April 23, 2018 3:36 pm
Updated: May 15, 2018 3:01 pm

Nova Scotia’s auditor general to perform audit after province’s data breach

File - Nova Scotia Auditor General Michael Pickup listens to a question during a news conference regarding his latest report in Halifax on Wednesday, June 8, 2016.

Andrew Vaughan/The Canadian Press
A A

Another government entity is set to examine the data breach on a Nova Scotia government website.

Nova Scotia’s auditor general is set to perform an audit of the province’s privacy services after a data breach at the government’s freedom of information (FOIPOP) portal exposed the personal information of 700 people, including social insurance numbers, birth dates and personal address.

Story continues below

The province’s minister of internal service, who is in charge of the FOIPOP website, says she officially requested “audit assistance” from the office of Nova Scotia Auditor General Michael Pickup on Friday.

“I believe that our efforts would greatly benefit from the support of you and your Office,” Patricia Arab wrote in her letter to the Auditor General.

“Your findings will help us to ensure that we are doing what we can to safeguard the privacy of Nova Scotians.”

Arab adds that Pickup’s audit will be “supportive and complementary” of a separate investigation launched by Catherine Tully, the province’s information and privacy commissioner.

READ MORE: Stephen McNeil rejects N.S. Opposition’s call for minister’s resignation over data breach

Tully’s investigation will examine whether the department of internal services was in compliance with province’s Freedom of Information and Protection of Privacy Act.

“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.

Website still offline

Meanwhile, as of Monday, the FOIPOP website still remains unavailable and the government says there is no clear timeline on when it will be back up and running.

The province told Global News on Wednesday that the first patch for the website’s security issues was received by Unisys on April 13. It’s now undergoing testing before being passed on to the province, which will conduct its own testing.

An additional third party will also review the updated system.

“There is currently no set timeline attached to the service going back online for the public, as this will depend on the results of this process,” said Brian Taylor, a spokesperson for Nova Scotia’s internal services department.

An update was not available as of Monday.

WATCH: Halifax police make arrest after Nova Scotia FOI website breached, personal information exposed

19-year-old still facing charge

A 19-year-old teen is facing one count of unauthorized access of a computer after police say he was involved in a “data breach” of the government’s FOIPOP portal.

The charge, which the Halifax Regional Police says is “seldom laid,” carries a maximum punishment of 10 years in prison.

The government said the data breach — which occurred between March 3 and 5 — resulted in more than 7,000 documents  being accessed and downloaded by a “non-authorized person.”

The province says that 250 of the documents contain highly sensitive personal information such as birth dates, addresses and social insurance numbers.

So far, investigators have neither filed an information before the Halifax provincial court, nor listed the young man’s name on the docket for a June 12 cour appearance, though the 19-year-old has been served with notices requiring him to appear.

Evan d’Entremont, an IT security professional, has written on his blog that the breach would’ve been fairly easy to carry out.

D’Entremont alleges that accessing the data would have been as simple as changing the document ID number at the end of a URL.

David Fraser, a leading technology and privacy lawyer with McInnes Cooper, says he is now assisting the teen in his legal defence.

“I am hopeful that as the file is transferred to the crown prosecutors, they will make the call to withdraw the charges that – I think – never should have been laid in the first place,” Fraser told Global News.

A crowdfunding campaign has been launched with the goal of creating a legal defence fund for the teen. Technology experts — including the board of the Atlantic Security Conference — have already contributed to the campaign.

READ MORE: Halifax Excel program registration shut down because of ‘privacy breach’

Apology

Opposition parties have called for Arab’s resignation over the lack of security on the FOIPOP site, though it was swiftly rejected by Premier Stephen McNeil, who defended her performance last week.

Arab has apologized multiple times that Nova Scotians information was compromised.

“As Minister of Internal Services, I take this breach of privacy very seriously,” Arab wrote in her letter to the Auditor General.

“My department, together with our private sector delivery partners and other non-government resources, are investigating the cause of the breach.”

With files from the Canadian Press

© 2018 Global News, a division of Corus Entertainment Inc.

Report an error

Comments

Want to discuss? Please read our Commenting Policy first.

Global News