Stolen N.W.T. laptop was among dozens that were unencrypted, and handed out to unsuspecting staff - Action News


A set of Lenovo Helix laptops were 'very difficult' to encrypt, but were handed out anyway to about 20 to 40 N.W.T. government employees, according to internal documents obtained by CBC News.

Qualifications of some IT staff and managers are questionable, according to source

A woman types on her laptop in a file photo from December 2016. The N.W.T. government's Technology Service Centre didn't encrypt a set of laptops back in 2013 and handed them out to government employees to use, according to internal documents obtained by CBC News. (Wilfredo Lee/Associated Press)

This is the final story on the stolen laptop files. Here's Part 1 and Part 2.

The N.W.T. government's information technology division knew a set of laptops were "very difficult" to encrypt, but still handed them out for government staff to use in 2013, suggest internal documents obtained by CBC News.

One of those unencrypted laptops, which potentially contained health data on nearly the entire territory's population, was eventually stolen, according to the territorial government.

This information is contained in more than 350 pages of internal Department of Health and Social Services emails and documents discussing the stolen laptop health privacy breach, which CBC News obtained through the Access to Information Act.

Last May, the unencrypted laptop belonging to an employee with the Health Department was stolen from a minivan in a parking garage in ByWard Market in downtown Ottawa.

This particular device was very difficult to encrypt, so it was issued without encryption. - N.W.T.'s chief health privacy officer, in an internal email

It's estimated the laptop had data on about 40,000 people from every province and territory in Canada, and likely had residents' sensitive health information about sexually transmitted infections and tuberculosis prognoses, among other diseases.

The laptop, which was used for statistical analysis, has not been found.

The laptop, a Lenovo Helix tablet and laptop hybrid, was one of about 20 to 40 purchased by the N.W.T. government in 2013 "at senior management request," according to the documents.

Emails describe the Helix laptops as "very old equipment."

"Although this unit was quite old and is no longer available to [government] staff, there may be as many as 20 still in circulation," an internal email states from last June, after the theft.

"This creates a privacy risk for the [government] and any data held on those devices."

All laptops issued by the government's Technology Service Centre (TSC), run under the Department of Infrastructure, are supposed to be encrypted, according to government officials.

Laptops 'very difficult' to encrypt

In the immediate aftermath of the theft, the Health Department "received a blanket statement" from the technology centre that all laptops are encrypted, according to internal emails.

[I] was not informed at any stage that they were not encrypted. - Health department employee whose government-issued laptop was stolen

But a further internal probe found that the government's Helix laptops were, in fact, not encrypted and were handed out to staff without protections.

"We were initially told that all TSC-issued laptops and computers have full encryption," wrote the chief health privacy officer in an internal email.

"Subsequently, I have learned that TSC informed the individual (after the theft) that this particular device was very difficult to encrypt, so it was issued without encryption."

A file photo of Ottawa's ByWard Market. On May 9, 2018, someone broke into a rented Dodge Grand Caravan parked in the heart of Ottawa's downtown and stole an N.W.T. government device that potentially contained health data on the majority of the territory's population. (CBC)

The Helix laptops, which had a Windows 8 operating system, appear to have been incompatible with the government's encryption software at the time, according to an internal email from the employee responsible for the stolen laptop.

She also said she had no idea the laptop was unencrypted.

"The encryption software available within the [government] was not compatible with those tablets and the tablets were not encrypted," wrote the employee in an internal email.

"This was not communicated to the 20 or 40 individuals who received them.

"[I] was not informed at any stage that they were not encrypted."

If we hired health-care professionals here the same way we hire IT people, anyone who can sew something can be a surgeon. - Current IT employee for the N.W.T. government

Additionally, the TSC has a process where it replaces government laptops every three to four years to ensure devices have the latest technology, according to its director.

But the health department employee's stolen laptop, purchased in 2013, was not registered with the TSC's system, according to internal documents.

This means the stolen laptop was not flagged to the tech centre for replacing in 2017, the year before the theft.

IT staff unqualified, says source

According to an N.W.T. government employee who currently works in information technology, some staff and managers within the government's IT division are unqualified to do their jobs. They said in some instances, staff don't have IT degrees like computer science, but are sometimes transferred into their jobs through questionable internal hiring processes.

Difficult means you can still do it. - Current IT employee for the N.W.T. government

CBC News has agreed to withhold the identity of the IT employee, as they feel speaking out would put their job at risk.

"If we hired health-care professionals here the same way we hire IT people, anyone who can sew something can be a surgeon," said the IT employee.

An IT employee with the N.W.T. government says there's a correlation between IT staff's lack of qualifications and the unencrypted Helix laptops. (Chantal Dubuc/CBC)

The IT employee expressed disbelief about the emails suggesting the laptops were "very difficult" to encrypt.

"I don't believe it. I can't," they said. "Difficult means you can still do it."

The IT employee added that qualification matters, especially when IT staff are dealing with practices like encryption of laptops.

"They could have [found] some alternate ways [for] encryption," the IT employee said. "There's so many software out there you can virtually encrypt anything."

Joe Mayer is the vice-president of Toronto-based Identos, a mobile security firm. (Submitted by Joe Mayer)

Joe Mayer, vice-president of Toronto-based company Identos, says encryption should be elementary for IT staff.

"This is sort of basic stuff," said Mayer, whose company specializes in encryption of mobile devices.

"These things just shouldn't be missed. And I think people usually get held accountable if this is the case."

Mayer said if tech staff knew the Lenovo Helix was difficult to encrypt, it should have been removed from government use immediately.

'High confidence' in IT staff

Last summer, the Health Department said that the encryption process either failed, missed or "was not detected" by the TSC in the case of the stolen laptop.

At the time the Helix tablet-laptop hybrids were purchased in 2013, the centre was not familiar with encrypting tablets, according to Laurie Gault, director of the government's TSC.

"We had not previously worked on tablets," said Gault. "We had not tried [encryption] on these before."

A file photo of a Lenovo Yoga tablet released in 2013, the same year the company released the Helix laptop. The N.W.T.'s Technology Service Centre purchased the Helix tablet-laptop hybrids the same year. (Anand Ram/CBC)

Gault said the tech centre later introduced specific encryption software for tablets between 2014 and 2015.

There were one or two individuals involved in encrypting the Helix devices at that time, and they have "since left my department," said Gault.

When asked why the unencrypted laptops were handed out by her staff, she said "there was some urgent need for these."

She added that her staff tested the laptops and that the Technology Service Centre realized "after the fact" that the Helix laptops were unencrypted.

When asked if all IT staff and managers are qualified for their jobs, Gault deferred to Human Resources and said she has "high confidence" in her staff.

The Health Department said in an email response that ever since the theft, the Technology Service Centre reviewed all Health Department laptops to ensure they were encrypted.

The department added that the stolen laptop had a strong password.

Do you have any story ideas or tips? Contact priscilla.hwang@cbc.ca

With files from Alyssa Mosher