Province just sort of stumbles across massive data breach

With minimal effort, it appears a Halifax teenager was able to download 7,000 confidential documents containing personal information on thousands of Nova Scotians—and the government only found out about it by accident.

At a press conference Wednesday, deputy minister of Internal Services Jeff Conrad described how an unauthorized user had—over two days in March—accessed private files held on Nova Scotia’s Freedom of Information web portal.

The hacker, if that word even applies, realized the private PDFs located on the government website could be viewed simply by changing file numbers in the URL. Using a script that sequentially replaced those digits, the individual was able to download the 7,000 documents without anyone noticing.

Those files contain personal information such as the birth dates, social insurance numbers and addresses of thousands of Nova Scotians. Credit card data, which the province says is stored on a separate system, wasn’t compromised.

The breach was only discovered last week when a government employee accidentally stumbled across the flaw.

“The employee was involved in doing some research on the site and inadvertently made an entry to a line on the site—a typing error—and identified that they were seeing documents they should not have seen,” says Conrad.

The whole situation is “bordering on the surreal,” according to one of the province’s top privacy experts.

“Certainly it sounds like it was really bad security,” says David Fraser, a lawyer with McInnes Cooper who specializes in cybersecurity and privacy law. “One would think a provincial government that has an obligation to safeguard sensitive information would be aware of such a trivial way of getting access to data.”

Once it was aware of the flaw, the province quickly took down the web portal and began to triage the situation with its third-party service provider, Unisys. After confirming someone had downloaded the files illegally, the government turned over the investigation to Halifax Regional Police.

Only minutes after the province’s press conference on Wednesday, HRP announced they were questioning a 19-year-old Halifax man about the FOIPOP breach. Three hours later, the police announced the unidentified man had been charged with unauthorized use of a computer.

This is the only breach of this nature on government servers that the province claims to know about. According to Conrad, cybersecurity officials are now working with Unisys to fix the flaws and get the site back online. It’s expected that could take another week, if not longer.

No one from the province would comment on what actions will be taken regarding Unisys’ contract or whether there are grounds to hold the service provider liable for the security flaw.

The Freedom of Information and Protection of Privacy (FOIPOP) web portal launched 15 months ago. At the time, it was praised as a convenient upgrade to the province’s cumbersome FOIPOP process for accessing public information.

But over the last year, there were seemingly few security scans of the site’s operation and Unisys never flagged any unauthorized access.

The government's lack of awareness about its own security blindspots raises questions for Fraser about what other online information is vulnerable.

“Are there enough safeguards in place to not only prevent this sort of things from happening but also to monitor it to find out whether these kinds of things could be happening?” he asks.

The FOIPOP site’s sudden and extended shutdown over the last several days prompted questions earlier this week from both opposition MLAs and members of the media—questions that were largely met with silence.

Internal Services minister Patricia Arab declined to give any information on the situation when confronted Tuesday.

On Wednesday, Arab told reporters her department was only following “proper protocols” and hadn't commented earlier because they didn't want to endanger any police investigations.

“We wanted the person responsible for this to not know that we knew that this had happened,” said Arab. “We needed to let Halifax Regional Police do their job and couldn't compromise the nature of their investigation.”

The province says it will immediately begin notifying those Nova Scotians whose personal data was accessed. Privacy commissioner Catherine Tully has also launched an independent investigation into the breach.