Police have closed the criminal investigation into the Nova Scotia data breach, deciding to not lay charges against the 19-year-old arrested last month in connection with the breach of the province’s Freedom of Information and Privacy (FOIPOP) website.
Police say that their investigation — which began on April 7 when they were informed of the breach — determined there are no grounds to lay charges in the matter.
“This was a high-profile case that potentially impacted many Nova Scotians,” said superintendent Jim Perrin.
“As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offence by accessing the information.”
Patricia Arab, the minister of internal services, says she respected decision in a statement on Monday.
“Halifax Regional Police have determined there are no grounds to follow through with charges,” Arab wrote.
“We will continue to offer supports for those affected by this breach. Our priority from the outset has been containing the data. As we go forward, we will cooperate fully with the investigation of the Nova Scotia Auditor General and the Office of the Information and Privacy Commissioner.”
The province said social insurance numbers, birth dates and personal addresses of multiple people were accessed when the government’s freedom of information web portal was accessed and 7,000 documents were inappropriately downloaded between March 3 and 5.
Some 250 of the documents contain highly sensitive personal information, such as birth dates, addresses and social insurance numbers.
The provincial government says it was informed of the breach on April 5 by a provincial employee after who realized it was possible to inadvertently access documents through the portal.
“The employee was involved in doing some research on the site and inadvertently made an entry to a line on the site — made a typing error and identified that they were seeing documents they should not have seen,” deputy minister Jeff Conrad told a technical briefing.
Officials said the documents were accessed through a “vulnerability in the system” and not through a hack. They said someone wrote a script of computer code that allowed them to sequentially access “every document available on the portal.”
“There’s no question, this was not someone just playing around,” Conrad said.
“It was someone who was intentionally after information that was housed on the site.”
WATCH: FOIPOP website still down as vendor contract nears expiration
This prompted the department of internal services to contact a third-party partner, Unisys, and take the website offline as the breach was investigated.
The province’s FOIPOP website remains offline — 32 days since it was first taken down. The province has said it doesn’t have a timetable for when it will come back online.
The breach was expanded on April 30, with the province reporting that private information was accessed 11 more times than it previously reported.
No new individuals were impacted in those 11 additional breaches.
Police reported on April 11 that they executed a search warrant at an address in Halifax, took a 19-year-old man into custody and seized a number of items.
The teen later told the CBC that his arrest had been carried out by approximately 15 officers.
The decision to charge the 19-year-old has been heavily criticized by the tech community in Canada. Critics say police “overreached” for something that is a common action in the technology field.
A crowdfunding campaign — backed by many in the tech field — has now raised $15,180 for the teen’s legal defence. Privacy lawyer David Fraser was set to lead the teen’s legal team.
Fraser has repeatedly said that the youth had no malicious intent and says he was happy to hear the news on Monday.
“As with most people who have looked into this case, it was clear to me from the beginning that there would be no reasonable prospect of a conviction given that fraudulent intent was required,” Fraser said in a pair of tweets.
“It has been an anxious few weeks and it is good to have this chapter closed. Those of us concerned with privacy and information security can now re-focus on the Q of how sensitive personal information was posted by the gov’t on a publicly available website, without security.”