Information commissioner, AG slam McNeil government over privacy 'breach'

Nova Scotia's privacy watchdog is taking the McNeil government to task for a "serious failure of due diligence" related to its problem-plagued online freedom-of-information portal, comments that come as the province's auditor general says the government failed to adequately assess and manage the "vulnerabilities" of the system.

The criticism follows nine-month investigations by the offices of both Information and Privacy Commissioner Catherine Tully and Auditor General Michael Pickup into a "breach" of the relatively new online access-to-information request and disclosure system.

More than 7,000 documents were downloaded on March 3, 2018, including several hundred with highly personal information, but the breach wasn't detected until a month later when a government worker inadvertently discovered the weakness in the system and alerted his boss.

Police traced the download back to a Halifax-area family home, raiding the residence and arresting a 19-year-old man. They threatened to charge him with "unauthorized use of a computer," an offence that carried a possible 10-year prison sentence.

Three weeks later, investigators announced they would not be charging the man because he "did not have intent to commit a criminal offence."

Auditor general's report

In a report issued Tuesday, Pickup concluded the government didn't fully assess the risks associated with the venture, nor did it conduct routine security measures before the website's launch.

"The Department of Internal Services did not ensure that the website was secure before using it," Pickup said in a video summary of his report. "For example, the Department of Internal Services did not ensure security assessments were done before the website went live.

"These types of assessments are standard before systems are available to the public and users."

Pickup also expressed concern about the fact the province is storing information outside its own control.

Jonathan Hayward/Canadian Press

"Implementing something that has never been used before, as well as using it in a cloud, comes with a high degree of inherent risk," Pickup noted in his report. "Use of a cloud-based service means the data stored in it is not protected by the province's corporate network."

The auditor general also noted the government's reliance on its relationship with CSDC, the company that designed the system used by the province to create the portal, noting "regardless of how familiar government is with an individual vendor, we believe it is unreasonable to ever put full responsibility for project management, risk assessment and due diligence on a private-sector partner."

In an admission of guilt, of sorts, the provincial government said in a written response to the auditor general's report that it failed to protect the personal information of hundreds of Nova Scotians.

"This was not due to a single decision or oversight failure by government, but rather a series of decisions, governance issues and design shortfalls within a complex IT environment," Pickup said.

Information commissioner's report

Meanwhile, the provincial privacy commissioner also released a report Tuesday on her investigation, which Tully said included "a few jaw-dropping moments."

"It is astounding," she said of the breaches. "And it took the combination of quite a few people doing a poor job for this to happen."

Tully said a "serious failure of due diligence" when launching the website led to 12 "preventable" breaches between Feb. 27 and April 3, 2018. Those breaches included information such as social insurance numbers, addresses, phone numbers and even medical information and allegations of child abuse, Tully's report said.

She found the Department of Internal Services failed to detect a design flaw in the website "created by a well-known and foreseeable vulnerability."

"Taking the time to diligently assess a tool at all stages of a project is fundamental to ensuring that personal information held by government is respected and protected," she said in the report.

Initially, the freedom-of-information website was expected to be approved and implemented within two and a half months. Although it was launched five months later than planned, "the short time frames created a stressful environment and compromised the quality of system testing," Tully said.

Robert Short/CBC

As the department got close to launching the website, staff met with Tully to provide a demonstration, even though minutes of a meeting of senior departmental executives said "there is no possibility to accommodate any change she may request." Tully said during the demonstration, she recommended a security threat and risk assessment be performed, but that wasn't done until a year after the website was launched.

Tully's investigation also highlighted "shortcomings in the project management, security review and privacy impact assessment." They included considering the freedom-of-information website "low risk," failing to do any technical testing, and not recognizing the flaws in how public and private documents were stored. The review also found the privacy impact assessment identified risks and mitigations that were not incorporated into the site.

"One significant and troubling factor is that the technology under investigation was implemented by the group responsible to lead privacy across all government departments," her report says.

As part of her investigation, Tully met with employees who described a "culture of high tolerance for cybersecurity risk" across the provincial government. Employees mentioned receiving angry phone calls from project owners if someone raised a risk concern they weren't prepared to deal with. Another employee said when a concern was raised at a meeting, the vendor mocked the employee and no one intervened.

Tully also found the department did not manage the situation well after the privacy breaches.

Out of the 7,000 records that were downloaded by two people in 12 different privacy breaches, nearly 618 were downloaded to an unknown computer using IP addresses at the Atlantic School of Theology and still haven't been located, she found. She said parties affected by that breach still haven't been notified.

Tully determined the department still doesn't have a "comprehensive, methodical plan to prevent a similar occurrence in the future."

Recommendations

The commissioner's recommendations include:

  • Stronger leadership when it comes to privacy in the government and more due diligence in the privacy impact assessment process.

  • Immediate steps to contain the breaches related to the 618 documents downloaded onto an unknown private computer, which has yet to be secured.

  • Notifying people whose personal information was contained in those 618 documents.

  • Reviewing the incident internally to understand the causes and prevent future problems.

  • Conducting an internal review of technology the government uses to look at vulnerabilities and form a plan to reduce cyber vulnerabilities.

  • Clarifying and strengthening the role of the province's Architecture Review Board, which approves and monitors technology standards.

In a statement, the province said it accepts all the recommendations in both reports and has created an action plan to implement the recommendations.

Later Tuesday, Premier Stephen McNeil defended Internal Services Minister Patricia Arab. Tim Houston, the leader of the province's Progressive Conservative party, has called for her to resign or be fired.

"Minister Arab has been working hard on behalf of Nova Scotians to deal with this issue since it arose last year, and one of the reports today noted reasonable steps taken by the department at the time," he said.

"Minister Arab has accepted the recommendations in both reports, and I have full confidence in the minister's commitment to make the necessary improvements to ensure the private information of Nova Scotians is protected."