Security documents at risk on federal site: Audit

Feb. 16, 2003. 06:08 PM FROM CANADIAN PRESS Link(dead as of 10/28/06):
In a major security breach, Transport Canada posted up to 5,000 confidential documents - some related to airport security - on a widely accessible database that is vulnerable to hackers, a new audit has found. "The scale of error represents a significant contravention of government information security and privacy policy," says the internal audit of the department's new information system. The investigation determined that about one of every 10 documents in the department's giant database was confidential and should not have been available to every staff member in Transport Canada. The database is also likely susceptible to determined hackers, putting at risk between 4,000 and 5,000 items - including many secret documents that could harm Canada's national interests if disclosed. "Notable . . . were documents dealing with airport security matters subsequent to the September terrorist attacks" of 2001, says the report, citing an example. In one sampling, investigators readily obtained 17 national security documents marked "Secret" that could be easily viewed and printed. The audit report, dated Nov. 19, 2002, was obtained under the Access to Information Act. The report examines Transport Canada's new records management system, developed over two years and completed last fall. The department is among the first of 33 federal institutions that will eventually use the system to cope with the avalanche of paper civil servants produce each year. The government-wide project is being managed by Treasury Board. The system was originally intended to have an encryption system that would protect confidential material, but the additional software was never developed for reasons that remain unclear. Transport Canada employees nevertheless loaded the database with a vast amount of confidential material, including secret records detailing cabinet discussions, proposed legislation and national security matters. "Documents classified as secret would endanger national security, cause serious injury to the interests or prestige of the nation, or give substantial advantage to a foreign power," the report notes. The auditors found that Transport Canada officials rejected a proposal to instruct employees about the security classification of documents because it would have taken too much time. Instead, the department simply sent out an e-mail in late 2001 calling on them to be mindful of security designations. However, the auditors suggested lack of training was only part of the problem - many confidential documents appeared to have been posted out of carelessness. Citing several research studies, the report says Ottawa's ``Government On-Line" initiative could provide hackers with a window to illegally tap into sensitive databases. "Transport Canada's vulnerability to this type of access is likely similar," the authors wrote. Transport Canada officials were aware of the hacker threat as they implemented the new system but took no action, the report says. Spokesmen for the department did not respond to requests for comment on the findings of the audit. However, in a written response to the report, Transport Canada officials said they have since purged the database of confidential materials. The department also says it is conducting a threat and risk assessment to determine its vulnerability to hackers.

main page ATTRITION feedback