‘Didn’t have all the information’: Expert says new breaches show N.S. jumped the gun on FOIPOP arrest
Nova Scotia’s data breach just got bigger — with the province reporting on Monday that it appears private information was accessed 11 more times than it previously reported — and that’s a big problem, say members of the tech industry.
The Nova Scotia government says that the 11 instances of additional “unusual activity” and downloads from its Freedom of Information and Protection of Privacy (FOIPOP) website have been referred to police as both law enforcement and the government continue to investigate how the private information — including social insurance numbers, birth dates and personal addresses — was accessed.
“No new individuals have been impacted,” said Patricia Arab, Nova Scotia’s internal services minister on Monday.
“As we were going through things with a fine-toothed comb, we found that there were more downloads that took place with the same information.”
Evan d’Entremont, a software engineer and security researcher, says the new breaches are a clear indication the province jumped the gun when it reported the breaches on April 11.
“The best assumption I have is that they have gone through and had to look at every one of these documents to find out which ones were actually supposed to be public and what wasn’t, and it took them this long to do it,” d’Entremont said on Monday.
“It’s pretty clear when [the province] went to the police with the information that caused a teenager’s house to be raided that they didn’t have all the information. They didn’t know what had been taken at that point or how many people accessed it,” he said, referring to the arrest of a 19-year-old linked to the original breach who told the CBC that his arrest had been carried out by approximately 15 officers.
The decision to charge the 19-year-old has been heavily criticized by the tech community in Canada, which says the police “overreached” for something that is a common action in their field.
A crowdfunding campaign — backed by many in the tech field — has now raised $12,865 for the teen’s legal defence which will be headed by privacy lawyer David Fraser.
The province says that through the course of its investigation into the breach, it has discovered that “11 additional instances of unusual activity involved the download of almost 900 of the same documents accessed in the breach previously reported on April 11.”
Arab said investigators are not sure if it’s the same man who was arrested in relation to the breach but said the new incidents originated from separate IP addresses — which provide a unique identifiable number corresponding to a computer using the Internet.
The original breach of the website resulted in the government shutting down its FOIPOP portal and the arrest of the 19-year-old. He has since been released on a promise-to-appear and is scheduled to appear in court in June.
The teenager now faces the seldom-laid charge of unauthorized use of a computer which carries with it a maximum punishment of 10 years in jail.
Halifax Regional Police told Global News that they were first informed of the 11 additional instances on April 21, nine days before the public was informed on Monday.
Const. Carol MacIsaac, a spokesperson for the police, said that they would not be commenting on possible suspects and noted their investigation is ongoing.
D’Entremont says that he hopes the new information prompts prosecutors to drop the charges against the 19-year-old.
“That would be the only reasonable thing to do here,” he said.
“What needs to happen is that we take a serious look at how this was allowed to happen.”
As of Monday, the province’s FOIPOP website has been shuttered for 25 days and there’s still no clear timetable for when it will be back online.
“It won’t be back online until all of our security is up and running and we know that it’s safe to go back online,” Arab said.
New FOIPOP requests must now be submitted by mail and Nova Scotia says that they will not be transferred to the applicant’s online account when the system comes back online.
“Once the system is up and running, the current plan would be that responses that are eligible for the Disclosure Log, regardless of how they were received, will be posted,” a spokesperson for the department of internal services told Global News last week.
The province says it is notifying 53 people who had sensitive personal information accessed, which could include birth dates, social insurance numbers and addresses. The 53 people would have already been impacted by the previously-discovered breach and already notified, so they are being notified again.
“There are multiple ongoing investigations and our main goal is to help support Nova Scotians in keeping their private and personal information secure,” said Patricia Arab, in a news release.
“We’re co-operating with police and will work closely with both the auditor general and the Information and Privacy Commissioner to assist them with their investigations. We want to make this right and we want Nova Scotians to once again have confidence that their information is secure.”
*With files from Natasha Pace and Rebecca Lau
© 2018 Global News, a division of Corus Entertainment Inc.