Nova Scotia has yet to decide on new contract with company in charge of breached FOIPOP portal
Nova Scotia is remaining tight-lipped about the future of its relationship with the company tasked with maintaining the government’s online services, including a provincial website that has remained offline for the past 55 days.
The contract between Unisys and the Nova Scotia government is set to expire on June 30, and the department in charge of the government’s internal services says a decision has yet to be made.
“A decision will be made before that time,” Brian Taylor, a spokesperson for the department of internal services, wrote in an email.
This is despite the ongoing issues around the province’s Freedom of Information and Privacy (FOIPOP) Portal, which is used to request personal information as well as internal government documents and data.
The website has been offline since April 5, when the government first detected a data breach which had allowed the release of social insurance numbers, birth dates and personal addresses of multiple people.
The contracts in question involve a program created and sold by Ontario’s CSDC Sytems known as AMANDA, which is used to “manage the processing of business licensing, permits, registration, certificates, rebates and collections.”
Most of the province’s departments use or operate on an AMANDA system, including Agriculture, Community Services, Education and Early Childhood Development and Service Nova Scotia.
The program was adopted back in 1999 to centralize the province’s data storage and remove the need for eight separate databases, according to an auditor general’s report released in 2016.
The same report indicates the province pays Unisys roughly $4 million a year to handle security issues and technical services for the province — though it’s likely to be more since the adoption of the FOIPOP portal, which operates on an updated version of the program, known as AMANDA 7.
A pair of contracts, obtained through a freedom of information request, and dated March 29, 2016, and Dec. 19, 2016, respectively, detail the costs associated with the FOIPOP portal.
The contract, which is signed by Unisys and the department of internal services, which operates the FOIPOP portal, indicates that the introduction of the FOIPOP portal cost an additional $13,500 a month, or $162,000 a year.
WATCH: FOIPOP website still down as vendor contract nears expiration
As Global News reported last week, the issues with the AMANDA system that forced the FOIPOP portal to be taken offline require extensive changes in the program’s core code before it would able to be brought back online and function as intended.
Internal emails, also obtained under a freedom of information request, show that Unisys was tasked with finding a solution that would allow the FOI website to be put back online.
“This will be a short-term solution that limits functionality as CSDC (vendor) will have to modify their core AMANDA code to permanently fix this security issue,” one employee writes in an email detailing the solution provided to the province by Unisys.
The changes have now been delivered to the province but must still undergo rigorous testing before they are implemented — meaning that the province still has no timeline for when the FOIPOP website may come back online.
Despite the extensive changes, Taylor says that the province has not incurred any additional costs associated with the website being fixed.
“Neither Unisys nor CSDC has charged the province for any work associated with the changes to the AMANDA 7 FOI solution,” Taylor wrote in an email.
Deputy minister Jeff Conrad told media in a technical briefing in early April that documents were accessed through a “vulnerability in the system” and not through a hack. They said someone wrote a script of computer code that allowed them to sequentially access “every document available on the portal.”
Social insurance numbers, birth dates and personal addresses of multiple people were accessed as a result of the breach, with 7,000 documents inappropriately being downloaded.
Only 250 of the documents contained “highly sensitive” personal information.
The breach was then expanded on April 30, with the province reporting that private information was accessed 11 more times than it previously reported.
No new individuals were impacted in those 11 additional breaches.
Halifax Regional Police arrested a 19-year-old on April 11 after searching his home, but three weeks later issued a news release saying they would not charge the teen, as “the 19-year-old who was arrested … did not have intent to commit a criminal offence.”
Halifax police said the youth was arrested under a rarely used section of the Criminal Code that prohibits the unauthorized use of a computer with fraudulent intent.
The teen later told the CBC that his arrest had been carried out by approximately 15 officers.
The decision to charge the 19-year-old had been heavily criticized by the tech community in Canada. Critics say police “overreached” for something that is a common action in the technology field.
Search warrants indicate that a Nova Scotia civil servant told police somebody “hacked” into the province’s freedom-of-information website. This is despite information in the internal government documents indicating that the province understood the problem to be an issue and vulnerability with the AMANDA program and not by malicious intent.
Taylor says the government was following its protocols when reporting the breach to police.
“The department’s top priorities were first to try to contain the data, then work to inform and support those affected. The department reported the breach to police in an effort to contain and retrieve the information,” he wrote.
Two separate investigations into the government’s handling of its citizens’ privacy are still ongoing.
Catherine Tully, the province’s privacy and information commissioner, has also been informed of the breach and is now launching her own investigation into whether the department of internal services was in compliance with the province’s Freedom of Information and Protection of Privacy Act.
“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.
An investigation by Nova Scotia’s auditor general, Michael Pickup, is also underway. He’s set to perform an audit of the province’s privacy services.
Arab wrote that the two investigations will be supportive and complimentary of one another in a letter requesting the auditor general’s services.
© 2018 Global News, a division of Corus Entertainment Inc.