Remember the breach reported a few weeks ago when a Freedom of Information request uncovered that a Canada Revenue Agency employee had been mining the database to identify high-wealth individuals that she might recruit as customers for her side business? The individuals whose data were accessed were never notified of the incident because the government decided that there was no risk of injury. Dave Kearns uses that breach story in the Vancouver Sun to make a few points:
1) Why weren’t controls in place to prevent, or at least raise a flag, when an agent accessed files randomly? Were they at least audited?
2) Why did it take four years for someone to realize that there were shady dealings going on?
3) How did CRA determine the “risk of injury”?
4) Why aren’t the affected parties notified whenever there’s a breach?
Indeed.
Read more on Network World.