Officials with Nova Scotia’s Internal Services Department say they have been told there is a “high probability” that 600 files downloaded in a breach of its freedom-of-information web portal last year have been contained.
According to a recent report by the province’s privacy commissioner, the documents were downloaded in a series of 11 breaches from internet addresses assigned to the Atlantic School of Theology (AST). The breach followed another larger breach involving almost 7,000 records containing personal information.
Internal Services deputy minister Jeff Conrad told the legislature’s public accounts committee Wednesday that an investigation by AST confirmed that none of the files found on their equipment were private in nature.
“AST has indicated to us that there is a very high probability that the 600 files downloaded there have been contained,” he said.
“AST also advised us that their investigation has concluded that the laptop used to access the 600 files and the information that was on that laptop has been destroyed.”
He said the department is discussing with the privacy commissioner what additional steps are needed to confirm that containment has taken place.
Sandra Cascadden, the department’s chief information officer, said the department had carried out two sweeps of the internet and found that no documents were released.
“We have committed to do quarterly assessments for the next year just to make sure nothing appears on the internet as well, just to make sure that we are doing our due diligence,” said Cascadden.
Reports by provincial auditor general Michael Pickup and privacy commissioner Catherine Tully said risk management around the web portal was inadequate.
Tully said the breaches were preventable and were caused by a “serious failure of due diligence” in the deployment of a new technology tool.
In an appearance before the committee last month, Tully said she was concerned the AST breach had yet to be contained.
Conrad told reporters the school had given his department an update on its investigation last week during which it disclosed its findings.
“This has just emerged in the last week,” he said.
“At the moment, we have no reason to think that AST wouldn’t be providing us with their best understanding, but we haven’t closed the file in terms of our own work.”
The officials told the committee there is now heightened emphasis when it comes to cybersecurity within the department.
As an example, Cascadden said there are currently over 50 threat-risk assessments (TRAs) and the department is looking for consultants to help its own cybersecurity team get them done.
“We didn’t do 50 TRAs last fiscal year,” she told the committee.