A health establishment has opened an investigation after one of its executives asked dozens of employees to provide her with their passwords, so that she could enter their computer session.
“Management asks me to maintain a table with your Windows logins and passwords (to enter your session) [et] your voicemail passwords,” wrote an administrative assistant to 45 employees of the CISSS de la Montérégie-Ouest on Tuesday in an email obtained by our Investigation Office.
“Don’t worry, I won’t spread the news. It is only in case of need, if someone is on sick leave, ”continues the one who says she is writing on behalf of Karine Plante-Boulay, head of the Youth Mental Health program at the CISSS-MO.
The organization confirmed that an internal investigation had been opened following the incident. “Appropriate disciplinary measures could be applied,” explained Jade St-Jean, spokesperson for the CISSS.
Email responses
She also confirms that some employees saw fit to respond to the request made in the email. The passwords in question have since been suspended.
“The cybersecurity operational center investigated to ensure there was no security breach and destroyed all emails from the boxes of employees who received it,” added Ms.me St-Jean.
Do you have information to share with us about this story?
Got a scoop that might be of interest to our readers?
Write to us at
[email protected] or call us directly at
1 800-63 SCOOP.
–
–
–
–
–
In addition, a message was sent to some 11,000 CISSS employees to remind them that sharing their username and password is prohibited.
The CISSS-MO judges for the moment that it is a “human error that was made without malicious intent”.
Red light
According to Éric Parent, computer security expert, this is clearly a “very bad practice”.
“Being asked for your password is an automatic red light. This is the basis, the first chapter in a book on computer security,” said the CEO of EVA Technologies.
The main risk is that this list of passwords falls into the wrong hands, either inadvertently or maliciously.
“How would this list be secured? Where would it be stored? Who would have access to it? If it is sent by email, probably several IT employees will have access to the passwords,” noted Mr. Parent.
Not to mention that a password known to a single person makes it possible to associate him with the responsibility for the workstation.
“If more than one person knows a password, we can never again assign an action to a user. If we suspect an employee of having committed a reprehensible act, we will never be able to prove it.”
Manager Karine Plante-Boulay preferred not to comment.
–
:quality(50)/cloudfront-us-east-1.images.arcpublishing.com/semana/KBHRYS7XQFHV3PINW6J52YU7IY.jpg?resize=150%2C150&ssl=1)