Identity Theft & security flaw!! ” how safe is your information ? hard drive containing 583,000 student loan records is lost”

Posted on January 21, 2013


After Canada Student Loans admitted to losing a portable hard drive containing the private information of 583,000 Canadians, at least two law firms have begun class action proceedings – is your information in your hands or is it compromised? when it comes to the Internet in digital information age….unprotected device.

Hard drive containing 583,000 student loan records missing

The RCMP are looking into how a hard drive containing the personal information of 583,000 student loan borrowers, including social insurance numbers, went missing from a Gatineau, Que., office in November last year and students were compromised.

Canadian law firms is the latest to launch a multi-million-dollar, class-action lawsuit on behalf of nearly 583,000 individuals,  whose personal data was lost by Human Resources Toronto Canada

Strosberg Sutts, Strosberg LLP in Windsor, Ont., along with Branch Macmaster LLP of Vancouver and Falconer Charney LLP of Toronto have jointly opened the case and similar  suits have been launched in Newfoundland, Ottawa and Calgary.

Last November 2012 , a portable hard drive vanished from Human Resources Canada. It contained personal information about 583,000 people who received Canada Student Loans between 2000 and 2006.

Names, birthdates, loan balances and social insurance numbers went missing. Personal contact information for 250 HRSDC employees is also missing.

The government said no banking or medical information was on the hard drive.

“Borrowers may be entitled to compensation for the breach of their privacy, damages for identity theft and/or damages to their credit reputation, damages for the costs incurred to prevent identity theft, damages for the time spent changing your personal information such as your Social Insurance Number, damages for emotional distress/inconvenience, and/or compensation for out of pocket expenses,” reads a message on Branch Macmaster’s website. “Punitive damages will also be claimed because the Government failed to disclose the breach of privacy for two months.”

The data went missing on Nov. 5, 2012, but the public wasn’t notified about the incident until Jan. 11 of this year.

  • More than 40,000 students who went to the University of Windsor alone took loans between 2000 and 2006, the years affected by the lost information. At St. Clair College, also in Windsor, at least 10,000 students took out OSAP loans during that time.

One of the  student from Windsor had concerns and worries about identity theft.

Bob Buckingham a lawyer,  filed a statement of claim Jan. 17 on behalf of all the affected Canadians.

Buckingham said a lawsuit would push the government to cover credit protection safeguards for the affected Canadians and compensate them for the stress and fear of those involved.

A spokeswoman for Human Resources and Skills Development Canada said people can ask the government to request a free credit report from a credit bureau be mailed to them, and can also ask that their social insurance number be flagged in the event unusual activity is noted. Neither of these options will provide real-time credit updates, however.

Canada’s assistant privacy commissioner, Chantal Bernier, said the loss of so much personal data is “unprecedented,” adding that her office is investigating the incident.

“This is one of the biggest breaches we’ve ever seen,” Bernier told CBC News.


Dawson College Student Expelled After Bringing Web Vulnerability to School’s Attention – After two computer science students found an exploit in the Omnivox Web Portal, they brought it to the attention of the authorities. However, a few days later, one of the students ran the Acutenix Web exploit testing kit to test the portal, an act the developer considered a cyber attack. The school determined he violated codes of professionalism, and was  expelled.

The College computer science student “who actually got expelled” just because he discovered a problem and he was accused for a security breach.

He  has been offered a scholarship by the company behind the software.

20-year-old Ahmed Al-Khabaz was working on a mobile app to allow students easier access to their college account, but in the process he and a colleague discovered what they describe as “sloppy coding” which would allow easy access to personal information listed on the system. Al-Khabaz said the flaw would make it possible for anyone with basic knowledge of computers to gain access to social insurance numbers, phone numbers, home addresses and even class schedules.

“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” said Al-Khabaz. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”

The college tech director praised Al-Khabaz and his colleague Ovidiu Mija for their work and promised that he would work with Skytech, the makers of the system, to address the flaws. However, two days later Al-Khabaz ran another security check to make sure the problems were corrected and a few minutes later he got a call from Edouard Teza, the president of Skytech.

Teza told Al-Khabaz that what he was doing was tantamount to a cyber attack and then went on to threaten him with criminal charges and arrest.

“I apologised, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement,” said Al-Khabaz.

In the end, Al-Khabaz was expelled and the NDA prevents him from discussing confidential information he found on Skytech servers, or any information relating to Skytech, under pain of further legal consequences.

Taza told the National Post that he did contact Al-Khabaz and that he “mentioned” police and legal consequences, but did not make any threats, as if “mentioning” legal action and involving the police is not a threat.

“We will offer him a scholarship so he can finish his diploma in the private sector,” said Edouard Taza, the president of Skytech.

‘Dawson College should be thankful for his talent and foresight. They must immediately reinstate Hamed, refund the debt he has incurred as a result of his unjust expulsion and offer him a public apology.’—Morgan Crockett, The Dawson Student Union’s director of internal affairs and advocacy

Taza said he also reached out to Hamed Al-Khabaz, 20, and offered him a part-time job in information technology security.  source :CBC News


More on  the case in “Canada Student Loans faces class action lawsuits over massive privacy breach”

Privacy from an end point is a critical issue for all users of the Internet !!!!!! are we all protected when it comes to many of our end point rights and safety for our children and students? you  decide as a parent -our kids have grown up in the digital age.

Legal threats over data breaches come as government ponders new ways to secure information

read full story

This story is part of these discussions

Posted in: Uncategorized