A Nova Scotia government website at the centre of a data breach that resulted in the release of social insurance numbers, birth dates and personal addresses of multiple people will need extensive changes to its core code before it is able to be brought back online and function as intended, documents released under a freedom of information request show.
The information is gleaned from internal government emails and briefing notes written on April 5, the day the data breach was discovered by the province’s internal services department.
Headed by minister Patricia Arab and deputy minister Jeff Conrad, the department is in charge of administering the breached website, the Nova Scotia Freedom of Information and Privacy (FOIPOP) Portal, which is used to request personal information as well as internal government documents and data.
Requests for an on-camera interview with either Arab or Conrad were declined.
“As there is nothing further to add at this time, we are respectfully declining your interview request today,” Brian Taylor, a spokesperson for the department said in an email.
The emails released by the government confirm the timeline previously provided by the province — but provide more information on what exactly led to the report of the breach.
A worker at the Nova Scotia archives was the first to detect the breach. In an email sent on the evening of April 4, the employee attempted to re-enter a URL that linked to a released and redacted document he had previously accessed through the FOIPOP portal, but mistyped the address.
“Rather than going to another redacted released document I ended up seeing an incoming FOIPOP request … It seems that rather than being inside the government system, which in itself is a bit of a shaky practice, the materials are out there seemingly unprotected on the web,” the employee said.
“This isn’t what should be happening. I think you need to do something about this.”
Government officials, recognizing the seriousness of the issue, appear to have quickly jumped into action — scrambling throughout April 5 to try and find a solution.
One official wrote that they should shut the website down “until we get a grip on things.”
Meddy Stanton, the manager of the government’s information access program, quickly dispatched an email to Unisys, the company employed by the province to maintain the FOIPOP portal — which operates off a system known as AMANDA.
“This is a very serious and unexpected situation,” Stanton wrote in her email.
“There are serious breach and communications implications that must be managed by us, and on a tight timeline.”
With no immediate solution, the government yanked down the website at 8:15 a.m. It’s remained that way since then, displaying a message reading “Service Unavailable.”
At approximately 9:48 a.m., Stanton sent out another email, updating government officials about the issue and reporting that they’d sent one of their employees to work with Unisys on a solution.
“This is a very unexpected and shocking development. When the portal was being prepared for launch a year and a half ago, we were told that the only way a document can become public is if the Administrator actively selects the ‘public portal’ status field. All other documents in the system are supposed to be protected,” she wrote.
WATCH: More instances of ‘unusual activity’ found on N.S. freedom of information website
But a solution appears to not have been immediately available. Both Unisys and CSDC, the company who created and sold the AMANDA system, were dispatched to find a workaround.
Unisys was tasked with finding a solution that would allow the FOI website to be put back online.
“This will be a short term solution that limits functionality as CSDC (vendor) will have to modify their core AMANDA code to permanently fix this security issue,” one employee writes in an email detailing the solution provided to the province by Unisys.
But its now 48 days later and no permanent solution seems to be in sight. The FOIPOP website remains offline and the internal services department says there is still no timeline for when it may be revived.
Taylor, a spokesperson for internal services says that CSDC is scheduled to deliver their revised code sometime this week — but still need to undergo a “rigorous series of testing” by the province, vendor and third parties.
That still does not guarantee we’ll get the same system that was previously in place.
“As the Minister previously stated, staff are also exploring options around returning the public information online separate from the FOI portal itself.”
The information also raises questions about the information provided to police by government officials when they reported the data breach.
Halifax Regional Police arrested a 19-year-old on April 11 after searching his home, but three weeks later issued a news release saying they would not charge the teen, as “the 19-year-old who was arrested … did not have intent to commit a criminal offence.”
Halifax police said the youth was arrested under a rarely used section of the Criminal Code that prohibits the unauthorized use of a computer with fraudulent intent.
The teen later told the CBC that his arrest had been carried out by approximately 15 officers.
The decision to charge the 19-year-old had been heavily criticized by the tech community in Canada. Critics say police “overreached” for something that is a common action in the technology field.
Search warrants indicate that a Nova Scotia civil servant told police somebody “hacked” into the province’s freedom-of-information website. This is despite information in the internal government documents indicating that the province understood the problem to be an issue and vulnerability with the AMANDA program and not by malicious intent.
WATCH: FOIPOP website still down as vendor contract nears expiration
Deputy minister Jeff Conrad told media in a technical briefing in early April that documents were accessed through a “vulnerability in the system” and not through a hack. They said someone wrote a script of computer code that allowed them to sequentially access “every document available on the portal.”
Social insurance numbers, birth dates and personal addresses of multiple people were accessed as a result of the breach, with 7,000 documents inappropriately being downloaded.
Only 250 of the documents contained “highly sensitive” personal information.
The breach was then expanded on April 30, with the province reporting that private information was accessed 11 more times than it previously reported.
No new individuals were impacted in those 11 additional breaches.
Two separate investigations into the government’s handling of its citizens’ privacy are still ongoing.
Catherine Tully, the province’s privacy and information commissioner, has also been informed of the breach and is now launching her own investigation into whether the department of internal services was in compliance with the province’s Freedom of Information and Protection of Privacy Act.
“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.
An investigation by Nova Scotia’s auditor general, Michael Pickup, is also underway. He’s set to perform an audit of the province’s privacy services.
Arab wrote that the two investigations will be supportive and complementary of one another in a letter requesting the auditor general’s services.