Another government entity is set to examine the data breach on a Nova Scotia government website.
Nova Scotia’s auditor general is set to perform an audit of the province’s privacy services after a data breach at the government’s freedom of information (FOIPOP) portal exposed the personal information of 700 people, including social insurance numbers, birth dates and personal address.
The province’s minister of internal service, who is in charge of the FOIPOP website, says she officially requested “audit assistance” from the office of Nova Scotia Auditor General Michael Pickup on Friday.
“I believe that our efforts would greatly benefit from the support of you and your Office,” Patricia Arab wrote in her letter to the Auditor General.
“Your findings will help us to ensure that we are doing what we can to safeguard the privacy of Nova Scotians.”
Arab adds that Pickup’s audit will be “supportive and complementary” of a separate investigation launched by Catherine Tully, the province’s information and privacy commissioner.
Tully’s investigation will examine whether the department of internal services was in compliance with province’s Freedom of Information and Protection of Privacy Act.
“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.
Website still offline
Meanwhile, as of Monday, the FOIPOP website still remains unavailable and the government says there is no clear timeline on when it will be back up and running.
The province told Global News on Wednesday that the first patch for the website’s security issues was received by Unisys on April 13. It’s now undergoing testing before being passed on to the province, which will conduct its own testing.
An additional third party will also review the updated system.
“There is currently no set timeline attached to the service going back online for the public, as this will depend on the results of this process,” said Brian Taylor, a spokesperson for Nova Scotia’s internal services department.
An update was not available as of Monday.
WATCH: Halifax police make arrest after Nova Scotia FOI website breached, personal information exposed
19-year-old still facing charge
A 19-year-old teen is facing one count of unauthorized access of a computer after police say he was involved in a “data breach” of the government’s FOIPOP portal.
The charge, which the Halifax Regional Police says is “seldom laid,” carries a maximum punishment of 10 years in prison.
The government said the data breach — which occurred between March 3 and 5 — resulted in more than 7,000 documents being accessed and downloaded by a “non-authorized person.”
The province says that 250 of the documents contain highly sensitive personal information such as birth dates, addresses and social insurance numbers.
So far, investigators have neither filed an information before the Halifax provincial court, nor listed the young man’s name on the docket for a June 12 cour appearance, though the 19-year-old has been served with notices requiring him to appear.
Evan d’Entremont, an IT security professional, has written on his blog that the breach would’ve been fairly easy to carry out.
D’Entremont alleges that accessing the data would have been as simple as changing the document ID number at the end of a URL.
David Fraser, a leading technology and privacy lawyer with McInnes Cooper, says he is now assisting the teen in his legal defence.
“I am hopeful that as the file is transferred to the crown prosecutors, they will make the call to withdraw the charges that – I think – never should have been laid in the first place,” Fraser told Global News.
A crowdfunding campaign has been launched with the goal of creating a legal defence fund for the teen. Technology experts — including the board of the Atlantic Security Conference — have already contributed to the campaign.
Opposition parties have called for Arab’s resignation over the lack of security on the FOIPOP site, though it was swiftly rejected by Premier Stephen McNeil, who defended her performance last week.
Arab has apologized multiple times that Nova Scotians information was compromised.
“As Minister of Internal Services, I take this breach of privacy very seriously,” Arab wrote in her letter to the Auditor General.
“My department, together with our private sector delivery partners and other non-government resources, are investigating the cause of the breach.”
With files from the Canadian Press