Canadian elections breach releases 2.4 million voters' data
updated 07:31 pm EDT, Thu July 19, 2012
Data lost three months ago, commission announcement today
A pair of USB drives containing personal information on voters living in the Waterloo region of Southern Ontario were lost three months ago, according to general elections oversight group Elections Ontario. Greg Essensa, Elections Ontario's chief electoral officer, said, "I did not want to make an irresponsible public notification or worry Ontarians needlessly," in regard to the 2.4-million-person breach of personal data.
The loss was described as unprecedented by Ontario Privacy and Information Commissioner Ann Cavoukian. In an interview regarding the breach, she noted that the large number was "larger than the size of most provinces" and "quite massive in its scale."
The lost data includes full names, birth dates, addresses, gender, voting records, and any information volunteered by the voter during registration. Essensa said that specialized commercial software, in addition to Elections Ontario internal software, is required to access the data. Historically, thieves intent on data acquisition have found such "requirements" to be only a brief roadblock, taking only days or weeks to decrypt protected files.
The data loss happened at about the same time as the Yahoo Voices breach, which exposed more than 400,000 users and passwords in plain text; Android fan forum Phandroid's loss of control of nearly a million users' information; and social network Formspring's breach, which affected 420,000 users. Data harvested from multiple sources can be examined for commonalities, ultimately making it a simple matter to attack e-commerce sites using duplicated credentials and stored credit card information.
Essensa says that he "take[s] this matter extremely seriously and I want to sincerely apologize to all Ontarians for any concern that this notification may cause." No financial record monitoring assistance has been offered to those affected (but closer surveillance of personal banking information has been suggested), nor has the full list of affected voters been released.



