The government’s cozy and “highly-dependent” relationship with systems service provider Unisys opened up some big holes in Nova Scotia’s IT security.
So says a damning auditor general report from 2016 conducted on the same database system used for Nova Scotia’s recently breached Freedom of Information web portal.
The purpose of the audit was to investigate how much control the department of Internal Services had over its computer system, AMANDA, which stores the private information of thousands of Nova Scotians. The results were less than stellar.
“AMANDA and its supporting systems have settings that do not fully meet the province’s IT security standards,” concludes auditor general Michael Pickup. “We found weak passwords, weak failed login settings and other settings, which should be improved. We also found that departments are not properly managing employees’ AMANDA access permissions.”
The AMANDA software is an off-the-shelf computer system purchased by Nova Scotia from Ontario’s CSDC Systems. Prior to its implementation in the late ‘90s, the province relied on eight different computer databases for managing licenses, permits and other personal information processed by agencies like Tourism Nova Scotia, the Workers’ Compensation Board and the Department of Community Services.
Support for the system is outsourced to Unisys Canada, who are paid roughly $4 million a year to handle any security issues and monitor AMANDA’s performance.
Unisys director Jeffrey Baum tells The Coast in an email that the company has had a “very positive and collaborative 20-year relationship with the province.”
But that cozy relationship was one of the biggest red flags for the auditor general.
“The province has a long relationship with Unisys and management believes less oversight is needed than what was defined in the contract,” writes Pickup. “Without proper oversight, the department cannot ensure contract terms are fulfilled to the level required.”
The 2016 audit found Unisys itself was meeting standards, but the department of Internal Services was lacking on security controls.
Hundreds of old user accounts still had access to unauthorized data, managers failed to take part in required meetings with the contractor and documents sent to the province about AMANDA’s performance went unread.
“Unisys is providing the contractually-required monthly performance reports,” says Pickup. “We found no evidence that the department was reviewing these reports.”
The audit recommends those security policies be tightened and suggests a “value-for-money assessment” should be conducted prior to Unisys’ contract renewal. Internal Services responded by saying it would evaluate the standards and review current policies.
Just two months later, Nova Scotia unveiled its new AMANDA-based Freedom of Information web portal—inadvertently making available to anyone with rudimentary computer knowledge the personal data belonging to thousands of Nova Scotians.
As was announced earlier this week, an unauthorized user accessed the site’s private data back in March by using a simple web script to sequentially alter URL numbers. That was all it took to download 7,000 documents containing private data, including phone numbers, birthdates and social insurance numbers.
The province only discovered the system flaw that allowed the breach by accident, after a government employee made a typo and inadvertently stumbled across the web portal’s open backend.
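The flaw described above is a classic missing-authorization check on a numeric document ID, and the telltale sign in server logs is one client fetching consecutive IDs in quick succession. As an added illustration (not part of The Coast’s reporting, and not code from the province, Unisys or CSDC), the routine below flags that pattern in a constructed access log; the log format, the `/docs/<id>` path shape and the IDs are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines for the example (not real traffic);
# the /docs/<id> path shape and document IDs are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2018:10:00:01 -0400] "GET /docs/1001 HTTP/1.1" 200 5120
203.0.113.7 - - [05/Mar/2018:10:00:02 -0400] "GET /docs/1002 HTTP/1.1" 200 4870
203.0.113.7 - - [05/Mar/2018:10:00:03 -0400] "GET /docs/1003 HTTP/1.1" 200 6011
203.0.113.7 - - [05/Mar/2018:10:00:04 -0400] "GET /docs/1004 HTTP/1.1" 200 3990
203.0.113.7 - - [05/Mar/2018:10:00:05 -0400] "GET /docs/1005 HTTP/1.1" 200 5555
198.51.100.9 - - [05/Mar/2018:10:01:10 -0400] "GET /docs/2048 HTTP/1.1" 200 7100
198.51.100.9 - - [05/Mar/2018:10:07:31 -0400] "GET /docs/1777 HTTP/1.1" 200 2300
"""

# Combined-log-format fields we need: client IP, request path, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DOC_RE = re.compile(r"^/docs/(?P<id>\d+)$")


def parse(log_text):
    """Yield (client_ip, document_id) for every successful document fetch."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        d = DOC_RE.match(m.group("path"))
        if d:
            yield m.group("ip"), int(d.group("id"))


def longest_sequential_run(ids):
    """Length of the longest run where each ID is exactly one above the last."""
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text, min_run=4):
    """Return {client_ip: run_length} for clients whose successful document
    fetches, in log order, contain a sequential run of at least min_run IDs."""
    by_client = defaultdict(list)
    for ip, doc_id in parse(log_text):
        by_client[ip].append(doc_id)
    runs = {ip: longest_sequential_run(ids) for ip, ids in by_client.items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}


if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # {'203.0.113.7': 5}
```

The threshold and window are deliberately simple; in production the same check would be bucketed by time and paired with an authorization check on the server side so that a guessed ID returns nothing rather than a record.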
Halifax police have charged a 19-year-old man with unauthorized use of a computer in connection with the breach. He’s due in court June 12 to face the charges, which could result in a fine of $5,000 and anywhere from six months to 10 years in jail.
In the meantime, Nova Scotia, Unisys and CSDC are working to fix the vulnerabilities in its systems and get the web portal back online.
During an emergency debate held Thursday evening at Province House, Internal Services minister Patricia Arab apologized to Nova Scotians for the breach.
“It’s a terrible thing and we’re now fully investigating to reduce the chances of it happening again,” she said.
The minister came under fire this week for originally suggesting the decision not to disclose the data breach was made under advice from Halifax Regional Police, as it could compromise their investigation.
Police superintendent Jim Perrin refuted that claim, telling reporters there was “no conversation between us and the province about holding off and not telling anybody.”
During Thursday’s debate, Labour and Advanced Education minister Labi Kousoulis praised Arab’s decision to not inform the public about the breach earlier because it apparently would have tipped off the teenage downloader, who then could have put the information “on Wikileaks.”
“They could have copied the data on a memory stick. They could have emailed it around the world,” said Kousoulis. “We’re not even sure if the individual has done those things.”
Despite acknowledging the severity of the situation, the Liberal government also repeatedly downplayed the breach on Thursday as a minor skirmish in an ongoing cybersecurity battlefield.
“That someone as smart as the people at Facebook—the geniuses that developed such a revolutionary platform—could be hacked seemingly so easily,” said Service Nova Scotia minister Geoff MacLellan. “There’s no amount of money; there’s no way to ensure this will never happen again—just ask Mark Zuckerberg.”
MacLellan was referencing how Facebook knowingly allowed Cambridge Analytica to collect information on millions of its users, which the data mining firm then used to overthrow democracy. In scope and mechanics, it’s a dissimilar situation to an obvious security blind spot allowing a single teenager to download thousands of confidential government documents.
Susan Leblanc, NDP MLA for Dartmouth North, shot back at the insinuation from the government that this was some sophisticated hack by malicious entities.
“It was more like a filing cabinet being left unlocked and then put out on the sidewalk.”
Registered letters to the individuals whose data was compromised by the breach will be mailed out by the middle of next week. The province says it will also cover the costs for credit check services for those who had “highly sensitive” information illegally accessed.
Meanwhile, Nova Scotia’s contract with Unisys is set to expire at the end of June. Spokesperson Brian Taylor says the province will make a decision on whether to renew that contract “in the coming weeks.”