RCMP thumb drive with informant, witness data obtained by criminals: watchdog

The Royal Canadian Mounted Police (RCMP) recently faced a major privacy breach when it lost a USB key containing personal information about victims, witnesses, informants, and other individuals. This breach came to light when criminals began offering the stolen data for sale on the black market. The Office of the Privacy Commissioner of Canada conducted a detailed investigation into the incident after the RCMP reported it in March 2022.
According to the report, the unencrypted USB key contained the personal information of 1,741 individuals, including subjects of interest, informants, police officers, and civilian employees. Shockingly, only some of the documents on the device were password-protected, and the device itself did not have any encryption or password protection in place.
The RCMP learned from a confidential source within the criminal community, three weeks after the loss, that the data was being offered for sale. This revelation raised concerns about the security measures in place within the RCMP to safeguard sensitive information. The Privacy Commissioner’s report found that the RCMP violated the Privacy Act by disclosing personal information without consent and failing to report the loss in a timely manner.
While the RCMP’s response to the breach and its notification to affected individuals were deemed appropriate, the office concluded that the RCMP did not take adequate measures to protect the personal information in the first place. As a result, the Privacy Commissioner recommended that the RCMP implement strict security measures for the use of USB storage devices, including audits to ensure the safe return of devices and additional training for employees.
In response to the recommendations, the RCMP initiated a review of its security and privacy policies and implemented an awareness program to remind employees of their responsibilities to protect sensitive information. The force also committed to preventing the use of unauthorized and unencrypted USB storage devices and implementing appropriate measures across the country to prevent future breaches.
Overall, the privacy breach served as a wake-up call for the RCMP to strengthen its security measures and ensure the protection of personal information. By taking proactive steps to address the recommendations laid out by the Privacy Commissioner, the RCMP aims to prevent similar incidents in the future and safeguard the privacy of individuals involved in law enforcement activities.