Canada's federal human resources department announced Monday (Jan. 14) that an unencrypted portable hard drive had been lost.
It contained the names, birth dates, contact information and Social Insurance Numbers (SINs) of 538,000 borrowers from a student-loan program — a bonanza for an identity thief.
The breach, which occurred in Gatineau, Quebec, also affected 250 government employees and, as Sophos' Naked Security blog pointed out, ironically affects residents of all Canadian provinces except Quebec.
The Social Insurance Numbers, which are similar to Social Security numbers in the United States, belong to Canadians who borrowed money from Human Resources and Skills Development Canada between 2000 and 2006.
"I have requested that HRSDC employees across Canada receive comprehensive communications on the seriousness of these recent incidents and that they participate in mandatory training on a new security policy to ensure that similar situations do not occur again," Diane Finley, the minister in charge, said in a statement.
"Further, I have instructed that the new policy contain disciplinary measures that will be implemented for staff, up to and including termination, should the strict codes of privacy and security not be followed."
Monday also brought news of another data breach in Victoria, British Columbia, in which 5 million provincial health records were accessed by medical researchers without authorization.
"We don't believe there is a great risk to individuals with this information, because there is no evidence at all that the information has been used for anything other than health research," British Columbia Health Minister Margaret MacDiarmid said. "I take this very seriously, but I do feel that I can be reassuring."
MacDiarmid said the data was mishandled on three separate occasions between October 2010 and June 2012.
In the most serious instance, the names, birth dates, personal health numbers and postal codes of more than 38,000 went missing on an unencrypted USB drive.
The lost information did not contain Social Insurance Numbers or financial information. The Canadian Press reported that seven people had already been fired, sparking a wrongful-dismissal lawsuit.
In neither instance were standard encryption practices followed.