Nova Scotia privacy website at centre of data breach to be brought back online ‘in the coming weeks’
A Nova Scotia website that has remained offline for more than 130 days after being shut down by the provincial government is set to be brought back online “in the coming weeks,” according to a spokesperson for Nova Scotia’s Department of Internal Services.
However, the features of the Freedom of Information and Protection of Privacy Portal (FOIPOP) website will be limited compared to what was available when it was taken down.
Brian Taylor told Global News that people will once again be able to download publicly available documents from the retooled FOIPOP website — which is being developed by Red Sky IT Solution Ltd.
“We will then look to add other features in the following months,” Taylor said in an email, adding that the payment portion of the website is being developed separately and is still going through “rigorous testing and validation.”
The FOIPOP website, which was originally breached between March 3 and March 5, was taken down on April 5 when officials with the Department of Internal Services — which is responsible for the FOIPOP website — was first informed by a provincial employee that it was possible to inadvertently access documents through the portal.
At the time, the province said more than 7,000 documents were inappropriately downloaded as a result of the breach, while 369 of the documents contained “highly sensitive” personal information such as social insurance numbers, birth dates and personal addresses.
As of Monday, the FOIPOP website has been offline for 137 days.
Deputy minister Jeff Conrad told media in a technical briefing in early April that documents were accessed through a “vulnerability in the system” and not through a hack. They said someone wrote a script of computer code that made it possible to sequentially access “every document available on the portal.”
A worker at the Nova Scotia archives was the first to detect the breach, according to documents obtained under a freedom-of-information request.
In an email sent on the evening of April 4, the employee — whose name is redacted — attempted to re-enter a URL that linked to a released and redacted document he had previously accessed through the FOIPOP portal, but mistyped the address.
“Rather than going to another redacted released document, I ended up seeing an incoming FOIPOP request… It seems that rather than being inside the government system, which in itself is a bit of a shaky practice, the materials are out there seemingly unprotected on the web,” the employee said.
“This isn’t what should be happening. I think you need to do something about this.”
Police reported on April 11 that they executed a search warrant at an address in Halifax, took a 19-year-old man into custody and seized a number of items — only to drop the charges in May.
Police say that their investigation determined there were no grounds to lay charges in the matter.
The breach was then expanded on April 30, with the province reporting that private information was accessed 11 more times than it previously reported.
No new individuals were impacted in those 11 additional breaches.
WATCH: Police will not charge 19-year-old involved in Nova Scotia data breach, close investigation
Contract renewed with conditions
The company in charge of the portal — Unisys — has been offered a one-year extension at a cost of $120,000.
The new contract will separate control of the public disclosure portion of the site, and Unisys will no longer run that aspect of the portal.
“One year, hopefully, will give us the time for the [FOIPOP] site to see how we’re going to proceed,” said Minister of Internal Services Patricia Arab.
“The back end, which is the part that was renewed, allows our [FOIPOP] staff to continue to process requests in a more efficient way. Instead of manually, they have the ability, the software, to collect the information, redact if necessary and then get it out to the requestor.”
Two separate investigations into the government’s handling of its citizens’ privacy are still ongoing.
Catherine Tully, the province’s privacy and information commissioner, has also been informed of the breach and is now launching her own investigation into whether the Department of Internal Services was in compliance with the province’s Freedom of Information and Protection of Privacy Act.
“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.
An investigation by Nova Scotia’s auditor general, Michael Pickup, is also underway. He’s set to perform an audit of the province’s privacy services.
Arab wrote in a letter requesting the auditor general’s services saying that the two investigations will be supportive and complementary of one another.
— With files from Sarah Ritchie and The Canadian Press
© 2018 Global News, a division of Corus Entertainment Inc.