CNA-Qatar salary, data breach in 2011 affected hundreds

The College of the North Atlantic campus in Qatar (CNA-Q) discovered two serious privacy breaches in the span of two weeks in late 2011, including one that saw the salary information of hundreds of employees inadvertently revealed.

That’s according to government records obtained through access to information by CBC Investigates.

The first breach was discovered on Nov. 21, 2011.

A CNA-Q description of the incident sent to the province’s Office of Public Engagement described what happened.

“A document posted to our HR intranet (word redacted) site contained information regarding individual employees and their respective salaries and their dates of birth,” the form noted.

“The document was developed specifically for the purpose of workers compensation and life insurance. We have been made aware that a number of employees have downloaded this document and have circulated it amongst other employees.”

CNA-Q indicated that about 600 employees were directly affected by the privacy breach.

The college noted that 25 other employees were impacted, but blacked out details about where they worked, citing an exemption related to potential harm to relations with a foreign government.

According to the incident description obtained by CBC Investigates, the breach occurred nearly a month before it was discovered.

CNA-Q officials removed the document from the intranet.

“Communication has (been) sent to all of our employees regarding the circulation of confidential information and specifically referencing the return of the document to HR and directing no further circulation of this document.”

2nd breach 2 weeks later 

Just two weeks after that privacy breach, college officials in Qatar reported a second incident to the provincial government.

The project manager for CNA-Q received an anonymous email that contained three attachments. Those documents appear to be sensitive ones — much of the information describing them has been redacted in records provided to CBC Investigates.

“Viewing of the items listed above has been restricted to CNA executive and senior management involved in the privacy breach process,” the college noted in a form sent to the Office of Public Engagement.

“The college was unsuccessful in its attempt to trace the anonymous email to its source.”

A half-dozen people were affected, including employees and their family members.

CNA-Q indicated it planned to report the matter to law enforcement.

Internal breaches, employees notified

There does not appear to have ever been public disclosure of the 2011 breaches. 

In an email to CBC Investigates, CNA director of public affairs Heidi Staeben-Simmons said the breaches were internal to employees at CNA-Q, and those involved were notified.

“The first breach involved the posting of employee information with regard to their private insurance coverage on a shared internal drive within CNA-Q,” Staeben-Simmons said.

Those involved in this situation were subject to progressive discipline as per the HR policies of CNA-Q.- Heidi Staeben-Simmons

“Those involved in this situation were subject to progressive discipline as per the HR policies of CNA-Q.”

Staeben-Simmons said the police were notified about the second breach, but it remains “an open or unresolved matter.”

She noted that CNA-Q “acted swiftly” in the wake of the two incidents, bringing in mandatory education and training for all staff, and adding a confidentiality clause to employment contracts, along with a dismissal clause should information be shared inappropriately.

The college also boosted electronic audit mechanisms and now requires dual signoffs before any potentially-sensitive information is posted to CNA-Q’s internal site, Staeben-Simmons said.