More security failures discovered in Nova Scotia's FOI portal

Continued efforts to restore the province’s freedom-of-information portal have revealed 11 other IP addresses downloaded personal documents from the website that should not have been there in the first place.

11 other IP addresses were used to download a total of 900 documents

The government's freedom-of-information portal remains offline, and 11 other instances of people downloading information that should not have been on the site have been identified. (Robert Short/CBC)

Continued efforts to restore Nova Scotia's freedom-of-information portal have revealed 11 other IP addresses were used to download personal documents that should not have been on the website.

Sandra Cascadden, the government's chief information officer, said an ongoing review looking for any access to documents that should not have been on the site showed that, clustered around March, about 900 documents in total were downloaded through 11 different IP addresses. Those documents are the same as some of the 7,000 known to have been downloaded between March 3 to 5 by a 19-year-old Halifax man.

The man now faces of charge of unauthorized use of a computer.

154 people affected

There were 53 people affected by the 900 downloaded documents who had sensitive information accessed; 154 people in total were affected by these 11 cases. They would have already been notified following the discovery of the 7,000-document download. Nevertheless, they will be notified again.

The portal has been offline since mid-April when a government employee discovered the ability to access personal information that should never have been made public on the forward-facing website. It was following that discovery that officials learned someone had downloaded the portal's entire contents. That man has told CBC News he did not do it maliciously, but rather for research.

Since then, government IT staff along with the vendor, Unisys, have been working to determine and repair the problem. Government has also contracted a third party, Mandiant, to do further testing on the website. Cascadden said Mandiant is working with government to ensure that when the website goes back up "it is to our standards."

Cascadden did not address questions about whether the portal was initially set up to meet government standards.

Credit monitoring offered to 323 people

Meanwhile, the government has contracted TransUnion to provide free credit monitoring for 323 people whose sensitive personal information, such as birth dates and social insurance numbers, were accessed through the web portal security failure.

The latest discoveries have been forwarded to Halifax Regional Police as part of their investigation. Cascadden said the new IP addresses accessed as few as 14 items and as many as about 380. The province's privacy commissioner, Catherine Tully, and Auditor General Michael Pickup are also working on an investigation of their own.

Opposition members want answers

Interim Tory Leader Karla MacFarlane said she wasn't surprised more problems were discovered. She was critical of how the government has handled the matter since it was first discovered.

"They're very unpredictable," she said. "It's very disappointing that they didn't take the opportunity to ensure that the information that was disclosed on individuals was protected."

MacFarlane said she has a constituent whose sensitive information was disclosed and is considering legal action. She said the government needs to be doing more to protect people's information.

NDP Internal Services critic Dave Wilson said the public should be concerned.

"Here we have, obviously, no real security or protection in place to secure private information of Nova Scotians. The government needs to make sure that information is protected."

Wilson said it doesn't seem like the government took the situation seriously enough, especially given the auditor general raised concerns in 2016 about similar software that was eventually used for the freedom-of-information portal.

Contract decisions

The province has multiple contracts with Unisys, one of which is due to expire in June. Cascadden said a decision would be made in the coming weeks about the future of that contract, which is for service and support of websites running the AMANDA software.

Cascadden said there would be a request for proposals for the part of the contract that deals with providing services.

"Even before this incident started we had the RFP already 80 per cent completed because we already knew that we were going to go to the street."

About the Author

Michael Gorman

Reporter

Michael Gorman is a reporter in Nova Scotia who covers Province House, rural communities, and everything in between. Contact him with story ideas at michael.gorman@cbc.ca