Halifax police make arrest in breach of N.S. freedom-of-information website
Published Wednesday, April 11, 2018 1:20PM ADT. Last Updated Thursday, April 12, 2018 7:55AM ADT.
Halifax police have charged a 19-year-old Halifax man following a breach of Nova Scotia's freedom-of-information web portal -- a problem that went unnoticed until a provincial employee made a typing error, government officials confirmed Wednesday.
Police Supt. Jim Perrin said the suspect is facing a charge of unauthorized use of a computer and was released on a promise to appear in court at a later date.
"It's a seldom-laid charge," Perrin told a news conference at police headquarters, adding that police had seized computers as the result of a search earlier in the day.
In all, about 7,000 documents were inappropriately accessed between March 3 and March 5, Internal Services Minister Patricia Arab said Wednesday.
"This is not great news," she said.
The admission came nearly a week after the problem was first noticed and the portal was shut down on April 5.
Deputy minister Jeff Conrad said the government filed a complaint with police the next day.
He confirmed that thousands of people could have been affected.
Officials said about 250 of the documents contained highly sensitive personal information including birthdates, social insurance numbers, addresses and government services' client information. Credit card information was not accessed, they said.
Conrad said the breach was detected by a provincial employee, but it was a fluke.
"The employee was involved in doing some research on the site and inadvertently made an entry to a line on the site -- made a typing error and identified that they were seeing documents they should not have seen," Conrad told a technical briefing.
Officials said the documents were accessed through a "vulnerability in the system" and not through a hack. They said someone wrote a script of computer code that allowed them to sequentially access "every document available on the portal."
"There's no question, this was not someone just playing around," said Conrad. "It was someone who was intentionally after information that was housed on the site."
The government briefing on Wednesday came a day after the portal's prolonged closure was raised in the legislature by Progressive Conservative house leader Chris d'Entremont.
At the time, Arab offered little information, and later described the problem as "an issue" when talking with reporters outside the legislature.
During Wednesday's briefing, she said the proper protocol was followed, saying her department wanted to let the police investigation unfold.
"We are here today because the police have made significant progress in regards to this case," she said.
Arab defended the department's decision not to inform the public immediately.
"We wanted the person responsible for this to not know that we knew that this had happened," she said. "We needed to let Halifax Regional Police do their job and couldn't compromise the nature of their investigation."
She also said the department decided to wait, based on police advice.
However, Perrin said that wasn't the case.
"There was no conversation between us and the province about holding off and not telling anybody," he said.
Catherine Tully, Nova Scotia's information and privacy commissioner, has launched an investigation to determine the adequacy of security and whether Arab's department was in compliance with the province's privacy law.
D'Entremont said the government's answers were unacceptable, adding that the 250 people whose sensitive information was compromised should have been informed by now.
He later noted the discrepancy around the government's explanation for holding off.
"We know there probably would have been no problem in letting the public know there's been a breach and we're investigating it," said d'Entremont. "Instead, they've said they waited for the police to do their investigation. I think they got things a little backwards and I think they are not being quite forthcoming the way they need to be."
In fact, the government's privacy breach protocol says that "generally the notification should happen as soon as possible." It adds that in cases where police are involved, they should be consulted to determine if a notification would interfere with an investigation.
The government said it was beginning the process of contacting those affected by the breach.
New Democrat Dave Wilson said it was alarming that the breach was found inadvertently.
"This wasn't found out because of checks and balances and security ... We heard today that this was found by fluke."
Government officials said the department's cybersecurity team is working with third-party service providers Unisys and CSDC Systems to secure the site and get it back online.
Premier Stephen McNeil defended the government's handling of the security breach, saying Arab had his full confidence.