Still no timeline for fix of website at centre of N.S. data breach 40 days later

The Nova Scotia FOIPOP website has been shut down. Jeremy Keefe / Global News

It has been 40 days since the data breach at the freedom of information and privacy website run by the Nova Scotia government, and the province says there is still no timeline to bring the website back online.

“Testing continues on the web portal, with third party testing set to begin soon,” said Brian Taylor, a spokesperson for the Nova Scotia department of internal services, which is in charge of operating the online Freedom of Information and Protection of Privacy (FOIPOP) portal.

The FOIPOP website, which was originally breached between March 3 and March 5, was taken down on April 5, when government officials were first informed of the breach by a provincial employee who realized it was possible to inadvertently access documents through the portal.

It’s an event that sparked the search of a Halifax-area home and the arrest of a 19-year-old man by Halifax Regional Police (HRP), and that has prompted no apologies from Premier Stephen McNeil after he suggested the teen had stolen the information — despite police later determining the youth “did not have intent to commit a criminal offence.”

The data breach

According to deputy minister Jeff Conrad, the first breach was detected in April after an “employee was involved in doing some research on the site and inadvertently made an entry to a line on the site — made a typing error and identified that they were seeing documents they should not have seen.”

Officials said the documents were accessed through a “vulnerability in the system” and not through a hack. They said someone wrote a script of computer code that allowed them to sequentially access “every document available on the portal.”

However, search warrants indicate that a Nova Scotia civil servant told police somebody “hacked” into the province’s freedom-of-information website.

Social insurance numbers, birth dates and personal addresses of multiple people were accessed as a result of the breach, with 7,000 documents inappropriately being downloaded.

Only 250 of the documents contained “highly sensitive” personal information.

The scope of the breach was then expanded on April 30, when the province reported that private information had been accessed 11 more times than it previously reported.

No new individuals were impacted in those 11 additional breaches.

The province says that a timeline for the website coming back online could not be provided, as it is dependent on the ongoing and planned testing.

The province did not directly respond to questions about the problems with the FOIPOP portal, including whether it was possible for the website to function as intended: securing private information while allowing the general public to receive the FOIPOP requests.

“As [internal services minister Patricia Arab] previously stated, staff are also exploring options around returning the public information online separate from the FOI portal itself,” wrote

Arrest eventually dropped

Halifax Regional Police arrested a 19-year-old on April 11 after searching his home, but three weeks later issued a news release saying they would not charge the teen as “the 19-year-old who was arrested … did not have intent to commit a criminal offence.”

Halifax police said the youth was arrested under a rarely used section of the Criminal Code that prohibits the unauthorized use of a computer with fraudulent intent.

The teen later told the CBC that his arrest had been carried out by approximately 15 officers.

The decision to charge the 19-year-old had been heavily criticized by the tech community in Canada. Critics say police “overreached” for something that is a common action in the technology field.

Ongoing investigations

Two separate investigations into the government’s handling of its citizens’ privacy are still ongoing.

Catherine Tully, the province’s privacy and information commissioner, has also been informed of the breach and is now launching her own investigation into whether the department of internal services was in compliance with the province’s Freedom of Information and Protection of Privacy Act.

“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.

An investigation by Nova Scotia’s auditor general, Michael Pickup, is also underway. He’s set to perform an audit of the province’s privacy services.

Arab wrote that the two investigations will be supportive and complementary of one another in a letter requesting the auditor general’s services.
