Jim Flaherty defends FINTRAC over data breach of casino dealings
February 26th, 2013 - 8:13pm
By Jordan Press, Postmedia News
OTTAWA—Finance Minister Jim Flaherty defended the federal agency charged with stemming the flow of funds to terrorists and organized crime on Tuesday over a data loss that occurred late last year, saying the agency “hardly kept things secret” after information on Canadians was stolen out of a locked car.
It was the first time Flaherty had publicly talked about the data breach at the Financial Transaction Reports Analysis Centre, also known as FINTRAC. Flaherty had been prepared to talk publicly in November about the data loss, which potentially exposed the personal information of 777 Canadians, including how much they won and lost at two Alberta casinos.
In early November, Flaherty was given a question period note with background information and talking points in case he was asked about the data breach.
He was not.
On Tuesday, he read his question period notes after questions from the NDP regarding the breach, with accusations the government was trying to keep it a secret.
“Some months ago, FINTRAC took corrective steps to ensure this never happens again, including changes to the way it stores and transports information,” Flaherty said.
“FINTRAC did take action immediately when this occurred, which I believe was in November. It hardly kept things secret. It called the local police. It called the Privacy Commission. As I have already said, it contacted all of the affected businesses and individuals.”
In October, a locked briefcase containing an encrypted laptop and hard copies of two FINTRAC compliance reports was stolen out of the locked trunk of a rental car in broad daylight after a FINTRAC employee had left the vehicle in a Calgary parking lot, according to the November question period card obtained by Postmedia News. Also in the briefcase was a USB memory stick that wasn’t encrypted, a violation of government guidelines for securing and handling information.
Inside the locked briefcase was information on how two casinos and a “dealer in precious metals and stones” reported transactions to FINTRAC and how they kept client information, in accordance with federal laws combating money laundering and terrorist financing. There was no credit card or bank account information stolen, but other personal data on Canadians were on the pages of the reports that went missing, including “reference numbers of government issued identification” used to identify casino patrons and the amount they “spent or received” at the casinos.
In all, there was information on about 480 people on the laptop, and 290 more on the USB key or in the reports. All 777 affected individuals have been notified of the breach through registered letters.
A FINTRAC spokesman said Friday that the agency believes no one besides the employee could access the encrypted laptop, and would only say that appropriate actions have been taken against the employee involved in the breach.
The theft of information was a first for the agency, which has detailed privacy regulations built into the legislation guiding its operations.
“Protecting the private information of Canadians should be a priority but the Conservatives have repeatedly bungled these breaches. They have lost hard drives, lost USB keys and exposed the private information of thousands of people,” said NDP MP Murray Rankin.
The data breach at FINTRAC was one of three known to have taken place late last year inside the federal government, with two breaches taking place at Human Resources and Skills Development Canada (HRSDC). In one case, a lawyer working on the appeals of more than 5,000 disability pension applicants lost a USB flash drive on Nov. 16. The lawyer was on loan from Justice Canada, which is now under investigation by the privacy commissioner for the loss of the unprotected drive containing the personal information of the applicants, including social insurance numbers and medical information.
In the second case, HRSDC lost an external hard drive containing the personal information of about 583,000 Canada Student Loan borrowers. The drive was missing on Nov. 5, but was last accounted for in late August. The drive was neither encrypted nor password protected, and contained social insurance numbers.
Neither device has been found.
Questions to HRSDC about the status of the search for the devices were not answered Tuesday. The department also wouldn’t comment on what has happened to the employees involved in both data losses.
“The department is conducting an ongoing internal investigation on this matter. The department cannot comment on this matter,” a spokesman wrote in an email.