High probability files downloaded in Nova Scotia privacy breach contained

Officials with Nova Scotia’s Internal Services Department say they have been told there is a “high probability” that 600 files downloaded in a breach of its freedom-of-information web portal last year have been contained.

According to a recent report by the province’s privacy commissioner, the documents were downloaded in a series of 11 breaches from internet addresses assigned to the Atlantic School of Theology (AST). The breach followed another larger breach involving almost 7,000 records containing personal information.

Internal Services deputy minister Jeff Conrad told the legislature’s public accounts committee Wednesday that an investigation by AST confirmed that none of the files found on their equipment were private in nature.

“AST has indicated to us that there is a very high probability that the 600 files downloaded there have been contained,” he said.

“AST also advised us that their investigation has concluded that the laptop used to access the 600 files and the information that was on that laptop has been destroyed.”

Tweet This Click to share quote on Twitter: "AST also advised us that their investigation has concluded that the laptop used to access the 600 files and the information that was on that laptop has been destroyed."

READ MORE: Nova Scotia’s ‘failure’ to carry out due diligence on FOIPOP website led to data breach: reports

He said the department is discussing with the privacy commissioner what additional steps are needed to confirm that containment has taken place.

Sandra Cascadden, the department’s chief information officer, said the department had carried out two sweeps of the internet and found that no documents were released.

“We have committed to do quarterly assessments for the next year just to make sure nothing appears on the internet as well, just to make sure that we are doing our due diligence,” said Cascadden.

Tweet This Click to share quote on Twitter: "We have committed to do quarterly assessments for the next year just to make sure nothing appears on the internet as well, just to make sure that we are doing our due diligence," said Cascadden.

WATCH: Police will not charge 19-year-old involved in Nova Scotia data breach, close investigation

1:30 Police will not charge 19-year-old involved in Nova Scotia data breach, close investigation

Reports by provincial auditor general Michael Pickup and privacy commissioner Catherine Tully said risk management around the web portal was inadequate.

Tully said the breaches were preventable and were caused by a “serious failure of due diligence” in the deployment of a new technology tool.

In an appearance before the committee last month, Tully said she was concerned the AST breach had yet to be contained.

READ MORE: Nova Scotia re-launches FOIPOP website after 152 days of being offline

Conrad told reporters the school had given his department an update on its investigation last week during which it disclosed its findings.

“This has just emerged in the last week,” he said.

“At the moment, we have no reason to think that AST wouldn’t be providing us with their best understanding, but we haven’t closed the file in terms of our own work.”

Tweet This Click to share quote on Twitter: "At the moment, we have no reason to think that AST wouldn't be providing us with their best understanding, but we haven't closed the file in terms of our own work."

The officials told the committee there is now heightened emphasis when it comes to cybersecurity within the department.

As an example, Cascadden said there are currently over 50 threat-risk assessments (TRAs) and the department is looking for consultants to help its own cybersecurity team get them done.

“We didn’t do 50 TRAs last fiscal year,” she told the committee.