The government of Nova Scotia says the province’s freedom of information website was breached in March and the personal information of some people — including social insurance numbers, birth dates and personal addresses — has been accessed.
The government says it is in the process of reaching out to people whose data may have been accessed and informing them of the breach. However, the province says that no financial information is at risk.
Questions about a possible data breach began circulating earlier this week after the government-run website was taken offline for more than a week due to “unscheduled maintenance.”
On Wednesday, Nova Scotia’s Minister of Internal Affairs, Patricia Arab, apologized, saying she couldn’t inform media due to an ongoing investigation by Halifax Regional Police (HRP) into the breach.
However, in a press conference on Wednesday afternoon, police superintendent Jim Perrin seemed to put Arab’s statement in question.
“There was no conversation between us and the province about holding off and not telling anybody,” Perrin said.
Arab says that a breach is unacceptable and the government must do better.
“HRP must do their job and we will do ours,” she said.
The opposition parties swiftly shot back at the provincial government, criticizing them for what they say is unnecessary secrecy
“The Liberal government intentionally withheld information from the public about this data breach by refusing to answer journalists’ questions about this issue yesterday,” Dave Wilson, the NDP critic for internal services, said in a statement issued on Wednesday.
“Individuals whose personal information had been compromised should have been notified immediately.”
Notified of a data breach
The province says they were informed on April 5 by a provincial employee after they were able to inadvertently access documents through the portal.
“The employee was involved in doing some research on the site and inadvertently made an entry to a line on the site – made a typing error and identified that they were seeing documents they should not have seen,” Deputy minister Jeff Conrad told a technical briefing.
Officials said the documents were accessed through a “vulnerability in the system” and not through a hack. They said someone wrote a script of computer code that allowed them to sequentially access “every document available on the portal.”
“There’s no question, this was not someone just playing around,” said Conrad.
This prompted the department of internal services to contact their third-party partner, Unisys, and take the website offline as they investigated.
On April 6, Unisys informed the province that between March 3 and March 5 more than 7,000 documents were accessed and downloaded by a “non-authorized person.”
The province says that 250 of the documents contain highly sensitive personal information such as birth dates, addresses and social insurance numbers.
WATCH: Nova Scotia’s new FOIPOP website welcome but ‘systemic problems’ persist
The province’s freedom of information portal was developed to serve as a gateway to request documents and information under Nova Scotia’s freedom of information legislation.
Reporters, businesses, researchers and politicians are able to file requests with a $5 dollar application fee.
When they do so they receive an acknowledgment letter which normally includes information like the applicant’s name, personal address and email address. According to the province these were some of the documents accessed during the breach.
Decision letters as well as completed access to information requests were also reportedly accessed.
Multiple investigations underway
Nearly 24 hours later, the province informed Halifax police of the breach, who began their investigation.
Police say that on Wednesday morning, they executed a search warrant at an address in Halifax, took a 19-year-old man into custody and seized a number of items.
Perrin said that the man has been charged with unauthorized use of a computer, and has since been released on a promise to appear in court at a later date.
“It’s a seldom laid charge,” said Perrin, adding that police are still analyzing the computers seized during their raid and more charges could be laid.
If convicted of unauthorized use of a computer, the man could face a maximum of 10 years in prison.
Catherine Tully, the province’s privacy and information commissioner has also been informed of the breach, and is now launching her own investigation into whether the department of internal services was in compliance with province’s Freedom of Information and Protection of Privacy Act.
“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.
People worried that their information may have been exposed they are encouraged to call 902-424-3843 or email firstname.lastname@example.org