Student loan privacy breach sparks class-action lawsuit
Half a million borrowers' personal information on missing hard drive
January 19, 2013, 4:55 PM AST
Last updated February 3, 2013, 10:18 PM AST
“I regret to inform you that you have been affected by the incident,” says a representative of Human Resources and Skills Development.
It’s chilling language and the smooth jazz on the phone hold-line can’t gloss the fact my Social Insurance Number, address and loan amount could now be in someone else’s hands.
Canada Student Loans lost a portable hard drive with more than 583,000 loan borrowers’ unencrypted personal data. The situation is being investigated by the federal privacy commissioner and was brought to light during the investigation of another breach, a USB stick with 5,000 Canadians’ information.
Sean Hooper, a University of Windsor graduate with information on the lost drive, told the Toronto Star he’s wary of governmental response.
“If this were a private industry handling personal information, there would be serious repercussions from all sides, including loss of business/clientele and government intervention,” he says.
For those affected who won’t take the breach sitting down, Newfoundland lawyer Bob Buckingham, who specializes in privacy law, brought a class action lawsuit against Canada Student Loans in federal court on Thursday, Jan. 17.
Buckingham says the gaffe is the “largest known privacy breach in Canadian history.”
He says he has been fielding requests in the thousands from borrowers wishing to join the lawsuit, and has quickly racked more than 2,700 followers on a Facebook page.
Buckingham and his supporters await government action.
Human Resources and Skills Development department minister Diane Finley expressed her disapointment with the breach in a statement on Jan. 11, saying her department was initiating “mandatory training on a new security policy to ensure that similar situations do not occur again.”
“As of now, no suspicious behaviour has been reported and your SIN number has been registered and will be monitored by the RCMP and the privacy commissioner,” says the representative for Finley’s department.
The data loss affects some half-a-million loan borrowers from 2000-2006. It’s a huge proportion of student borrowers, considering in 2003 there were 677,478 full-time post-secondary students, according to Statistics Canada. Borrowers who haven’t called the toll-free-number (1-866-885-1866), will be informed by a letter in the next week.
Simple security measures would have prevented the breach. Server storage is more secure than portable hard drives. You can’t easily steal a server, says John Bullock, the Information Security manager at Dalhousie University.
“The data centres’ housing servers are environmentally controlled and backed-up to help protect against loss or destruction.”
There hasn’t been an explanation for why such sensitive data wasn’t encrypted.
“Encryption is not difficult and the means to do so have been around for a long time,” says Bullock.
Affected students should check their credit report, says Bullock.
“Credit reporting agencies, such as Experian and TransUnion, have to give you at least one free credit report per year if you ask for it,” he says.
For now, concerned borrowers waiting on the investigation and legal action, can exercise a little prudence.
“Don’t give out more information than you need to,” Bullock advises. “Get in the habit of asking, ‘Why do you need that?’ We do need to provide ‘some’ information for services in life, but don’t let them over-reach.”