Here’s a breach from almost one year ago that I had missed until this follow-up report. Michael Franklin reports:
An investigator into a possible leak of personal information of nearly 200,000 Bow Valley students has found that the institution had indeed failed to protect that information.
However, it also says that the school took reasonable steps to protect it and prevent a recurrence once the leak was discovered.
On September 19, 2012, an individual notified the Information and Privacy Commissioner about the purchase of a used computer server.
The server was one of 21 decommissioned servers that were scheduled to be picked up by the Electronic Recycling Association (ERA).
It contained personal information of approximately 183,900 students and 3,500 staff.
According to the OIPC report, in the course of its investigation, Bow Valley College (BVC) found that:
personal information of approximately 183,900 students and 3,500 employees over a nineteen year period (from 1991 to 2010) was on the purchased server. The personal information varied by individual, and included: names, email addresses, home addresses, phone number(s), DOB, SIN, BVC ID numbers, Alberta Education Student numbers, credit card numbers with expiry dates, salary, etc.
Although BVC originally stated that “The decommissioned computer server had been sent by the College to an electronic recycler contracted to wipe the server of all data prior to them disposing of it,” investigation by the OIPC reported:
ERA confirmed that BVC requested a pick-up service and ERA picked up the decommissioned servers on May 1, 2012. ERA said BVC did not request data wiping services, or tell ERA that there was data on the equipment. ERA’s May 1, 2012 invoice to BVC is for pick-up charges only, and does not include any charges for data wiping. (emphasis added by DataBreaches.net)
ERA said it does have formal written agreements with clients to provide data wiping and other specified services. ERA provided this Office with a copy of its template for its “Service Agreement”. However, ERA also said that they have no formal agreements in place with BVC, “and we have never guaranteed any services to them, in writing or otherwise…”
The College’s original breach disclosure from October 2012 can be found on their site, here. Media coverage at that time can be found in the Calgary Herald. The Alberta OIPC investigative report can be found here.