
Record high number of federal data breaches, says Canada's privacy commissioner

The federal government suffered a record-high 256 data breaches during the 12-month period ending March 31, highly-covered theft of data from Canada Revenue Agency in 2014 by a person who leveraged the Heartbleed vulnerability to steal 900 social insurance numbers. Stephen Arthuro Solis-Reyes has been charged;

– During the reporting period the CRA realized that in 2012 and 2013 two of its employees improperly accessed almost 340 tax accounts. Staff were disciplined in an unspecified way, according to the report. CRA is strengthening its audit trail process.

The report includes an audit that found that gaps in the federal government's management of portable storage devices, such as memory sticks, are potentially putting the personal information of Canadians at risk. While Ottawa has policies, processes and controls related to portable storage devices, there is significant room for improvement in order to reduce the risk of privacy breaches, the report says.

The audit, which included a detailed examination of 17 institutions, identified a number of concerns, including:

  • More than two-thirds (70 per cent) of the institutions had not formally assessed the risks surrounding the use of all types of portable storage devices.
  • More than 90 per cent did not track all portable storage devices throughout their lifecycle.
  • More than 85 per cent did not retain records verifying the secure destruction of data retained on surplus or defective portable storage devices.
  • One-quarter did not enforce the use of encrypted USB storage devices.
  • Two-thirds did not have technical controls in place to prevent the connection of unauthorized portable storage devices (for example, privately owned devices) on their networks, and more than half (55 per cent) had not assessed the risk to personal information resulting from the absence of such controls.

There were also weaknesses in the security settings to protect data held on smart phones at some of the audited entities. These included, for example, a lack of encryption, strong password controls, or controls to prevent users from installing unauthorized applications.

The audited institutions have accepted all recommendations made in the audit, the commissioner's office said.

