University of Victoria Data Breach (2012)

Stolen information affecting the bank accounts of thousands of people would never have ended up in the hands of thieves if an existing policy was followed at the University of Victoria. Before assigning blame, the school wants to wait for two reviews looking into whether an employee failed to follow policy by backing up confidential employee information to a device stolen 10 days ago. According to UVic’s Information Security Policy, data such as social insurance numbers and financial information must be stored within a controlled-access system with the file being password protected or encrypted. The device must also be locked away. The university has said the information on the stolen device was not encrypted or password protected, though it was locked up.