USB stick sold in Yukon pawn shop had personal data from Health ministry

Share post:

As Cybersecurity Awareness Month draws to a close, a data breach in Yukon is a reminder there’s a long way to go to make sure employees are cyber-aware in everything they do.

A Whitehorse man who bought a USB stick at a pawn shop plugged it into a computer and found the drive contained confidential case files from the Health and Social Services department of the territory’s government.

The data include confidential case files from the family and children’s services branch, including case assessments, reports, budgets, and personal contact information.

This week, Health Minister Tracy-Anne McPhee said the files were removed from the Health and Social Services system by a former employee, who had “abandoned” their belongings in a storage unit, the contents of which ended up being sold to a local pawn shop. She said the former employee was not authorized to take the information. Between 30 and 60 people were affected, she said.

It’s not uncommon for employees to copy sensitive corporate data to a removable drive, Theo Zafirakos, CISO of Terranova Security, a Laval, Que.-based security awareness training firm, said in an interview. Often employees do it so they can work from home or remotely.  “For it to be lost and found by somebody else, it happens, but we don’t hear about it as often,” he said, “perhaps because it may not be announced publicly.”

One of the most infamous incidents, he added, happened in the U.K. in 2017 when a USB stick found on a London street held security details for Heathrow International Airport— including security measures and travel details for Queen Elizabeth.

“We tend to blame technology,” Zafirakos said, “but it’s not technology, but how we use it that is often the trouble.” Staff must be told they can’t copy data onto removable drives, or if they have to, then the data must be encrypted or password-protected.

Some IT departments block the ports of desktop computers with hardware or software so USB devices can’t be plugged in. However, Zafirakos noted staff can get around that by emailing files to a personal email account.

Another solution is the implementation of data loss prevention software, which inventories sensitive data and then detects how it is being used, including if it is being emailed or copied.

It isn’t clear when the data was copied to the USB stick. According to a news report, the Health ministry made changes to its case management system that were fully implemented last November.

“If anybody wants to access that [information], they must access through a secure portal with a password and an identifier,” a department spokesperson told the CBC. Information cannot be seen or removed from those systems without going through that process.

“It could happen to anyone,” Zafirakos said. “It doesn’t mean one organization is less secure than another just because it happened to them. They were lucky … that the data did not fall into the wrong hands.”

The post USB stick sold in Yukon pawn shop had personal data from Health ministry first appeared on IT World Canada.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Cyber Security Today, June 21, 2024 – US to ban Kaspersky for businesses, consumers

U.S. to ban the sale of Kaspersky products to consumers and businesses. Welcome to Cyber Security Today. It's Friday...

Biden administration to ban US sales of Kaspersky software over ties to Russia

The Biden administration is set to announce a ban on the sale of Kaspersky Lab's antivirus software in...

Security bug may allow anyone to spoof Microsoft employee emails

A security researcher claims to have discovered a bug that enables anyone to impersonate Microsoft corporate email accounts,...

Cyber Security Today, June 19, 2024 – How an attacker hid on an IT network for three years

How an attacker hid on an IT network for three years Welcome to Cyber Security Today. It's Wednesday June...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways