Ottawa police and the federal Office of the Privacy Commissioner are investigating a significant data breach in the federal government after a device was stolen from Public Services and Procurement Canada.
All 227 employees affected are at Infrastructure Canada, but they weren’t notified until more than two weeks after the breach.
The device in question was stolen on Aug. 20, but affected but employees were only informed on Sept. 7.
In an e-mail sent late in the day on Sept, 7, PSPC’s Deputy Minister Marie Lemay said “no banking or social insurance information was affected. However, your name, person record identifier (PRI), date of birth, home address and salary range may have been on the stolen device.”
PSPC is Infrastructure Canada’s service provider for pay, pension and benefits.
Lemay’s e-mail states there is no reason to believe any information has been used for illegal purposes, but Ottawa police have been made aware of the incident.
According to the department, an employee filed a police report on Aug. 20 after the device in question was stolen. A supervisor was informed the following day.
Asked if the stolen information was encrypted, Pierre-Alain Bujold, a spokesperson for the department told Global News: “PSPC does not permit the use of unencrypted storage devices. An internal investigation is underway to examine why and how this happened and identify measures to ensure this does not happen again.”
While Ottawa police won’t confirm that an investigation has been launched until charges are laid, the Office of the Privacy Commissioner of Canada is looking into it.
“We can confirm that our office received a report about this breach from Public Service and Procurement Canada and we are analyzing the report,” said Corey Laroque, a spokesperson for the privacy commissioner.