Information breach fallout offers multiple choices
Multiple-choice seems the fitting form to test the most recent allegations of duplicity and incompetence levelled at the Nova Scotia government.
From among the following statements, please identify the egregious failure. The government’s freedom of information/protection of privacy web portal is demonstrably insecure. Once breached and personal information exposed, the government hid that from Nova Scotians, including those at risk. The breach was only discovered by luck. Or finally, given a week to get its story straight, the government didn’t.
An ‘all-the-above’ choice is too obvious. The good news is there’s no wrong answer, but that’s the bad news, too.
For more than a week now, visitors to the province’s online freedom of information, protection of privacy web portal have been greeted by an ugly “system unavailable” message.
Tory House Leader and Argyle-Barrington MLA Chris d’Entremont started asking about the failure last week and was under-informed by Internal Services Minister Patricia Arab, who initially said only that there was an “issue” with the site.
Last Wednesday the government fessed up. By exploiting a vulnerability on the site, someone had gained access to about 7,000 barely protected files, some of which contained such personal data as names, addresses, social insurance numbers, and birthdates of people who have dealings with the province.
Oops.
Halifax police followed the digital tracks and charged a 19-year-old kid with the unusual offence of unauthorized use of a computer. That’s pretty much all they had, given that making the government look stupid is not a crime, which is good news for cabinet ministers and columnists.
The government kept the security breach a secret for a week after its discovery – a full month after it had occurred – so as not to impede the work of the police and at the request of the cops, or so it claimed.
Not so, according to the police, who didn’t get the government’s talking point and didn’t seem to care a whit who the government told about its porous web security.
Oops, again.
By last Thursday, with the imagined gag order from the police no longer an available excuse, Premier Stephen McNeil and Ms. Arab were saying the breach was kept quiet so the perpetrator wasn’t tipped off, thus containing further distribution of the sensitive personal information.
That story is in a leaky bucket too. The perpetrator already had a month to distribute the information and, when the site he had breached was replaced by the stark “system unavailable” message, anyone with the savvy to breach its security would know the jig was up.
In addition, the government waited five days to inform its privacy commissioner of the breach.
Questioned in the House last Thursday, the minister allowed that the government’s priority was to “contain the situation,” although she quickly corrected herself by adding “contain the information.”
A slip of the lip in the heat of debate can be a misstatement or a tell. Was the goal to contain the damage from the information breach, or contain the political damage? Either objective can be deemed a miss, at this point.
The government maintains that it followed all its protocols but the protocol states that those whose information was compromised should be informed as soon as possible.
The government took a different course and has only now begun the process of contacting individuals whose personal information was accessed and downloaded.
This despite the admission from the minister that the “gravity for those impacted is beyond comprehension.” It is, in fact, fully comprehensible by any victim of identity theft.
Ms. Arab’s assurance that her department is working with other departments to track people whose information was disclosed doesn’t offer a big confidence boost either. Anytime more than one government department gets involved, wires get crossed.