A hasty email inadvertently exposed the financial records of more than 1,000 Canada Student Loan borrowers, according to Northwest Territories Privacy Commissioner Andrew Fox.Blacklocks Reporter says the breach, caused by an oversight in the handling of email attachments, has raised serious privacy concerns.Fox detailed his investigation into the incident, which involved a hurried email mistakenly disclosing two years’ worth of financial records. "Fundamentally, the employee sending the email did not check the contents of the email attachments before sending the email," Fox explained. He noted that while the exact cause of the mistake remains unclear, it appears to have resulted from inattention."A moment’s inattention led to a privacy breach that affected 1,159 people," Fox stated. "Any time the employee saved by not double-checking the email attachments was far outweighed by the time and effort the department spent investigating the circumstances."The breach occurred when a student requested a record of their Canada Student Loan payments from the Territories’ Department of Education. In response, an employee attached three PDF files, one for each tax year from 2018 to 2020. While the 2019 file contained only the requested information, the 2018 and 2020 files included letters for all student loan clients who paid interest on their loans in those years."The 2018 file contained 848 letters. The 2020 file contained 786 letters. In all, 1,159 individuals were affected by the privacy breach," Fox reported. The email attachments listed borrowers’ names, addresses, and loan payment amounts. All affected individuals were subsequently contacted.The education department has since implemented stricter privacy controls. "The privacy breach occurred because of a mistake," Fox emphasized.This incident is reminiscent of the largest known breach involving Canada Student Loan borrowers, which occurred in 2012 at a federal Department of Employment office in Gatineau, Quebec. In that case, a portable hard drive containing personal information on 583,000 borrowers vanished from an unlocked filing cabinet. The unencrypted files included names, birth dates, Social Insurance Numbers, addresses, and loan balances, and the department delayed notifying the RCMP for five months. The hard drive was never recovered.A federal judge approved a $17.5 million class action settlement in 2017 related to the 2012 breach. "It remains unclear whether the drive was stolen, merely lost, or destroyed," wrote Federal Court Justice Jocelyne Gagné in 2018. Despite two main investigations, the cause of the data loss was never determined.
