A 152-day saga came to an end on Wednesday as the Nova Scotia government brought its Freedom of Information and Protection of Privacy (FOIPOP) website back online after it was revealed in April that a data breach had exposed social insurance numbers, birth dates and personal addresses to the general public.
The new website, developed by Red Sky IT Solutions Ltd., launched on Wednesday.
The new website does not currently have the same features its predecessor did.
FOIPOP requests, which are used by journalists, academics, businesses and activists to obtain government information that is normally withheld from the public, will still need be filed the old-fashioned way by pen, paper and snail mail.
Individuals will once again be able to download previously completed FOI requests, although features such as a payment system, are still being developed separately. Nova Scotia’s Department of Internal Services says those services will be rolled out at a later date.
“Only publicly released access to information requests are available on the site. The site does not host any personal information and is not connected to the case management system,” said a press release announcing the launch.
Any releases made since April 1 will soon be available on the site.
With the service at least partially restored, here’s everything we know about the breach, the website and what has happened behind the scenes, detailed through internal emails, briefing documents and reports obtained through FOIPOP requests.
A worker at the Nova Scotia archives was the first to detect the breach at the previous FOIPOP website.
In an email sent on the evening of April 4, the employee attempted to re-enter a URL that linked to a released and redacted document he had previously accessed through the FOIPOP portal but mistyped the address.
“Rather than going to another redacted, released document, I ended up seeing an incoming FOIPOP request … It seems that rather than being inside the government system, which in itself is a bit of a shaky practice, the materials are out there, seemingly unprotected, on the web,” the employee said.
“This isn’t what should be happening. I think you need to do something about this.”
Provincial officials quickly jumped into action, scrambling through April 5 to find a solution.
One official wrote that the government should shut down the website “until we get a grip on things.”
Meddy Stanton, manager of the government’s information access program, quickly dispatched an email to Unisys, the company employed by the province, to maintain the FOIPOP portal, which operates using a system known as AMANDA.
“This is a very serious and unexpected situation,” Stanton wrote in her email.
“There are serious breach and communications implications that must be managed by us and on a tight timeline.”
WATCH: N.S. has yet to decide on new contract with company in charge of breached FOIPOP portal
With no immediate solution available, the government yanked down the website at 8:15 a.m. It’s remained that way ever since.
Though there have been promises to find a short-term solution to the problem, emails indicate that a larger issue was at play in the data breach.
“This will be a short-term solution that limits functionality, as CSDC (the vendor which provided AMANDA to the province) will have to modify their core AMANDA code to permanently fix this security issue,” one employee writes in an email detailing the solution Unisys provided to the province.
At the time, the province said more than 7,000 documents were inappropriately downloaded as a result of the breach, while 369 of the documents contained “highly sensitive” personal information such as social insurance numbers, birth dates and personal addresses.
Of the 369 documents containing highly sensitive personal information, 273 (74 per cent) came from the Department of Community Services, which deals with income assistance, employment support and child and youth services.
Arrest of Halifax teenager
Halifax Regional Police arrested a 19-year-old on April 11 after searching his home, but three weeks later issued a news release saying they would not charge the teen, as “the 19-year-old who was arrested … did not have intent to commit a criminal offence.”
Halifax police said the young man was arrested under a rarely used section of the Criminal Code that prohibits the unauthorized use of a computer with fraudulent intent.
The teen later told CBC that his arrest had been carried out by approximately 15 officers.
The police’s initial decision to charge the 19-year-old drew heavy criticism from the tech community in Canada. Critics say police “overreached” for something that is a common action in the technology field.
Search warrants indicate that a Nova Scotia civil servant told police somebody “hacked” into the province’s freedom of information website, however internal government documents indicate that the province understood the problem to be an issue regarding vulnerability in the AMANDA program and not an attack with malicious intent.
Two separate investigations into the government’s handling of its citizens’ privacy are still ongoing.
Catherine Tully, the province’s privacy and information commissioner, has also been informed of the breach and is now launching her own investigation into whether the Department of Internal Services was in compliance with the province’s Freedom of Information and Protection of Privacy Act.
“The investigation will focus in particular on the adequacy of the security of the system,” wrote Tully in a press release.
An investigation by Nova Scotia auditor general Michael Pickup is also underway. He’s set to perform an audit of the province’s privacy services.