A pair of oversight bodies have slammed the Nova Scotia government and the departments that oversee its information technology (IT) infrastructure, issuing two reports on Tuesday that blamed data breaches on the government’s “poor overall project management” and a “serious failure of due diligence.”
Nova Scotia’s Office of the Information and Privacy Commissioner (OIPC) and Auditor General (AG) released reports on Tuesday that examined a series of privacy breaches that plagued the Freedom of Information and Protection of Privacy (FOIPOP) website in the spring of 2018.
The breaches exposed 7,000 documents containing personal information such as social insurance numbers, personal addresses, child custody documents, medical information and proprietary business information.
The breaches forced the government to pull down the FOIPOP website, used by journalists, academics, politicians, businesses and activists to obtain government information that is normally withheld from the public, on April 5, 2018.
The website was only partially restored 152 days later. The ability to file a freedom of information request removed.
Privacy commissioner says breaches were ‘preventable’
Catherine Tully, the province’s information and privacy commissioner, writes in her report that the “immediate cause of the privacy breaches was a design flaw” in the FOIPOP website.
“The flaw was created by a well known and foreseeable vulnerability that was not detected by the Department of Internal Services … prior to launching the [FOIPOP website],” Tully writes.
She concludes that the breaches were preventable and were caused by a serious “failure of due diligence” by the province when deploying a new technology.
“Taking the time to diligently assess a tool at all stages of a project is fundamental to ensuring that personal information held by government is respected and protected,” Tully writes.
The commissioner questioned why even months after the breach, employees in the department have “erroneous understandings about the nature of the breaches, their root cause and how to prevent them from occurring again.”
“One employee expressed the view during our investigation that the cause of the breaches was individuals using the website in a way that was not intended and maintained the view that the unauthorized downloads were theft,” Tully wrote.
Further issues are highlighted in a reference to Unisys, the company responsible for maintaining the government’s online services, and the supplier of the AMANDA 7 platform that was used to administer applications on the FOIPOP website.
“One employee expressed that her lesson learned was she hoped not to have to work with Unisys again,” Tully wrote.
WATCH: Privacy ombudsman offers rebuke of N.S. premier’s claim to most transparent province in Canada
Of the 7,000 documents accessed in the breach, it was later determined that 369 of the documents contained “highly sensitive” personal information such as social insurance numbers, birth dates and personal addresses.
The commissioner highlights the personal nature of the breach. The complainant, who is unnamed in the report, had reportedly applied for access to her own personal information held by the Department of Community Services. The data included detailed information about the applicant’s information as well as several family members and included social insurance numbers and details of government involvement with the family.
“The complainant described a sense of extreme violation provoked by learning that this highly sensitive personal information was not protected and was breached by an unknown individual. Not knowing the status of who had the documents and what was done with them caused severe anxiety,” Tully writes.
“In addition, this applicant informed our office that while she had received notification of the breach, other individuals mentioned in the documents did not.”
In total, the FOIPOP website was breached at least 12 separate times. The first breach, detected by the government on April 7, resulted in Halifax Regional Police arresting a 19-year-old teen.
Police later decided against laying charges.
“As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offence by accessing the information,” said Superintendent Jim Perrin, at the time.
However, further analysis by the government revealed 11 more breaches of the FOIPOP website.
Tully’s report indicates that the 11 additional breaches originated from IP addresses assigned to the Atlantic School of Theology, with evidence pointing it to be the work of one person.
However, those breaches remain uncontained, with the 619 documents accessed by the individual being downloaded to a personal computer.
Those documents have still not been recovered by the Nova Scotia government and she says the government needs to take further steps to notify those affected by the 11 breaches from Atlantic School of Theology.
Recommendations and fallout
Tully’s report includes six recommendations for the Department of Internal Services:
- Strengthen privacy leadership in government and due diligence in the privacy impact assessment process
- Take immediate steps to contain the 11 breaches from the Atlantic School of Theology
- Take all reasonable steps necessary to notify individuals affected by the 11 breaches from the Atlantic School of Theology
- Conduct an internal review to ensure the Internal Services Department fully understands the causes of these breaches and has identified all reasonable steps needed to prevent future errors
- Conduct an inventory of technology solutions, devices and applications across the government and rate their vulnerabilities while creating a plan to mitigate cybersecurity vulnerabilities
- Clarify and strengthen the role of the Architecture Review Board
All of the commissioner’s recommendations have been accepted by the Nova Scotia government.
Tully concludes her report with a warning and final recommendation: Nova Scotia must modernize its privacy laws.
The province’s FOIPOP ACT has not been updated since it was created 25 years ago and Tully highlights that she has urged Premier Stephen McNeil to modernize the legislation since 2017.
But with the government’s failure to implement any of her recommendations around modernizing the act, Tully has published a letter calling for action.
“With each privacy breach that occurs, the need to modernize our privacy laws becomes more acute,” Tully writes in the letter.
“Once again, I recommend that it is time, indeed past time, to complete a thorough update of our access and privacy laws.”
WATCH: McNeil defends right to ignore a request from privacy commissioner
Auditor General slams government
In his report released on Tuesday, AG Michael Pickup says the breach was a “very clear example” of what can happen when government doesn’t protect the personal information entrusted to it.
Pickup says the inappropriate disclosure of personal information wasn’t surprising given the extent of the failures uncovered, including poor overall project management.
“Risks had not been appropriately assessed at the start of the projects and even some risks that had been identified did not have plans in place to manage the risk,” Pickup writes.
The AG harshly criticizes the government’s approach to privacy assessments, with the Department of Internal Services referencing its “lengthy relationship” with the vendor as factors in the risk assessment that ultimately determined the risk was “low.”
The government also failed to complete a threat risk assessment, determining that they would do it at a later date as they implemented an upgrade on the AMANDA software.
“Implementing a project without mitigating the risks of not having completed a threat risk assessment, leaves systems vulnerable,” Pickup concludes. “Risks around data integrity and unauthorized disclosure of personal information would be unknown.”
Pickup’s report has five recommendations for the government.
- The Department of Internal Services should conduct comprehensive risk assessments for IT projects prior to implementation.
- The Department of Internal Services should clearly define the scope of responsibilities of the Architecture Review Board
- The Department of Internal Services should establish criteria to ensure adequate project management expertise is in place for all projects.
- The Department of Internal Services should establish a process to ensure and document vendor compliance with contract terms at all stages of a contract.
- The Department of Internal Services should ensure contracts with vendors include service expectations and financial obligations.
The government says in a statement issued on Tuesday that they have accepted “all recommendations” from both reports.
“From day one, our top concern has been containing the information, learning from this incident and applying those learnings to all our processes,” said Minister of Internal Services Patricia Arab.
“I appreciate the work that went into these reports. All of the information and recommendations provided will help strengthen our work going forward and better protect the information of Nova Scotians.”
The government has also developed an action plan to respond to the recommendations.
Arab said at a press conference on Tuesday that she has faith that her department will implement the necessary changes.
Despite a call from the Opposition for Arab to resign, the minister said on Tuesday that she had no plans to step down.
With files from The Canadian Press