.Corp Comm Connects

 

Halifax police make arrest after Nova Scotia freedom-of-information site breached
Officials say about 250 of the 7,000 documents inappropriately accessed contained highly sensitive personal information including birthdates, social insurance numbers, addresses and government services’ client information.

TheStar.com
April 11, 2018

Halifax police have arrested a suspect after the Nova Scotia government’s freedom-of-information disclosure web portal was breached.

The government said Wednesday about 7,000 documents were inappropriately accessed between March 3 and March 5. Its admission came nearly a week after the problem was first noticed and the portal was shut down on April 5.

Jeff Conrad, the deputy minister of Internal Services, said the government confirmed the information was inappropriately accessed on Friday and filed a complaint to police on Saturday.

Conrad said thousands of people could have been affected.

Officials said about 250 of the documents contained highly sensitive personal information including birthdates, social insurance numbers, addresses and government services’ client information.

Credit card information was not accessed, they said.

“Earlier this morning investigators with the General Investigation Section and Cyber Crime Unit of the Integrated Criminal Division executed a search warrant at an address in Halifax and took a person into custody in relation to the incident,” Halifax police said in a release.

“The investigation is ongoing and charges have yet to be laid.”

Conrad said the breach was inadvertently found by a provincial employee.

“The employee was involved in doing some research on the site and inadvertently made an entry to a line on the site — made a typing error and identified that they were seeing documents they should not have seen,” Conrad told a technical briefing for reporters.

Officials said the documents were accessed through a “vulnerability in the system” and not through a hack. The person went in through the URL and “sequentially went through every document available on the portal.”

“There’s no question, this was not someone just playing around,” said Conrad. “It was someone who was intentionally after information that was housed on the site.”

Wednesday’s government briefing came a day after the portal’s prolonged closure was raised in the legislature by Progressive Conservative house leader Chris d’Entremont.

Internal Services Minister Patricia Arab gave little information at the time and only described the problem as “an issue” in a later scrum with reporters.

During Wednesday’s briefing, she told reporters that proper protocol was followed and that her department wanted to let the police investigation unfold.

“We are here today because the police have made significant progress in regards to this case,” said Arab.

Government officials said the department’s cybersecurity team is working with the third party service providers, Unisys and CSDC Systems, to secure the site and get it back on line.

They couldn’t say when that might happen.

The government said it was also beginning the process of contacting those affected by the breach.