Freedom of Information
Auditor general, privacy commissioner to report on Access to Information breach
Auditor general and privacy commissioner reports will detail what went wrong with the government website
caption
According to the auditor general and privacy commissioner, a lack of oversight and improper risk management led to the breach.Nova Scotians will find out Tuesday morning what went wrong during 2018’s Freedom of Information website breach.
A breach was first reported on April 4, 2018, when a Nova Scotia Archives employee attempted to gain access to a document he had previously viewed. The employee mistyped the document’s URL, leading him to a page for an incoming Freedom of Information request — something he wasn’t supposed to be able to access.
The website was shut down shortly after. It was reopened on Sept. 3, 2018 and is being managed by a new company.
However, the new FOI portal is not fully functional, as only old requests can be accessed. New requests can’t filed electronically, but can still be filed by paper.
At the time the breach was first reported, the province said more than 7,000 documents were downloaded, but that most were already publicly available. Around 250 documents contained sensitive information, including the birth dates, addresses and social insurance numbers, resulting in 700 people who had their personal data exposed.
On April 11, Halifax Regional Police arrested a 19-year-old man in connection to the breach. The arrest resulted in public backlash from people who felt the police misused their power in the arrest. The teen was arrested under an uncommonly used section of the Criminal Code that prohibits the unauthorised use of computers.
The teen claimed he thought the documents he downloaded were public information. Three weeks after his arrest, HRP released a statement saying they would not charge him.
A civil servant originally told police the website was “hacked” by exploiting a vulnerability in the website’s security. Internal documents accessed by search warrant state the information was accessible because of a vulnerability in the program used to manage the website.
The auditor general and privacy commissioner will both release reports on the breach Tuesday morning and hold a joint press conference to discuss their findings at 12:30 p.m.
