It has been 40 days since the data breach at the freedom of information and privacy website run by the Nova Scotia government, and the province says there is still no timeline to bring the website back online.
“Testing continues on the web portal, with third party testing set to begin soon,” said Brian Taylor, a spokesperson for the Nova Scotia department of internal services, which is in charge of operating the online Freedom of Information and Protection of Privacy (FOIPOP) portal.
The FOIPOP website, which was originally breached between March 3 and March 5, was taken down on April 5 when government officials were first informed of the breach by a provincial employee after they realized it was possible to inadvertently access documents through the portal.
It’s an event that sparked the search of a Halifax-area home, the arrest of a 19-year-old man by Halifax Regional Police (HRP) and that has prompted no apologies from Premier Stephen McNeil after he suggested the teen had stolen the information — despite police later determining the youth “did not have intent to commit a criminal offence.”
The data breach
According to deputy minister Jeff Conrad, the first breach was detected in April after an “employee was involved in doing some research on the site and inadvertently made an entry to a line on the site — made a typing error and identified that they were seeing documents they should not have seen.”
Officials said the documents were accessed through a “vulnerability in the system” and not through a hack. They said someone wrote a script of computer code that allowed them to sequentially access “every document available on the portal.”
However, search warrants indicate that a Nova Scotia civil servant told police somebody “hacked” into the province’s freedom-of-information website.
Social insurance numbers, birth dates and personal addresses of multiple people were accessed as a result of the breach, with 7,000 documents inappropriately being downloaded.
Only 250 of the documents contained “highly sensitive” personal information.
The breach was then expanded on April 30, with the province reporting that private information was accessed 11 more times than it previously reported.
No new individuals were impacted in those 11 additional breaches.
WATCH: Police will not charge 19-year-old involved in Nova Scotia data breach, close investigation
The province says that a timeline for the website coming back online could not be provided, as it is dependent on the ongoing and planned testing.
They did not directly respond to questions about the problems regarding the FOIPOP portal, including whether it was possible for the website to function as they intended to — to secure private information while being able to allow the general public to receive the FOIPOP requests.
Arrest eventually dropped
Halifax Regional Police arrested a 19-year-old on April 11 after searching his home, but three weeks later issued a news release saying they would not charge the teen as “the 19-year-old who was arrested … did not have intent to commit a criminal offence.”
Halifax police said the youth was arrested under a rarely used section of the Criminal Code that prohibits the unauthorized use of a computer with fraudulent intent.
The teen later told the CBC that his arrest had been carried out by approximately 15 officers.
The decision to charge the 19-year-old had been heavily criticized by the tech community in Canada. Critics say police “overreached” for something that is a common action in the technology field.
Two separate investigations into the government’s handling of it’s citizens privacy are still ongoing.
Catherine Tully, the province’s privacy and information commissioner has also been informed of the breach, and is now launching her own investigation into whether the department of internal services was in compliance with province’s Freedom of Information and Protection of Privacy Act.
“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.
An investigation by Nova Scotia’s auditor general, Michael Pickup, is also underway. He’s set to perform an audit of the province’s privacy services.
Arab wrote that the two investigations will be supportive and complementary of one another in a letter requesting the auditor general’s services.