Nova Scotia’s business development agency has revealed that its website contained the personal information of multiple people while it was infected with malware and several attempts were made to inappropriately access the data in April, contradicting what the Crown corporation has previously told Global News.
Shawn Hirtle, director of communications and public affairs for Nova Scotia Business Inc. (NSBI), said on Sept. 12 in Halifax that no evidence was found to show that any personal information was successfully accessed, and that the malware files had gone unnoticed on the website since as early as 2012.
“While we did see that someone was attempting to access data through our system, the safeguards within the website itself stopped that from happening, so we feel good about that fact,” he said.
The website was shut down on April 19 because spam-filled cached web pages appearing to be of the website were found redirecting visitors to porn websites, he said. It was relaunched malware-free the next month.
Hirtle previously said there wasn’t any personal information stored on the website. He said this month that he was mistaken.
Malware first installed as early as 2012
The 2,351 files with personal information on the website date back to 2016. Each file contained different amounts of personal information, including names, IP addresses, and phone numbers. Twenty files included information on people’s dietary requirements.
The information was collected through the website’s contact form, which has sections for the user to identify their first and last names, company, title, email address, phone number, and website, among other information.
The malware, described as a “PHP Spy” by Hirtle, was contained in two files from an unknown third party. The corporation put the files on its website sometime between 2012 and 2016, in the location where it stores photos and images for its storytelling section.
The website used the WordPress content management system before switching to Drupal in 2016, and those files survived the transition.
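As an added illustration, not code from NSBI, Global News or either CMS, here is a small Python check of the kind that would have flagged the situation described above: it scans a media directory for files a web server could execute, or image-named files whose bytes begin with a PHP tag, and compares a hash inventory against a baseline taken when the site was known to be clean (a CMS migration being an obvious moment to record one). Directory names, file names and file contents are constructed for the demonstration.

```python
"""Scan a CMS media directory for files that do not belong there.

Added example for the article above, not NSBI's or either CMS's code.
Media directories should hold only media, so a periodic scan that flags
script files, or image-named files that start with a PHP tag, catches
planted files, and a hash inventory shows when something new appeared.
All sample files below are constructed.
"""
import hashlib
import os
import tempfile

# Extensions a PHP-enabled web server may execute; none belong among images.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps"}

# Leading bytes we expect for the image types the site stores.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# Constructed sample tree: benign images first, then two planted files.
BENIGN_FILES = {
    "stories/cover.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "stories/team.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "stories/logo.gif": b"GIF89a" + b"\x00" * 32,
}
PLANTED_FILES = {
    "stories/img.php": b"<?php /* constructed placeholder for a planted script */ ?>",
    "stories/thumb.jpg": b"<?php /* constructed placeholder, image name, script body */ ?>",
}


def classify_file(path):
    """Return a reason string if the file is suspicious, otherwise None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if ext in SCRIPT_EXTENSIONS:
        return "script extension in media directory"
    if b"<?php" in head or b"<?=" in head:
        return "PHP open tag inside a non-script file"
    magic = IMAGE_MAGIC.get(ext)
    if magic is not None and not head.startswith(magic):
        return "image extension but content is not %s" % ext
    return None


def scan_media_dir(root):
    """Walk root and return {relative_path: reason} for every suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify_file(full)
            if reason:
                findings[os.path.relpath(full, root)] = reason
    return findings


def inventory(root):
    """SHA-256 of every file, keyed by relative path, for change detection."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_inventory(baseline, current):
    """Paths added or modified since the baseline inventory was taken."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


def write_files(root, mapping):
    """Create the constructed sample files under root."""
    for rel, data in mapping.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Baseline a clean tree, plant two files, then scan and diff.

    Returns (findings, changed_paths).
    """
    with tempfile.TemporaryDirectory() as root:
        write_files(root, BENIGN_FILES)
        baseline = inventory(root)           # recorded while the site is known clean
        write_files(root, PLANTED_FILES)     # something appears later
        findings = scan_media_dir(root)
        changed = diff_inventory(baseline, inventory(root))
    return findings, changed


if __name__ == "__main__":
    found, new_or_changed = demo()
    for path, reason in sorted(found.items()):
        print("FLAG %s: %s" % (path, reason))
    print("changed since baseline:", new_or_changed)
```

Run against a real site, the inventory would be stored outside the web root and the scan scheduled; the point of the baseline is that a file which "can't be dated" becomes datable the first time a run reports it.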
Hirtle said he first found the cached pages during the week the website was taken down.
“Someone was able to access this PHP file, exploit it,” he said.
“Our research showed us that there was some suspicious activity, three IP addresses originating out of the United States, Hong Kong, and Russia, certainly doing something with our website.”
When asked if the corporation believes the files were put on its website purposefully, Hirtle said, “There’s really no way for us to know.”
He said he wanted to stress that the malware was dormant up until April.
“Why was it not noticed earlier?” a Global News journalist asked Hirtle.
“It’s a good question,” Hirtle responded.
“Any answer to that?” the journalist asked.
“No,” Hirtle said.
No further investigation planned
Hirtle also said that no investigation is planned into why the files went unnoticed for up to six years before they were used in the break-in attempts.
“They can’t even say how long it’s been there, so that says to me that there’s no monitoring in place. Nobody’s looking at these systems to make sure they’re secure,” Evan d’Entremont, an information security specialist, said on Wednesday.
He said it doesn’t appear to have been a sophisticated attack, and where the malware came from doesn’t matter to him much.
“What they probably should be doing is a more proactive response where they’re able to stop this kind of thing from happening to begin with,” d’Entremont said in an interview on Sept. 12.
Google’s cached pages are based on how a site appears at a specific time, so whatever content appears in the cached version should have appeared on the site in question. However, Hirtle said NSBI’s website didn’t contain the content observed in the cached pages on Google.
A review of the malware and of the attempts to get at the personal information was conducted by the corporation’s IT team and third-party website experts. The review found that the attempts, which Hirtle quantified as “a few,” to use the malware to access the personal files dated back to as early as April 8, he said.
The exact details about how the files ended up on the website, including the person or people responsible, are not being pursued further, he said.
“Anything that exists for that amount of time leads to the questions about what can we do in terms of tracking these things and identifying any time malware is existing on any one of our sites,” Geoff MacLellan, the provincial minister responsible for NSBI, said on Sept. 13.
He added that the government always wants to improve security and it takes every step it can to do so.
“They have measures in place and protocols,” MacLellan said, referring to NSBI.
“If they have done their diligence on this, and they’re looking for communications to their IT officials and they deem this to not be a threat, then I’ve got to trust that they’re doing the right thing.”
Nur Zincir-Heywood, a Dalhousie University computer science professor, said earlier that day that this kind of malware can be dangerous because it can collect information on the computer that it hacked into.
She said a best practice is to analyze what happened that led to an attack. One way to prevent attacks from happening again is to have regular audits, both the internal and the external varieties, she said, using the analogy of a child learning to walk.
“We have to keep checking it because this system is going to fall and, as parents, we will raise the child up and make sure the same fall will not happen again, but another fall can happen,” Zincir-Heywood said.