TORONTO - Elections Ontario staff who lost two memory sticks with the personal information of millions of voters did not encrypt the files because they didn't know what encryption meant, privacy commissioner Ann Cavoukian said Tuesday.
"They went online, they Googled it, and the closest they could discern was that encryption means zipping the data, which means compressing the data, not encrypting it," Cavoukian said at a press conference.
The missing USB keys included voters' full names, addresses, date of birth, gender and whether they voted in the last election ó information that is a "gold mine" for identity thieves, warned Cavoukian.
"Cases of identity theft often take well over a year before they transpire," she said.
"They lay low, wait until the story is yesterday's news, and then hit hard, so you have to be vigilant."
The lost data is from about 2.4 million voters in 20-25 electoral districts, but because Elections Ontario can't say which districts, four million voters in 49 ridings are being advised to keep an eye on their bank statements.
Elections Ontario discovered the "massive breach" in late April, when two memory sticks went missing, but it didn't tell the public until July 17, prompting investigations by the information and privacy commissioner and provincial police.
Even worse, said Cavoukian, the agency went right back to using USB keys without enabling the encryption software just four days after realizing it had lost the two other data storage devices.
"I hit the roof, as you might imagine," she said.
"On what planet do you do that, do you do the same thing again and not encrypt the data? Itís baffling to me."
Elections Ontario's efforts to protect voters' information "were totally inappropriate in light of the breach that had just occurred," added Cavoukian.
"Personal information is the currency in which Elections Ontario trades, their sole responsibility in terms of the electorate," she said.
"I am astounded at the failure of senior staff to address the security and technological challenges posed by the decision to locate the project off-site."
Elections Ontario rented an off-site warehouse after last fall's election resulted in a minority government, because it had to prepare for the possibility of another snap election while also doing its usual post-election updating of the voters' lists.
However, staff at the second location did not have access to the Elections Ontario server, so they used portable USB keys to move the data back and forth.
The USB keys were never locked away as they were supposed to be, the encryption software was never enacted to protect voters' data, and it turns out staff thought putting a password on the file would protect the information.
"They had no understanding of the meaning of encryption," concluded Cavoukian.
When they resumed work after losing the two USB keys, the Elections Ontario staff again failed to use available encryption software even though there were new security measures in place.
"These measures were totally inadequate and failed to address the glaring privacy risk raised by the loss of the keys," said Cavoukian.
"Most significant, the project resumed by using a replacement set of USB keys with an encryption functionality, it was never activated."
Chief Electoral Officer Greg Essensa was unavailable to comment on Cavoukian's investigation, but his office issued a statement saying the agency will issue a report by the end of the year on how it will implement the commissioner's recommendations.
The commissioner also said it was discouraging to learn that privacy and security of personal information was not part of any training programs for staff at Elections Ontario.
A province-wide class action lawsuit has been launched against Elections Ontario regarding the loss of voters' personal information.