Sunday marked exactly 150 days since the Nova Scotia government took one of its websites offline as the result of a data breach that exposed social insurance numbers, birthdates and personal addresses to the general public.
In the more than five months that have passed, there have been few publicly visible changes to the province’s Freedom of Information and Protection of Privacy (FOIPOP) website.
The portal remains offline, displaying a “system unavailable” message to anyone who tries to access it. FOIPOP requests — used by journalists, academics, businesses and activists to obtain government information that is normally withheld from the public — have had to be filed the old-fashioned way by pen, paper and snail mail.
Answers about the status of the website have been limited at best, with government officials stating they would not bring the website back online until they were sure all information could be secured. Late last month, officials confirmed the FOIPOP portal would be brought back online “in the coming weeks.”
Here’s everything we know about the breach, the website and what has happened behind the scenes, detailed through internal emails, briefing documents and reports obtained through FOIPOP requests.
A worker at the Nova Scotia archives was the first to detect the breach. In an email sent on the evening of April 4, the employee described trying to re-enter a URL that linked to a released and redacted document he had previously accessed through the FOIPOP portal, but mistyping the address.
“Rather than going to another redacted, released document, I ended up seeing an incoming FOIPOP request … It seems that rather than being inside the government system, which in itself is a bit of a shaky practice, the materials are out there, seemingly unprotected, on the web,” the employee said.
Provincial officials quickly jumped into action, scrambling through April 5 to find a solution.
One official wrote that they should shut down the website “until we get a grip on things.”
Meddy Stanton, manager of the government’s information access program, quickly dispatched an email to Unisys, the company employed by the province to maintain the FOIPOP portal, which operates using a system known as AMANDA.
“This is a very serious and unexpected situation,” Stanton wrote in her email.
“There are serious breach and communications implications that must be managed by us and on a tight timeline.”
With no immediate solution available, the government yanked down the website at 8:15 a.m. It’s remained that way ever since.
Though there have been promises to find a short-term solution to the problem, emails indicate that a larger issue was at play in the data breach.
“This will be a short-term solution that limits functionality, as CSDC (the vendor which provided AMANDA to the province) will have to modify their core AMANDA code to permanently fix this security issue,” one employee writes in an email detailing the solution Unisys provided to the province.
At the time, the province said more than 7,000 documents were inappropriately downloaded as a result of the breach, while 369 of the documents contained “highly sensitive” personal information such as social insurance numbers, birthdates and personal addresses.
Of the 369 documents containing highly sensitive personal information, 273 (74 per cent) came from the Department of Community Services, which deals with income assistance, employment support and child and youth services.
Arrest of Halifax teenager
Halifax Regional Police arrested a 19-year-old on April 11 after searching his home, but three weeks later issued a news release saying they would not charge the teen, as “the 19-year-old who was arrested … did not have intent to commit a criminal offence.”
Halifax police said the young man was arrested under a rarely used section of the Criminal Code that prohibits the unauthorized use of a computer with fraudulent intent.
The teen later told CBC that his arrest had been carried out by approximately 15 officers.
The police’s initial decision to charge the 19-year-old drew heavy criticism from the tech community in Canada. Critics say police “overreached” for something that is a common action in the technology field.
Search warrants indicate that a Nova Scotia civil servant told police somebody “hacked” into the province’s freedom of information website; however, internal government documents indicate that the province understood the problem to be a vulnerability in the AMANDA program and not an attack with malicious intent.
Unisys contract renewed with conditions
Unisys, the company in charge of the portal, has since been offered a one-year contract extension at a cost of $120,000.
The new contract will separate control of the public disclosure portion of the site, and Unisys will no longer run that aspect of the portal.
Officials have told Global News the new FOIPOP website is being developed by Red Sky IT Solutions Ltd.
It will have limited features compared to what was available before the portal was taken down.
Individuals will once again be able to download publicly available documents, with features such as a payment system being developed separately and rolled out at a later date.
Two separate investigations into the government’s handling of its citizens’ privacy are still ongoing.
Catherine Tully, the province’s privacy and information commissioner, has also been informed of the breach and is now launching her own investigation into whether the Department of Internal Services was in compliance with the province’s Freedom of Information and Protection of Privacy Act.
“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.
An investigation by Nova Scotia auditor general Michael Pickup is also underway. He’s set to perform an audit of the province’s privacy services.