How secure is a 'strong password'? Not very, experts say

Laptop Containing Health Data of 33,000 N.W.T. Residents Stolen in Ottawa

Article by CBC News · Posted: Jun 29, 2018

A cyber-security expert weighs in on how hard it is to crack an unencrypted laptop, like the one that was stolen in Ottawa in May. (CBC)

Incident Overview

The computer skills of a laptop thief in Ottawa may be the only determining factor on whether the health-care information of 33,000 Northwest Territories residents is compromised.

The laptop was stolen from a vehicle in Ottawa on May 9, according to the territory's health department. It contained data on patients and their health histories, covering approximately 80 per cent of the population. For some, that information included their history of infectious disease.

Related Headlines:

• Stolen laptop had health data for 80% of N.W.T. residents
• New details on Inuvik hospital data breach revealed in Privacy Commissioner's annual report

Officials with the Department of Health and Social Services provided information about the breach on Thursday through a statement and teleconference. In both, they said the laptop was not encrypted, but it did contain a "strong password".

Experts Weigh In

Joe Mayer, Vice-President of Toronto-based Identos, a mobile security firm:

"It might keep you and me out, if we were just clicking on the keys," explained Mayer.
"Anyone with some level of sophistication could get into most systems that are only password-protected."

For Mayer, the issue involved in this breach is the lack of encryption on the device.

"It sounds like many of the right steps were taken, but one key piece was not," he said.
"That's to encrypt the data, to encrypt the hard drive so that in the event this were to happen, no one would get access to the data itself."

Devices used by the health department are supposed to have that encryption, but the laptop stolen in Ottawa was part of a pilot program of new laptops, and either they were missed or the encryption process failed, according to a statement from the territorial government.

Robert Biddle, Computer Science Professor, Carleton University:

"If someone can bypass the locked door and go in through a window, they can steal other things that you have there."

Failing to encrypt a device is like leaving an unlocked window in an otherwise secure house, Biddle explained.

"The alternative is if you've encrypted your hard drive ... even if they could bypass the password and crack the hard drive, there isn't much for them to do with it."

For both Mayer and Biddle, the key to protecting data is encryption, and following through on keeping device security up to date.

Elaine Keenan-Bengts, Northwest Territories Information and Privacy Commissioner

Keenan-Bengts has been reporting on data breaches within the health department for years, making note of issues in annual reports.

Related Incidents:

• Patient records breached 8 times in 2015-2016, confirms N.W.T. health dept.
• Privacy breach at Hay River clinic prompts discovery of 41 'irregularities' with patient files

The department notified her of the latest breach. She acknowledged that it's "disturbing that most of the N.W.T. is affected" by it and said she will be investigating what happened.

"People who work in the health department are human," she said.
"As long as humans work with data, there will be breaches."

Want to Know More?

Feel free to visit the Encryption as a Service pages or get in touch!