Tri-County Vanguard

Breached site was ‘high risk’ for some

- Jim Vibert

A website containing intimate, sometimes agonizing personal and family details — from child custody records to medical and income assistance files — was inexplicably assessed as a “low risk” by the government entrusted with the protection of that sensitive information.

Nova Scotia’s Auditor General Michael Pickup was recently at a total loss to explain to the legislature’s public accounts committee how the government could possibly come up with that risk assessment for its Freedom of Information Access (FOIA) site.

Pickup’s incredulity grew when he explained the site was the first-ever attempt to run a software application called Accesspro on a platform known as Amanda 7.

That alone should have elevated the risk level and necessitated the kind of security testing the site was not subjected to until after it was breached last spring. By then, thousands of records, including personal files, had been downloaded by users who exploited a gaping hole in the security.

Freedom of information requests fit into a couple of very different, broad categories. Journalists, opposition politicians and other interested Nova Scotians seek information about government programs, decisions and spending.

Those are standard FOI requests.

But individual Nova Scotians also seek access through Freedom of Information to their own personal files held by government. Many of those files are highly sensitive and relate to people and families experiencing real crises.

Both kinds of information were held on the FOIA site.

The government’s responses to standard FOI requests were available for all, while the personal files were “protected” behind a thin veil of digital security that was penetrated using a widely known technique to mine data.

A little historical context never hurts. Some years ago, a minister of Community Services divulged a fragment of personal information gleaned from the file of an income assistance recipient. That minister — the late Edmund Morris — recognized his transgression and resigned.

He was honour-bound to do so.

Yet, when vast amounts of personal information escape from the current government’s weak grasp via a security breach termed “an utterly preventable disaster” by the auditor general, no minister of the Crown is held accountable, none is in jeopardy of losing his or her seat at the cabinet table, and no one feels honour-bound to do a damn thing.

From the perspective of the people whose personal or family information was on that site, the risk was high. The nature of the information made it high risk.

But clearly, the government’s risk assessment wasn’t based on consideration of those people or the potentially devastating consequences they could suffer should their information fall into the wrong hands.

Therein lies the problem.

The government’s risk assessment was backwards, or inside out, but it was the opposite of what it should have been.

The government assessed the FOIA website as low risk to the government and as it turned out, they even got that wrong.

The risk the province was imposing on Nova Scotians whose private information was on that website was not a factor in arriving at the low-risk assessment. It couldn’t have been.

How could smart civil servants, fully aware of the sensitive nature of the information in question, assess the risk to those people as anything but high? They couldn’t. The logical explanation is that they didn’t consider those people at all.

That explanation leads unavoidably to a government that puts itself and its own interests first, ahead of the interests of the people it ostensibly serves. It did in this case.

It’s also a sign the government has lost sight of its purpose and the senior bureaucracy has failed to instill — or worse, killed — the “public service” ethic, the understanding that service to the public comes first, always.

The auditor general tells us the government didn’t take even the most basic steps to safeguard information on the site. Indeed, post-breach, an IT security firm identified 28 vulnerabilities on the site, eight of which were considered serious.

That assessment was done in a matter of days. Had it been done before the site went live, the government could have saved itself some political embarrassment.

But, much more importantly, it could have saved the folks whose personal files it lost a lot of hurt and worry.
