A federal agency has lost a portable hard drive containing personal information about more than half a million people who took out student loans.
Human Resources and Skills Development Canada said Friday the device contained data on 583,000 Canada Student Loans Program borrowers from 2000 to 2006.
The missing files include student names, social insurance numbers, dates of birth, contact information and loan balances of borrowers, as well as the personal contact information of 250 department employees.
Borrowers from Quebec, Nunavut and the Northwest Territories during this time period are not affected.
No banking or medical information was on the portable device.
Human Resources Minister Diane Finley said she has called on the RCMP to assist with the incident, “given its serious nature.”
“I want all Canadians to know that I have expressed my disappointment to departmental officials at this unacceptable and avoidable incident in handling Canadians’ personal information,” she said in a statement.
In addition, the office of the federal privacy commissioner announced Friday it would investigate.
The department is sending letters to affected people, for whom it has current contact information, to advise them on how to protect their personal information.
A toll-free number has been set-up at 1-866-885-1866 (or 1-416-572-1113 for those outside of North America) for individuals to determine if they are affected.
“It’s definitely unfortunate,” said Adam Awad, national chairman of the Canadian Federation of Students, which received a briefing on the loss.
“It highlights how easy it is for information in today’s age to be misplaced, to be misappropriated, to be stolen — if that’s what the case was.”
The group is “very appreciative” of the steps taken to deal with the breach, he added.
The federation was assured that federal officials who deal with social insurance numbers have been put on alert to watch for activity concerning the numbers of those whose files have been lost, Mr. Awad said.
The loss of the hard drive from an office in Gatineau, Que., came to light as the department looked into another breach — a missing USB key containing the personal information of more than 5,000 Canadians.
The privacy commissioner’s office has already begun a probe of that incident, which was publicized last month.
Human Resources says that while there is no evidence any of the information in the latest breach has been used for fraudulent purposes, an extensive search for the hard drive continues.
In her statement, Ms. Finley said she had directed officials to take immediate action to ensure “that such an unnecessary situation” does not happen again.
She has requested that departmental employees across Canada receive information about “the seriousness of these recent incidents” and that they participate in mandatory training on a new security policy.
The new policy immediately bans portable hard drives within the department. In addition, unapproved USB keys are not to be connected to the computer network.
All portable security devices will be assessed for the risk they pose, to ensure that appropriate safeguards are in place.
New data-loss prevention technology — which can control or prevent the transfer of sensitive information — will also be introduced.
Finally, staff will be subject to disciplinary measures, including possible firing, should privacy and security codes not be followed.
Alyson Queen, a spokeswoman for the minister, said the Mounties were contacted Monday. “They will determine what further steps are required.”Report Typo/Error