It has been 76 days since the Nova Scotia government took down one of their websites after a data breach exposed multiple people’s private information, and on Tuesday the government confirmed that there is still no timeline for when that page will be back online.
“It depends on the results of the testing,” said Brian Taylor, spokesperson for the department of internal services, who are responsible for the Freedom of Information and Protection of Privacy Portal (FOIPOP) that was breached earlier this year.
“Staff received a new revised update on June 14 for another round of testing to begin. This is the cycle of update, test, update, test, that will continue until we are confident that the system is secure and working as it should.”
The FOIPOP website, which was originally breached between March 3 and March 5, was taken down on April 5 when government officials were first informed of the breach by a provincial employee after they realized it was possible to inadvertently access documents through the portal.
It’s an event that sparked the search of a Halifax-area home, the arrest of a 19-year-old man by Halifax Regional Police (HRP) and that has prompted no apologies from Premier Stephen McNeil after he suggested the teen had stolen the information — despite police later determining the youth “did not have intent to commit a criminal offence.”
Deputy minister Jeff Conrad told media in a technical briefing in early April that documents were accessed through a “vulnerability in the system” and not through a hack. They said someone wrote a script of computer code that allowed them to sequentially access “every document available on the portal.”
A worker at the Nova Scotia archives was the first to detect the breach, according to documents obtained under a freedom of information request.
In an email sent on the evening of April 4, the employee — whose name is redacted — attempted to re-enter a URL that linked to a released and redacted document he had previously accessed through the FOIPOP portal, but mistyped the address.
“Rather than going to another redacted released document I ended up seeing an incoming FOIPOP request … It seems that rather than being inside the government system, which in itself is a bit of a shaky practice, the materials are out there seemingly unprotected on the web,” the employee said.
“This isn’t what should be happening. I think you need to do something about this.”
WATCH: N.S. has yet to decide on new contract with company in charge of breached FOIPOP portal
Social insurance numbers, birth dates and personal addresses of multiple people were accessed as a result of the breach, with 7,000 documents inappropriately being downloaded.
Only 250 of the documents contained “highly sensitive” personal information.
The breach was then expanded on April 30, with the province reporting that private information was accessed 11 more times than it previously reported.
No new individuals were impacted in those 11 additional breaches.
Nova Scotia has also remained tight-lipped about the future of its relationship with the company tasked with maintaining the government’s online services — including the FOIPOP system.
The contract between Unisys and the Nova Scotia government is set to expire on June 30, and the department in charge of the government’s internal services says a decision has yet to be made.
The department of internal services has even alluded to the fact that the format of the FOIPOP system — when it returns — may be different.
“As the Minister previously stated, staff are also exploring options around returning the public information online separate from the FOI portal itself,” Taylor said.
Two separate investigations into the government’s handling of its citizens’ privacy are still ongoing.
Catherine Tully, the province’s privacy and information commissioner, has also been informed of the breach and is now launching her own investigation into whether the department of internal services was in compliance with the province’s Freedom of Information and Protection of Privacy Act.
“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.
An investigation by Nova Scotia’s auditor general, Michael Pickup, is also underway. He’s set to perform an audit of the province’s privacy services.
Arab wrote that the two investigations will be supportive and complimentary of one another in a letter requesting the auditor general’s services.
Opposition parties have said that the government has restricted their ability to pose questions to department heads after repeatedly squashing Public Accounts motions.
Premier Stephen McNeil expressed his confidence in how the Public Accounts Committee is performing, pointing to the frequency of its meetings, which he says are the highest in the country.
However, when questioned on why members of his party would defeat opposition motions to call on departments recently steeped in controversy, McNeil indicated he wasn’t aware of such situations.
“I don’t know what departments were stopped,” said McNeil. “So I don’t know the issue around that.”