Elections Ontario is warning up to 2.4 million Ontarians could have their personal information released due to a recent security breach.
At Elections Canada’s Birchmount Road warehouse, two USB keys with voters’ names, home addresses, dates of birth and gender went missing, said media relations officer Sophie Auclair.
“They were left unsecured,” Auclair said.
When the two Elections Ontario employees returned the next day, the USB keys were gone. The two employees are no longer with the agency.
While Elections Ontario has alerted residents of 49 ridings, including Davenport, Don Valley East, Don Valley West, Etobicoke Centre, Etobicoke-Lakeshore, Toronto Centre and York Centre, only information from 20–25 have been compromised. However, it’s unknown which districts are affected.
The security breach has prompted a full internal review of the agency’s security policies, an OPP investigation and a review by Ontario’s Information and Privacy Commissioner, Ann Cavoukian.
“I am deeply disturbed that a breach of this extent, the largest in Ontario history, involving millions of individuals, could happen at Elections Ontario — the agency charged with protecting the integrity of our electoral process,” Cavoukian said in a release to the media.
The release also says the commissioner has repeatedly warned against storing sensitive information on mobile devices.
Elections Ontario policy states any data with personal information on a mobile device must be password-protected and encrypted. In this instance, that was not the case.
In a media release, the Chief Electoral Officer of Ontario, Greg Essensa, attempted to dispel fears of personal information being accessed.
“There is no evidence that copies of personal information on two USB keys have been improperly accessed,” he said. “And the data itself can only be accessed in an intelligible form using internal Elections Ontario proprietary software or specialized commercial software applications.”
He also pointed out the USB keys did not contain how people voted or their social insurance numbers, credit card information or any other personal information apart from names, home addresses, dates of birth, gender and if they voted in the last election.
But Queen’s University computer engineering professor, Thomas Dean, says fraudsters can still do a lot with limited information.
“There’s sort of some limits, but there’s a lot people can do with this information if they want to try and pursue it further,” he said.
For example, fraudsters could use one’s home address and full name to try and get someone’s bank account number.
“There’s a variety of ways,” Dean said. “They might call you and pretend to be some organization which you may or may not have business with (to get additional information).”
Elections Ontario is suggesting residents in affected districts monitor all transactions for any suspicious activity.
Elections Ontario’s chief electoral officer is expected to give a detailed report to the Ontario legislature by the end of the year.