Teen charged after personal information exposed in Nova Scotia government website breach

Halifax police have detained a person after a breach of the Nova Scotia government's freedom-of-information website that included access to personal information.

Halifax police make arrest after 7,000 documents accessed from FOIPOP website

Internal Services Minister Patricia Arab and deputy minister Jeff Conrad spoke to reporters Wednesday. (CBC)

A 19-year-old Halifax man has been arrested after a breach of the Nova Scotia government's freedom-of-information website that included access to personal information.

More than 7,000 documents were accessed. About four per cent were determined to have "highly sensitive personal information," according to government officials. They said the number of Nova Scotians affected is "in the thousands."

"This is not great news," Internal Services Minister Patricia Arab said Wednesday. 

Sensitive information accessed includes birth dates, social insurance numbers, addresses and government-services client information. Credit card information was not accessed during the breach, according to the government.

Halifax Regional Police said they searched a Halifax address Wednesday morning and took a suspect into custody over the breach. Supt. Jim Perrin said the man faces a charge of unauthorized use of a computer.

"It's a seldom-laid charge," Perrin said at Halifax police headquarters Wednesday afternoon.

Perrin said they seized items in the search, but did not provide details. Police don't expect to charge anyone else, but the arrested man could face more charges. The man was released on a promise to later appear in court.

Supt. Jim Perrin said police rarely charge people with unauthorized use of a computer, but that it was the right offence in this case. (CBC)

While the breach happened between March 3 and 5, government officials said they only became aware of it last Thursday when a government employee, doing research on the site, inadvertently entered incorrect information and was granted access to documents that should not have been publicly available. The government shut the site down the same day.

Breach kept quiet for days

Even once the government learned of the breach, it waited until Wednesday to begin notifying affected people. Arab said they held off notifying people was because police suggested it would help them in their investigation.

But Perrin told reporters police did not make that request. He could not say if advising people would have compromised the investigation. The province's protocols for a privacy breach state it is supposed to inform people as soon as possible, unless otherwise instructed by law enforcement. 

The web portal was set up 15 months ago to handle access-to-information requests made under the province's Freedom of Information and Protection of Privacy Act.

Government officials said someone got in by "exploiting a vulnerability in the system." The person wrote a script allowing them to alter the website's URL, which then granted access to the personal information.

Internal Services found more than 7,000 PDF documents had been downloaded by a "non-authorized user" in early March. They filed a complaint with police on Saturday. 

Arab was tight-lipped earlier this week, refusing to answer questions from opposition politicians and reporters on Tuesday.

On Wednesday, she and deputy minister Jeff Conrad gave a fuller account to journalists. Arab said if the matter hadn't been raised by opposition members and reporters on Tuesday, Wednesday's information update still would have happened.

"We wanted the person responsible for this to not know that we knew that this had happened," Arab told reporters. "We needed to let Halifax Regional Police do their job and couldn't compromise the nature of their investigation."

The government said people's payment information was safe because it is managed by a different system. Officials are notifying affected people as of Wednesday.

'Checks and balances aren't there'

Opposition MLAs said the government should never have waited this long to acknowledge what happened.

"Crisis communications 101 would tell you that you should tell the public that there's a problem, make people know that there's an issue and then deal with it accordingly," said Tory MLA Chris d'Entremont.

"Really what it looked like this government was trying to do here was wait until the House rose before they would actually deal with it."

New Democrat MLA Dave Wilson said it's particularly troubling that it took weeks to discover the breach and that it was discovered by accident.

"That should be concerning to Nova Scotians when we have a third-party vendor housing sensitive information, that the checks and balances aren't there."

Wilson said he doesn't see how the public can have any confidence in the government's security measures.

Privacy commissioner investigating

Catherine Tully, the province's privacy commissioner, was told Monday about the breach. She said Wednesday that she's investigating.

"This investigation will examine whether the Department of Internal Services was in compliance with Nova Scotia's Freedom of Information and Protection of Privacy Act," her office said in a news release. 

The FOIPOP website is managed by third-party service providers Unisys and CSDC Systems. No one from the government would say Wednesday whether there is a clause within the contract with the providers to hold them liable or if there are grounds to cancel the contract.

CSDC said it learned of the "vulnerability" on April 5.

"This is an isolated incident and no other CSDC products or customers have been impacted," the company said in an email. They said they're working on a security patch. 

Conrad said no other personal information was potentially exposed by the breach because the FOIPOP site does not have pathways to other government systems.

Premier Stephen McNeil said the company manages other government websites, but officials refused to identify those websites.

With files from Jean Laroche, Jon Tattrie and Preston Mulligan