Saturday marks the 100th day since the Nova Scotia government took down one of its websites after the provincial government discovered a data breach had exposed multiple people’s private information — including Social insurance numbers, birth dates and personal addresses — to the general public.
On Friday the government said that it has no update on the freedom of Information and Protection of Privacy Portal (FOIPOP) “at this time.”
The FOIPOP website, which was originally breached between March 3 and March 5, was taken down on April 5 when officials with the internal services department — which is responsible for the FOIPOP website — were first informed of the breach by a provincial employee that it was possible to inadvertently access documents through the portal.
It’s an event that sparked the search of a Halifax-area home, the arrest of a 19-year-old man by Halifax Regional Police (HRP) and that has prompted no apologies from Premier Stephen McNeil after he suggested the teen had stolen the information — despite police later determining the youth “did not have intent to commit a criminal offence.”
WATCH: Breached N.S. government website to receive changes to ‘core’ code to be fixed
Deputy minister Jeff Conrad told media in a technical briefing in early April that documents were accessed through a “vulnerability in the system” and not through a hack. They said someone wrote a script of computer code that made it possible to sequentially access “every document available on the portal.”
A worker at the Nova Scotia archives was the first to detect the breach, according to documents obtained under a freedom of information request.
In an email sent on the evening of April 4, the employee — whose name is redacted — attempted to re-enter a URL that linked to a released and redacted document he had previously accessed through the FOIPOP portal, but mistyped the address.
“Rather than going to another redacted released document I ended up seeing an incoming FOIPOP request. … It seems that rather than being inside the government system, which in itself is a bit of a shaky practice, the materials are out there seemingly unprotected on the web,” the employee said.
“This isn’t what should be happening. I think you need to do something about this.”
Roughly 7,000 documents were inappropriately downloaded as a result of the breach, while only 250 of the documents contained “highly sensitive” personal information.
The breach was then expanded on April 30, with the province reporting that private information was accessed 11 more times than it previously reported.
No new individuals were impacted in those 11 additional breaches.
Contract renewed with conditions
The company in charge of the portal — Unisys — has been offered a one-year extension at a cost of $120,000.
The new contract will separate control of the public disclosure portion of the site, and Unisys will no longer run that aspect of the portal.
“We didn’t feel that it was an appropriate partnering,” said Internal Services Minister Patricia Arab at the end of June.
“So we’re looking to have something along the lines of our Open Data website.”
That website is run by Socrata. The province says it will sole-source a contract to run the public disclosure portion of the FOIPOP site but will not say whether Socrata is going to be tapped for that work.
“One year, hopefully, will give us the time for the (FOIPOP) site to see how we’re going to proceed,” Arab said.
“The back end, which is the part that was renewed, allows our (FOIPOP) staff to continue to process requests in a more efficient way. Instead of manually, they have the ability, the software, to collect the information, redact if necessary and then get it out to the requestor.”
The province says Unisys and a third party are still testing the electronic filing portion of the site and there is no timeline for it to be back online. There are no timelines set out in the new contract, either.
“Now that we’re looking at a new way to release public information, I hope to get that up as soon as possible and I hope to have an update on how it will be moving forward in the next week or so,” Arab said.
WATCH: Opposition demands answers on FOI website
Two separate investigations into the government’s handling of its citizens’ privacy are still ongoing.
Catherine Tully, the province’s privacy and information commissioner, has also been informed of the breach and is now launching her own investigation into whether the department of internal services was in compliance with the province’s Freedom of Information and Protection of Privacy Act.
“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.
An investigation by Nova Scotia’s auditor general, Michael Pickup, is also underway. He’s set to perform an audit of the province’s privacy services.
Arab wrote that the two investigations will be supportive and complementary of one another in a letter requesting the auditor general’s services.
— With files from Sarah Ritchie and The Canadian Press