County data breach

Monte Sonnenberg

By Monte Sonnenberg, Simcoe Reformer


Norfolk County employees are monitoring their bank accounts and financial transactions following a serious data breach earlier this year.

On March 29, a county employee noticed detailed personal information on nearly 800 county employees was freely available on an internal Norfolk website. The file contained names, addresses, telephone numbers, social insurance numbers, birth dates, and direct deposit banking information related to county employees.

According to a "personal and confidential" letter delivered to affected employees at the end of April, the security breach was corrected 20 minutes after it was discovered. In her letter, Katherine Bristol, Norfolk's information co-ordinator, said senior county management wasn't informed of the breach until April 22.

Tuesday, Kandy Webb, Norfolk's general manager of employee and business services, confirmed that an internal review of the breach is underway.

"The investigation is ongoing," Webb said. "At no time was the information accessible to anyone in the public."

Employees have been told that the breach occurred when the security of the file was changed to open access as it was transferred from the county payroll system to an internal site connected to Norfolk's human resources department. To the best of the county's knowledge, the breach was inadvertent and no employee has been harmed as a result.

"It's upsetting that it happened," Mayor Charlie Luke said Tuesday. "It doesn't matter if it involved one employee or all of them. The good thing in this situation is that no one was trying to hack the county's records. It was internally corrected within 20 minutes of it being noticed. No one has reported anything involving their banks or identity theft."

The Office of the Information and Privacy Commissioner of Ontario has been notified of the incident. The commissioner's office recommended that each employee receive a registered letter informing them that their information was compromised. With registered letters costing $11 each, Norfolk opted instead to have the letters hand delivered by courier.

"It's one of those things where you come into work one morning and it's a nightmare," Luke said. "You ask `How did this happen?'"

Webb can't say at this point whether the findings of her probe will come to Norfolk council in public session or as an internal report that will be shared in camera.

In the meantime, the county has advised affected workers to inform their banks, credit card companies and relevant government agencies of the breach. They have also been advised to monitor their finances for suspicious activity.