The incident happened in April but was only publicly reported Tuesday by the provincial chief electoral officer. Greg Essensa said the data on the drives wasn't encrypted, but was in a format that could only be accessed by proprietary provincial software or by a highly skilled programmer using commercial software.
"I'm deeply disturbed," said Ontario privacy commissioner Ann Cavoukian.
It's "the largest data breach that has occurred in the province," from either a public agency or a private sector business. The risk, she added, is someone could access personal information and steal peoples' identities.
It's not merely a black eye for the province. It's also an embarrassment because Cavoukain is known around the world as a privacy advocate.
"One of the reasons I was so disturbed is the data on millions of people was not encrypted," she added.
Elections Ontario isn't exactly clear what's on the drives, or whether the drives were stolen or are merely missing.
Essena told reporters the two drives have names, addresses, gender, birth dates and "any other personal information updates provided to Elections Ontario" by roughly half of people on the voters list last fall, and possibly, whether they voted. What's not on the drives are social insurance numbers, health card numbers, drivers licence information, credit card or banking information.
But after several months of investigating it still isn't sure what names were on the drives. It believes they covered 20 to 25 of the 49 electoral districts being worked on by staff at the time.
Even forensic experts hired by the department can't figure out which ridings were on the drives.
The department has done a "rigorous" search for the drive, Essensa said, and a full investigation by a private law firm and a forensics security firm, an investigation still ongoing. It's also been reported to the Ontario Provincial Police.
Meanwhile, he's advising all Ontarians to watch for "potential unusual activity" regarding any transactions with the province, banks, utilities and retailers.
An obviously frustrated Cavoukian said she has issued several orders to provincial civil servants that if data is to be transferred from a provincial computer to a portable device either it has to be de-personalized or encrypted.
However, for some reason neither happened in this instance at Elections Ontario.
A chastened Essensa told reporters that the department's policies "were not followed" and couldn't explain why.
However, he tried to suggest that the odds of the data being misused is low.
"If you were to put these keys into your computer now there's no [file] extension that comes on the files. You would not be able to identify exactly what software you would need to utilize them."
"There is no evidence that copies of personal information on two USB keys have been improperly accessed," he added, but out of "an abundance of caution" is telling the public now.
The USB drives had been to transfer data to laptops in a temporarily leased building where Elections Ontario was updating the voter registry. Laptops used by staff didn't have Internet access to the government's servers.
Staff were told to lock up the drives when they weren't in use.
Two civil servants who had responsibility for the drives are no longer with Elections Ontario, the chief elections officer said. Once the investigations are finished other actions may be taken, he added.