Phoenix pay system to blame for twice breaching public servants' private data, says deputy minister - Action News
Home WebMail Tuesday, November 26, 2024, 10:53 AM | Calgary | -16.2°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Politics

Phoenix pay system to blame for twice breaching public servants' private data, says deputy minister

The department of Public Works confirms there have been two separate data breaches involving the personal information of public servants as a result of the federal government's new computerized payroll system.

Deputy minister says data was scrambled, would have needed expertise and 'significant time to make readable'

IBM inadvertently used public servants' personal information for testing during the development phase of Phoenix. (Getty Images)

Public servants had their private information breached twicewhenOttawa launched its new computerised pay system, the government said Thursday.

The deputy minister of Public Works,Marie Lemay, confirmed the incidentsin an open letter to staff posted on the department's websiteThursday afternoon.

The statementcomes two days after CBC News first reported on privacy problems caused by 'Phoenix'.

"Our Departmental Oversight Branch thoroughly reviewed these situations and determined that they posed low risk to employee privacy," Lemay wrote."There was no evidence that employee personal information ever left the hands of federal employees or government contractors."

The implementation of Phoenixhas also been blamed for significantpay problems affectingmore than 80,000 federal government employees.

Lemay'sletter saidthe first breach took place between Marchand Julyof 2015.

Employee names, pay amounts, and 'Personal Record Identifiers', known as (PRI),were "inadvertently used by IBM to test the system during the development phase of Phoenix," the postsaid.

"This information was immediately deleted as soon as the issue was detected. In addition, the employee information consisted of scrambled data that would have required technical expertise and significant time to make it readable."

The incident was reported to the Privacy Commissioner, and was published in the 2015-2016 annual report on the Privacy Act.

2nd breach

The second data breach involved managers having access to information about all federal government employees, between February and April of 2016.

The letter says several managers from four departments had access to information about employees in other departments.

"Contrary to what has been reported in the media, this breach involved only the names andPRIs of employees. These access issues were addressed, and system fixes were put in place to prevent further problems. TheOPCwas also made aware of this situation."

Union not notified of breaches

The union representing 140,000 public servants says it was not notified about either of the security breaches.

Chris Aylward, national vice-president of the Public Service Alliance of Canada, saidhe's particularly worriedabout the first exposure of data during IBM's test of Phoenix.

"It's obvious they used live information and actual employee information...so that is a concern now that a third party basically had access," Aylward told CBC News.

Aylward is demanding the departmentbe more forthcoming about exactly what datawas shared, and how many employees had their personal detailsexposed.

Public Works Minster Judy Foote's office saidthe breach involving IBM was reported to the Privacy Commissioner and published in the 2015-2016 Privacy Act.

Aylwardinsists the union should have been notified, and that workers shouldn't have to read the Privacy Act to see if they've been involved in a breach.

"This is unacceptable, this is total bureaucratic politicalcrap in my mind," he said.

Calls for additional precautions

Although government employees and contractors are required to abide by a code of values and ethics, one cyber-security expert saysthere can be trouble tracking what happens to this kind of data after an exposure.

Mark Nunnikhoven, the vice-president of cloud research at the online security firm Trend Micro, also has concerns about the breach.

"They needed a sample data set to verify whether the system was working correctly. So that's a common practice where you take data that looks like it would be similar to the end result to see how the system will react."

But Nunnikhovenexplained that onlyfake data should be used for testing purposes.

"They should have taken additional precautions and they shouldn't be using that type of data set in a test."

He did add that Ottawa should follow its own security practices.

"The good thing about the government of Canada is that it has a very strong framework for managing information security ...what they need to make sure that the external contractor and everyone involved on the technical side of the system is following this through."