Student loan privacy breach sparks class-action lawsuit

Half a million borrowers' personal information on missing hard drive

“I regret to inform you that you have been affected by the incident,” says a representative of Human Resources and Skills Development.

It’s chilling language and the smooth jazz on the phone hold-line can’t gloss the fact my Social Insurance Number, address and loan amount could now be in someone else’s hands.

Canada Student Loans lost a portable hard drive with more than 583,000 loan borrowers’ unencrypted personal data. The situation is being investigated by the federal privacy commissioner and was brought to light during the investigation of another breach, a USB stick with 5,000 Canadians’ information.

Dianne Finley issues a departmental apology for the breach.
(Photo: Patrick Doyle, Canadian Press)

Sean Hooper, a University of Windsor graduate with information on the lost drive, told the Toronto Star he’s wary of governmental response.

“If this were a private industry handling personal information, there would be serious repercussions from all sides, including loss of business/clientele and government intervention,” he says.

For those affected who won’t take the breach sitting down, Newfoundland lawyer Bob Buckingham, who specializes in privacy law, brought a class action lawsuit against Canada Student Loans in federal court on Thursday, Jan. 17.

Buckingham says the gaffe is the “largest known privacy breach in Canadian history.”

He says he has been fielding requests in the thousands from borrowers wishing to join the lawsuit, and has quickly racked more than 2,700 followers on a Facebook page.

Buckingham and his supporters await government action.

Human Resources and Skills Development department minister Diane Finley expressed her disapointment with the breach in a statement on Jan. 11, saying her department was initiating “mandatory training on a new security policy to ensure that similar situations do not occur again.”

“As of now, no suspicious behaviour has been reported and your SIN number has been registered and will be monitored by the RCMP and the privacy commissioner,” says the representative for Finley’s department.

The data loss affects some half-a-million loan borrowers from 2000-2006. It’s a huge proportion of student borrowers, considering in 2003 there were 677,478 full-time post-secondary students, according to Statistics Canada. Borrowers who haven’t called the toll-free-number (1-866-885-1866), will be informed by a letter in the next week.

Simple security measures would have prevented the breach. Server storage is more secure than portable hard drives. You can’t easily steal a server, says John Bullock, the Information Security manager at Dalhousie University.

“The data centres’ housing servers are environmentally controlled and backed-up to help protect against loss or destruction.”

There hasn’t been an explanation for why such sensitive data wasn’t encrypted.

A portable hard drive is not a secure storage device for sensitive information. Wikipedia Creative Commons
A portable hard drive is not a secure storage device for sensitive information. (Photo: Wikipedia Creative Commons)

“Encryption is not difficult and the means to do so have been around for a long time,” says Bullock.

Affected students should check their credit report, says Bullock.

“Credit reporting agencies, such as Experian and TransUnion, have to give you at least one free credit report per year if you ask for it,” he says.

For now, concerned borrowers waiting on the investigation and legal action, can exercise a little prudence.

“Don’t give out more information than you need to,” Bullock advises. “Get in the habit of asking, ‘Why do you need that?’ We do need to provide ‘some’ information for services in life, but don’t let them over-reach.” 



2 thoughts on “Student loan privacy breach sparks class-action lawsuit

  1. We had 2 sons going through MUN at this time and we are concerned that our private information may be compromised.Please add our name to the investigation

  2. I want to be added into the investigation. Its not something to be taken lightly when your a single mom of 2 small children.

Comments are closed.