University says sorry to theft victims
Jan 12 2012
The Administrative Services Building at the University of Victoria. Thieves broke in and stole a storage device that contained employee names, payroll information and social insurance numbers. Photograph by: Adrian Lam, timescolonist.com
The University of Victoria issued an apology Wednesday for a security breach in which the unencrypted personal information of nearly 12,000 current and former employees was stolen from an administration building last weekend.
Speaking publicly for the first time since the incident, president David Turpin announced that an outside agency will review how thieves were able to obtain the names, payroll information and social insurance numbers of UVic employees dating back to Jan. 1, 2010.
"I want to apologize on behalf of the university and on behalf of myself personally to the over 11,000 people that have been affected by this breach," Turpin said in a telephone interview.
"It's caused great inconvenience and frustration and I want to acknowledge that."
Turpin said the stolen data were backup information so that people could be paid in the case of a catastrophic event such as an earthquake.
"It was in a locked box within a locked safe, which was bolted to the floor, in a locked room in a locked building," he said.
The material was stolen along with laptops, handheld electronics, cheques and a small amount of cash. An employee discovered the theft Sunday afternoon, but Saanich police have said it does not appear that thieves targeted the employees' personal information.
B.C.'s Office of the Information and Privacy Commissioner has also launched an investigation to determine whether the university contravened any standards by keeping unencrypted personal information on a mobile device.
Privacy commissioner Elizabeth Denham said this week that in similar situations she has ordered the encryption of sensitive material stored on mobile devices.
Turpin said the university will develop the terms of reference for its external review in co-operation with the privacy commissioner's office.
"When we have a breach of this sort, it's important that we understand what happened and what we could have done better," he said.
The university has yet to select the person or agency to conduct the review, and Turpin was unable to say how soon that would happen.
"We'll wait until we've got the full terms of reference before we make a selection."
The review's findings will be provided to the privacy commissioner, and part of the final report will be released to the public.
"There are going to be some recommendations that we're not going to be able to share," Turpin said.
"You do not want to outline how you are protecting information and what sort of security things you're putting in place. But there will be important parts of this report that will be made available."
In a letter to employees Wednesday, Turpin said the university has hired security experts from Deloitte and Touche LLP to provide advice.
The university notified employees of the breach Monday and advised them to contact their banks and credit agencies.
The Professional Employees Association, which represents UVic's administrative and academic professionals, welcomed Turpin's apology. But executive director Scott McCannell said the association continues to question how the incident could have happened in the first place.
"Certainly some of our members with expertise in related fields have indicated that data encryption is something that is commonplace," he said.
"So it's definitely a significant issue. I think an apology is useful, but again for our members, they're obviously very, very concerned."
McCannell said the association will insist that the university cover any expenses that employees incur now or down the road as a result of the breach.
"We also expect to share in the findings of the Office of the Privacy Commissioner as well as any internal investigations," he said.