City hall suffers second privacy breach of 2015
By Joel Wittnebel/The Oshawa Express
A worn piece of equipment is being blamed for the most recent privacy breach at the City of Oshawa that could affect as many as 18 people.
Letters detailing the tax information of people who are part of the city’s pre-authorized payment plan (PAP) for their taxes may have had their notice double-stuffed inside someone else’s due to the malfunctioning machine.
Staff were alerted to the potential breach on Dec. 1, when it became clear that the number of letters delivered by Canada Post did not match up with the number that was supposed to have been sent out.
Sandra Kranc, the city’s clerk, explains the city is now looking to advise everyone in the program – approximately 13,000 people – about the breach and locate those who may have received someone else’s letter along with their own. However, determining which letters it was is like finding a needle in a haystack.
“We have no idea which ones it was,” Kranc says.
Along with notifying the Information and Privacy Commissioner (IPC) of the breach, as per the city’s privacy breach protocol, city staff are also working on their own investigation.
And while the piece of machinery has since been fixed, Kranc says the city’s print shop has also taken further steps to ensure this doesn’t happen again.
“They’re also taking preemptive measures in the future. Rather than doing a batch of 13,000, they’re breaking the batches down into 500 to manage them a bit more and make sure the numbers match up at the end,” she says.
The city advises that if you’re enrolled in the PAP program and have yet to receive your notification of your 2016 tax amount, or if you received someone else’s notice along with your own, contact Joanna Kurowski, the city’s records and information analyst, at (905) 436-3311 ext. 2478 or by email at jkurowski@oshawa.ca
No banking or credit card information was released in the breach.
This breach is the second Oshawa has seen in 2015.
The first occurred in the city’s recreation and cultural services branch in June, when more than 1,000 email addresses were shared accidentally, as a result of the department’s email list being shared in the CC field – which is visible in any email – instead of the BCC field – which is hidden.