Phoenix pay system to blame for twice breaching public servants' private data, says deputy minister

Public servants had their private information breached twicewhenOttawa launched its new computerised pay system, the government said Thursday.

The deputy minister of Public Works,Marie Lemay, confirmed the incidentsin an open letter to staff posted on the department's websiteThursday afternoon.

The statementcomes two days after CBC News first reported on privacy problems caused by 'Phoenix'.

"Our Departmental Oversight Branch thoroughly reviewed these situations and determined that they posed low risk to employee privacy," Lemay wrote."There was no evidence that employee personal information ever left the hands of federal employees or government contractors."

• PHOENIX FALLING |Government casuals working contract to contract with no job security, no pay
• Some Arctic federal workers not getting isolation pay thanks to Phoenix glitch

The implementation of Phoenixhas also been blamed for significantpay problems affectingmore than 80,000 federal government employees.

Lemay'sletter saidthe first breach took place between Marchand Julyof 2015.

Employee names, pay amounts, and 'Personal Record Identifiers', known as (PRI),were "inadvertently used by IBM to test the system during the development phase of Phoenix," the postsaid.

"This information was immediately deleted as soon as the issue was detected. In addition, the employee information consisted of scrambled data that would have required technical expertise and significant time to make it readable."

The incident was reported to the Privacy Commissioner, and was published in the 2015-2016 annual report on the Privacy Act.

2nd breach

The second data breach involved managers having access to information about all federal government employees, between February and April of 2016.

• Phoenix pay system mess affects 80,000, government officials say
• Quebec veteran owed more than $12K due to Phoenix pay fiasco
• Trudeaucalls Phoenix pay problem an 'unacceptable situation'

The letter says several managers from four departments had access to information about employees in other departments.

"Contrary to what has been reported in the media, this breach involved only the names andPRIs of employees. These access issues were addressed, and system fixes were put in place to prevent further problems. TheOPCwas also made aware of this situation."

Union not notified of breaches

The union representing 140,000 public servants says it was not notified about either of the security breaches.

Chris Aylward, national vice-president of the Public Service Alliance of Canada, saidhe's particularly worriedabout the first exposure of data during IBM's test of Phoenix.

"It's obvious they used live information and actual employee information...so that is a concern now that a third party basically had access," Aylward told CBC News.

Aylward is demanding the departmentbe more forthcoming about exactly what datawas shared, and how many employees had their personal detailsexposed.

Public Works Minster Judy Foote's office saidthe breach involving IBM was reported to the Privacy Commissioner and published in the 2015-2016 Privacy Act.

Aylwardinsists the union should have been notified, and that workers shouldn't have to read the Privacy Act to see if they've been involved in a breach.

"This is unacceptable, this is total bureaucratic politicalcrap in my mind," he said.

Calls for additional precautions

Although government employees and contractors are required to abide by a code of values and ethics, one cyber-security expert saysthere can be trouble tracking what happens to this kind of data after an exposure.

Mark Nunnikhoven, the vice-president of cloud research at the online security firm Trend Micro, also has concerns about the breach.

"They needed a sample data set to verify whether the system was working correctly. So that's a common practice where you take data that looks like it would be similar to the end result to see how the system will react."

But Nunnikhovenexplained that onlyfake data should be used for testing purposes.

"They should have taken additional precautions and they shouldn't be using that type of data set in a test."

He did add that Ottawa should follow its own security practices.

"The good thing about the government of Canada is that it has a very strong framework for managing information security ...what they need to make sure that the external contractor and everyone involved on the technical side of the system is following this through."