
Nobody disciplined for Nova Scotia’s largest privacy breach

2 reports into FOI website breach find numerous vulnerabilities and lack of oversight

No one in government will be fired or demoted for the biggest security breach in Nova Scotia history in which the Department of Internal Services inadvertently exposed the private documents of thousands of Nova Scotians.

“We fully recognize the role the government has in this incident,” Minister of Internal Services Patricia Arab said at a news conference Tuesday. She went on to promise nine times that her department will “do better” with respect to privacy.

Arab said she has not offered her resignation to Premier Stephen McNeil, nor will anyone in the department be disciplined.

For five weeks beginning last February, two people downloaded nearly 7,000 unprotected private documents through Nova Scotia’s Freedom of Information Access portal.

After twin eight-month-long investigations, Privacy Commissioner Catherine Tully and Auditor General Michael Pickup released two separate reports Tuesday. The reports show systemic negligence in the department, which skipped the pilot phase before launching its website and still has not located 618 of the downloaded documents or identified the people whose information was exposed in them. Before the website launched in 2017, the department failed to notice a common vulnerability, as well as 27 other security deficiencies that weakened the site.

“This breach is the largest known breach in the Nova Scotia public sector’s history, and in my opinion, by far the most significant,” Tully said at a news conference Tuesday.

According to Tully’s report, two people downloaded documents including medical information, social insurance numbers and allegations of child abuse through the portal. One was a Halifax teenager. The other was using Wi-Fi at the Atlantic School of Theology and downloaded the entire database.

“There were a few jaw-dropping moments in the investigation,” Tully said. Asking whether or not the website had reasonable security when launched, Tully concluded, “Our finding: emphatically no.”

Photo: Auditor General Michael Pickup and Privacy Commissioner Catherine Tully at a news conference on Tuesday. (Matt Stickland)

No surprise

Given the website’s lack of oversight, Pickup said the breach was “not in fact surprising.” The department did not pilot the website’s new software, and a risk assessment should have been an obvious priority, he found. Nova Scotia was the first organization in the world to pair this website with the new cloud-based software.

The immediate cause was a flaw in the software’s code, which could have been fixed had it been detected. During the rollout of the new software, meeting minutes were missing and there was no project plan, even though the department had delayed the website launch by five months.

The department did not notice the breach until a civil servant stumbled on it by chance.

‘Complete failure’

Arab said the reports show the breach was not the fault of a single person, but opposition MLAs blamed the Liberals.

“This is a complete failure of government,” said Conservative Party Leader Tim Houston in a scrum.

“The buck doesn’t stop with Patricia Arab; the buck stops with Premier McNeil,” said NDP MLA Lisa Roberts.

The department accepts all the recommendations from Tully and Pickup and has developed a security plan in response. It has paid $85,000 in overtime and other costs to deal with the breach.

Documents still missing

Tully said the department made a shrewd decision to shut down the website last spring and to keep it closed for 152 days. Tully pointed out that the breach occurred within the very department that is responsible for the private information of civil servants. Among its duties, according to its annual accountability report, the Department of Internal Services processed 49,000 travel claims last year and answered 1,500 phone calls from civil servants per day.

Tully said the department should immediately notify the individuals whose information was among the documents downloaded to a computer that has still not been found. Ten months after the initial breach, the department has yet to locate those 618 documents.

“If government’s privacy experts can’t get privacy right, who can?”