More security failures discovered in Nova Scotia's FOI portal - Action News
Home WebMail Saturday, November 23, 2024, 07:25 AM | Calgary | -12.2°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Nova Scotia

More security failures discovered in Nova Scotia's FOI portal

Continued efforts to restore the provinces freedom-of-information portal have revealed 11 other IP addresses downloaded personal documents from the website that should not have been there in the first place.

11 other IP addresses were used to download a total of 900 documents

A big old stone building.
The government's freedom-of-information portal remains offline, and 11 other instances of people downloading information that should not have been on the site have been identified. (Robert Short/CBC)

Continued efforts to restore Nova Scotia's freedom-of-information portal have revealed 11 other IP addresses wereused to downloadpersonal documents that should not have been on the website.

Sandra Cascadden, the government's chief information officer,said an ongoing review looking for any access to documents that should not have been on the siteshowed that, clustered around March, about 900 documents in total were downloaded through 11 different IP addresses. Those documents are the same as some of the 7,000 known to have been downloaded between March 3 to 5 by a 19-year-old Halifax man.

The man now faces of charge of unauthorized use of a computer.

154people affected

There were 53 people affected by the 900 downloaded documents who had sensitive information accessed; 154 people in total were affected by these 11 cases. They would have already been notified following the discovery of the 7,000-document download. Nevertheless, they will be notified again.

The portal has been offline since mid-April when a government employee discovered the ability to access personal informationthat should never have been made public on the forward-facing website. It was following that discovery that officials learned someone had downloaded the portal's entire contents. That man has told CBC News he did not do itmaliciously, but rather for research.

Since then, government IT staff along with the vendor, Unisys, have been working to determine and repair the problem. Government has also contracted a third party, Mandiant, to do further testing on the website. Cascadden said Mandiantis working with government to ensure that when the website goes back up "it is to our standards."

Cascadden did not address questions about whether the portal was initially set up to meet government standards.

Credit monitoring offered to 323 people

Meanwhile, the government has contracted TransUnion to provide free credit monitoring for 323 people whose sensitive personal information, such as birth dates and social insurance numbers, were accessed through the web portal security failure.

The latest discoveries have been forwarded to Halifax Regional Police as part of their investigation. Cascadden said the new IP addresses accessed as few as14 items and as many as about380. The province's privacy commissioner, Catherine Tully, and Auditor General Michael Pickup are also working on an investigation of their own.

Oppositionmembers want answers

Interim Tory Leader Karla MacFarlane said she wasn't surprised more problems were discovered. She was critical of how the government has handled the matter since it was first discovered.

"They're very unpredictable," she said. "It's very disappointing that they didn't take the opportunity to ensure that the information that was disclosed on individuals was protected."

MacFarlane said she has a constituent whose sensitive information was disclosed and is considering legal action. She said the government needs to be doing more to protect people's information.

NDP Internal Services critic Dave Wilson said the public should be concerned.

"Here we have, obviously, no real security or protection in place to secure private information of Nova Scotians. The government needs to make sure that information is protected."

Wilson said it doesn't seem like the government took the situation seriously enough, especially given the auditor general raised concerns in 2016 about similar software that was eventually used for the freedom-of-information portal.

Contract decisions

The province has multiple contracts with Unisys, one of which is due to expire in June. Cascaddensaid a decision would be made in the coming weeks about the future of that contract, which is for service and support of websites running the AMANDA software.

Cascaddensaid there would be a request for proposals for the part of the contract that deals with providing services.

"Even before this incident started we had the RFP already 80 per cent completed because we already knew that we were going to go to the street."