Education Ministry security failings blamed for massive student data breach

B.C.'s Education Ministry failed to properly provide adequate security surrounding the personal information of 3.4 million students and teachers, an investigation by the province's privacy commissioner has found.

"Organizations have to demonstrate executive leadership and communicate to staff that information assets are important, just like financial assets," Deputy Privacy Commissioner Jay Fedorak told CBC News Thursday.

• B.C. education data breach after unencrypted hard drive lost

The investigation was prompted after the ministry announced the loss of a hard drive containing students' information, including their name, gender, date of birth and Personal Education Number (PEN).

It also disclosed if students were cancer survivors, children in care, special needs, had withdrawn from school, or were post-secondary students receiving financial assistance.

The information lost also included some students' addresses, type of schooling and grades.

In her report into the data breach that affected 3.4 million students and teachers across B.C. and Yukon, Elizabeth Denham states that several ministry workers contravened a series of security policy directives and protocols by transferring information from the ministry server onto mobile hard drives, one of which was then lost.

The fact that the data transferred was unencrypted, and no inventory or back up of the hard drives were made, compounded the breach, the report states.

Better training, leadership needed

"The failure of the employees involved in the creation of the hard drives to follow clear privacy and information security policies indicated that the training the employees received was not effective," the report states. "It illustrated the need for better training, executive leadership and compliance monitoring."

The report states that once the breach was discovered, the ministry did provide adequate response, conducting searches for the missing drive, notifying the media, and contacting vulnerable groups.

The commissioner made nine recommendations designed to strengthen the ministry's security around personal information.

Education Minister Mike Bernier released a statement apologizing for the breach and noting the government must do a better job ensuring public servants receive adequate and ongoing training.