TORONTO -- Elections Ontario failed to enact security measures after it lost two USB keys containing the unencrypted personal data of up to 2.4 million voters, privacy commissioner Ann Cavoukian said Tuesday.
Elections Ontario discovered the "massive breach" when two memory sticks went missing in late April, but it didn't tell the public until July 17, prompting investigations by the information and privacy commissioner and provincial police.
The agency went right back to using USB keys without enabling the encryption software just four days after realizing it had lost the two other data storage devices, said Cavoukian.
"Remarkably, despite the experience of the previous week and the resulting anxiety over lost data, the replacement USB keys were unencrypted," she said.
"And no thought was given to encrypting the laptops" which also contained portions of the voters' data.
The missing data keys include voters' full names, home addresses, date of birth, gender and whether they voted in the last election.
Elections Ontario's efforts "were totally inappropriate in light of the breach that had just occurred," added Cavoukian.
"Personal information is the currency in which Elections Ontario trades," she said.
"I am astounded at the failure of senior staff to address the security and technological challenges posed by the decision to locate the project off-site."
Elections Ontario set up a second location after last fall's election resulted in a minority government, because it had to prepare for the possibility of another snap election while also doing its usual post-election updating of the voters' lists.
However, staff at the second location did not have access to the Elections Ontario server, so they used portable USB keys to move the data back and forth.
The USB keys were never locked away as they were supposed to be, the encryption software was never enacted to protect voters' data, and it turns out staff thought putting a password on the file would protect the information.
"They had no understanding of the meaning of encryption," concluded Cavoukian.
When they resumed work after losing the two USB keys, the Elections Ontario staff again failed to use available encryption software even though there were no security measures in place.
"These measures were totally inadequate and failed to address the glaring privacy risk raised by the loss of the keys," said Cavoukian.
"Most significant, the project resumed by using a replacement set of USB keys with an encryption functionality, it was never activated."
The commissioner also said it was discouraging to learn that privacy and security of personal information was not part of any training programs for staff at Elections Ontario.
A province-wide class action lawsuit has been launched against Elections Ontario regarding the loss of voters' personal information.