Here’s a case of an institution that seemed to do everything right, yet still ended up on the wrong side of a data breach. Bow Valley College (in Alberta, Canada) planned to get rid of 12 of its servers. Aware of the environmental and privacy-related concerns that come with such an undertaking, it hired a local nonprofit, the Electronic Recycling Association of Alberta (ERA), to carry out the data wipe, as well as properly dispose of the servers afterwards. In an act of impressive due diligence, the college even “toured ERA’s facilities and was satisfied with the ERA’s processes.” You should be able to see where this is going, and if you can’t, read this old IT-Lex post for a hint. From the snIP/ITs blog:

Four months later, a purchaser of one of the decommissioned servers booted it up and found personal information (including SIN numbers, credit card numbers, and salaries) of 189,900 students and 3,500 employees of BVC [the college] spanning almost 20 years. Over the next few months, the Commissioner received complaints from 28 individuals affected. … [The college] reviewed all the information on … recovered servers to identify the affected individuals and sent out letters to each of them. It also sent emails, set up a telephone number and an email address for information and in some cases, set up face-to-face meetings. It advised affected individuals of their right to make a complaint to the Commissioner and apologized. BVC estimated that its cost to respond to this incident cost over $247,000.

The “Commissioner” referred to here is the Information and Privacy Commissioner of Alberta, who earlier this summer found that, despite touring the facility and seeking out a specialist third-party to handle the data deletion, the college had not done enough to prevent this data breach. In her opinion, the Portfolio Officer found that: 

BVC had no signed contract or agreement in place with ERA. In addition, although BVC was charged for “pick-up” it received no invoice for data wiping charges, or certificates to confirm that the data was wiped, or written assurance that the devices were physically destroyed.

However, the Officer also found that BVC’s response after learning of the breach was sufficient to let it off the hook from further punishment: it had “made reasonable arrangements to prevent a similar recurrence”, and “apologized to the affected individuals.”

The lesson here is that data security is no joke, and even an entity like BVC, which seemed to be proactive and diligent in its work to appropriately clear its servers, can still be found lacking. Be extra careful when hiring third parties to clear your drives, and, of course, always try to have something in writing.
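The written assurance the Commissioner faulted BVC for not having is a read-back verification of each drive. The following is an added example, not code from the original post or from anyone involved in the case: it reads a block device or disk image end to end, confirms every byte matches the wipe pattern, and returns a record (byte count, digest, first leftover offset) that can be kept as proof. The `verify_wiped` and `make_sample_image` functions and the sample image are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Optional

CHUNK = 1 << 20  # read the device in 1 MiB pieces


def verify_wiped(path: str, fill: int = 0x00, chunk: int = CHUNK) -> dict:
    """Read back every byte of a device or image and confirm it equals `fill`.
    Returns a record suitable for filing as the written wipe verification."""
    expected = bytes([fill]) * chunk
    digest = hashlib.sha256()
    total = 0
    first_residue: Optional[int] = None
    with open(path, "rb") as dev:
        while True:
            buf = dev.read(chunk)
            if not buf:
                break
            digest.update(buf)
            if first_residue is None and buf != expected[: len(buf)]:
                # Record where the wipe first failed; a single leftover byte fails it.
                first_residue = total + next(i for i, b in enumerate(buf) if b != fill)
            total += len(buf)
    return {
        "device": path,
        "bytes_checked": total,
        "fill": f"0x{fill:02x}",
        "sha256": digest.hexdigest(),
        "wiped": first_residue is None,
        "first_residue_offset": first_residue,
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }


def make_sample_image(residual: Optional[bytes] = None, size: int = 3 * CHUNK + 4096) -> str:
    """Constructed stand-in for a decommissioned drive: an all-zero image,
    optionally with leftover bytes such as an incomplete wipe would leave."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as img:
        img.write(b"\x00" * size)
        if residual:
            img.seek(CHUNK + 17)  # leftover data in the second megabyte
            img.write(residual)
    return path


if __name__ == "__main__":
    dirty = make_sample_image(b"constructed leftover record, not real data")
    print(verify_wiped(dirty))  # wiped: False, first_residue_offset: 1048593
    os.remove(dirty)
```

On a real server the path would be the raw device (for example a `/dev/sd*` node on Linux, which needs root to read), and the returned record is what a certificate of data wiping should be backed by.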