Halifax Regional Centre for Education (HRCE) shut down registration for its Excel program Monday morning due to a “privacy breach,” after users said they could see other people’s personal information.
“At this point it appears the information available included contact information and some medical information,” read a statement on the organization’s website.
Earlier in the day, HRCE tweeted that the issue had been contained and that it was investigating.
The Excel program, which is available in 62 elementary schools, offers before- and after-school care for children.
According to the program’s website, early registration began at 8 a.m. on Monday for the 2018-2019 school year. The shutdown happened at 8:37 a.m.
“Approximately 3,200 parents/guardians would have received an access code to register this morning. Of those with access, 1091 completed their registration form, and 82 had started but did not finish,” read the statement from the organization formerly known as the Halifax Regional School Board.
Doug Hadley, a spokesperson for HRCE, said people reported seeing students’ names, birth dates, and health care information (such as allergies).
Nova Scotia’s information and privacy commissioner has been notified, and people who got registration code were notified of the breach, Hadley said.
HRCE’s servers are not connected to the province’s servers.
“We immediately knew that something was wrong with the system,” said Kevin Dolan, who lives in Dartmouth.
When he and his wife got through to the registration page to sign their two children up, a different student’s name appeared.
As they progressed, he said he saw a list of other people’s family members and caregivers, as well as their phone numbers, full names, and relationships to unnamed students. The list also had a section on potential allergies, Dolan said.
He said he hesitated to put in his credit card information as part of the registration but eventually did because they didn’t want to risk losing their chance for spots in the program.
“I expect a little bit more out of these type of websites,” Dolan said. “Especially where it’s tied back, potentially, to children and relationships to children. That information should be held at the highest security possible.”
Claudia Chender, MLA for Dartmouth South and the Nova Scotia NDP’s education spokesperson, said she came across other people’s personal information while trying to register her three children into the program.
“It’s frustrating to know that their information and mine could have been compromised, but then of course as an elected official, I’m that much more sensitive to the fact that my own personal email, address, telephone number are now potentially compromised,” she said, noting the recent breach of the province’s freedom of information web portal, in which people’s personal information was exposed.
“At this point, what needs to be done is that the government needs to assure the public that their information is safe.”
During an interview with Chender, the provincial government announced that Nova Scotia’s auditor general will audit another recent data breach.
Last Thursday, Nova Scotia Business Inc.’s website was shut down because evidence of unusual activity was found, the Crown corporation said.
MLA Claudia Chender, who serves as the #NovaScotia NDP’s education spokesperson, says she saw people’s personal information when she accessed the system this morning. She says the provincial government needs to assure people that their private info is safe. #NSPoli #DartmouthNS pic.twitter.com/xekLhliMw4— Steve Silva (@SteveCSilva) April 23, 2018
Earlier in the month, Nova Scotia’s government said there was a breach of its access to information web portal.
There is nothing to suggest those two matters are related to HRCE’s matter, Hadley said.
“We don’t have any information to suggest it was a malicious act by anyone. What we think may have been the cause is that this is a system that’s been in place for close to 10 years, that we built ourselves, and it constantly gets upgrades when you upgrade software or you upgrade security measures, and we’re thinking potentially that when we were doing some of these recently, it may have created some type of bug, which inadvertently allowed some information to be made public, which shouldn’t have happened,” he said.