and consulting firm.

But today, ISM, which employs about 315 people in Saskatchewan, faces its darkest hour and its parent, IBM Canada Ltd. of Markham, Ont., must deal with some embarrassing questions about its ability to protect sensitive customer information. On Jan. 16, during a routine upgrade of a computer in ISM's Regina facility, a computer hard drive went missing and police are investigating.

The disk contained detailed personal financial and health information for, it now appears, more than one million Canadians, including Saskatchewan government employees and customers of Investors Group Inc. of Winnipeg and Co-operators General Insurance Co. of Guelph, Ont.

"It's bad practice to put two financial institutions on the same disk," said Ira Winkler, chief security strategist for Hewlett-Packard Co. of Palo Alto, Calif., one of IBM's biggest competitors. "You should never co-mingle customer data on the same disk."

ISM has said it will not comment on the specifics of the security procedures it had in place for its customers.

Michael Power, an Ottawa-based lawyer for Gowling Lafleur Henderson LLP, said it was Canada's biggest privacy disaster.

"There's the potential for lawsuits here, including class-action lawsuits in a worst-case scenario and that's why I refer to it as the Exxon Valdez of privacy," Mr. Power said.

Indeed, late yesterday, a lawsuit was filed by a Regina law firm on behalf of those whose customer records the suit alleges were put at risk, naming ISM, Investors Group, Co-operators and others as defendants.

"This is an obligation they can't expect to avoid at a senior management level. They are assumed to have been aware of these issues and will face the consequences if they're not," said Mary Kirwan, a lawyer and senior director at Kasten Chase Applied Research Ltd. of Mississauga, a maker of computer security products and services. "This does expose management and directors to civil suits."

Mr. Power, who helped draft Canada's federal privacy legislation, agreed: "The obligation is on the Co-operators and other organizations that collect personal information to make sure that any third-party contractors that they use maintain adequate security procedures."

Almost all of Canada's largest financial services companies, including banks, credit unions, mutual fund companies and insurers use third-party firms such as IBM, HP, EDS Canada, CGI Group Inc. and others to perform a host of data processing tasks. All of those firms routinely handle sensitive personal and financial information on behalf of their financial services customers.

But industry sources say it's difficult to persuade chief executive officers, chief financial officers and other non-technical executives at those financial services companies to spend money on information security, because it's difficult to gauge the return on that investment.

In other words, there's no formula a CEO can point to in order to say to his or her shareholders that for every dollar invested in computer security, there will be a corresponding improvement to the company's overall profitability.

"Only with catastrophic events, you have the benefit of hindsight to say, 'We should have . . .," said Robert Everett, an Ottawa-based vice-president with EDS Canada, another of IBM's biggest competitors. "This stuff costs money. Encryption, for example, provides a significant burden on your [IT] infrastructure and puts significant challenges on the efficiencies of an IT environment. Your response times drag and business policies have to be wrapped around it."

Dan McMurtry, who was named president and chief executive officer of ISM early in 2001, declined to discuss the specific computer security measures in place for the Co-operators, Investors Group or any other ISM customer. He conceded, though, that as each customer contracts for different services, so each customer has different security requirements and agrees to pay for different levels of security.

"It's kind of like a level of insurance. What are you prepared to pay? As you evaluate the sensitivity and the nature and likelihood associated with encryption and all of those security measures do, I think, come down to a matter of cost," Mr. McMurtry said.

Ms. Kirwan, of Kasten Chase, said the incident should serve as a wake-up call for senior executives across Canada.

"Unfortunately, this is extremely commonplace. These issues are not brought up enough in terms of the value chain, in terms of things that have to be looked at. Companies you would expect to know better do not have information security policies in place; do not have people who are responsible for information; and there is a dissociation between senior management and security personnel," Ms. Kirwan said. "What we have to do is establish a culture of security in Corporate Canada."

David Akin is national business and technology correspondent for CTV News and a contributing writer to The Globe and Mail.

4 posted on 02/04/2003 11:50:56 PM PST by Timesink
[ Post Reply | Private Reply | To 3 | View Replies]

To: Timesink
Huh. Any chance the guys who stole that info did this one as well?

Phoenix - Pentagon Health Care Contractor Massive Military Medical Records Theft

5 posted on 02/04/2003 11:55:04 PM PST by csvset
[ Post Reply | Private Reply | To 2 | View Replies]

To: csvset
A good way to sell the info. Have some one steal it copy the hard drive.
6 posted on 02/05/2003 3:38:49 AM PST by riverrunner
[ Post Reply | Private Reply | To 5 | View Replies]

To: Timesink
This is nothing. We have a group right here in the good ole U.S.A. that has more information on it's own citizens than you can shake a stick at. And...they use that information routinely with other rogue groups within the government to "weed out" undesirables.

It's called the I.R.S.

7 posted on 02/05/2003 6:42:57 AM PST by unixfox (Close the borders, problem solved !)
[ Post Reply | Private Reply | To 1 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794 is powered by software copyright 2000-2008 John Robinson