The Nova Scotia Government shut down its Freedom of Information website on Thursday, April 5th, after discovering that private PDFs located on the government website could be viewed simply by changing file numbers in the URL. A government employee discovered the flaw when doing some research on the site. The employee inadvertently made an entry to a line on the site and identified that they were seeing documents they should not have seen. An Internal Services investigation found more than 7,000 PDF documents had been downloaded by a "non-authorized user" between March 3-5. The government informed police on Saturday, April 7th. Yesterday, a 19-year-old Halifax man was charged by police with unauthorized use of a computer. The vulnerability in the system allowed the accused to write a script that sequentially accessed every document available on the portal. The government estimates the number of Nova Scotians who are affected to be “in the thousands.” The sensitive information accessed includes birth dates, social insurance numbers, addresses and government-services client information. Credit card information was not accessed during the breach, as that type of information is stored elsewhere.
These are the facts so far in this case. Many questions come up when a breach like this happens. Why did the Government wait to notify potentially affected people? Why did it take so long for this flaw to be discovered? What might this hacker have done with this information? Are there more safeguards that could be put in place to prevent this from happening in the future?
According to Internal Services Minister Patricia Arab, "We wanted the person responsible for this to not know that we knew that this had happened. We needed to let Halifax Regional Police do their job and couldn't compromise the nature of their investigation." Supt. Jim Perrin of the Halifax Regional Police, “told reporters police did not make that request. He could not say if advising people would have compromised the investigation.” Nova Scotia’s protocols for a privacy breach state it is supposed to inform people as soon as possible, unless otherwise instructed by law enforcement. It seems the government may be in violation of its own rules. In the short term, it looks like the hacker has been caught!
As to the question, why did it take so long to find out about this breach, some experts are putting the blame on the government: “Certainly, it sounds like it was really bad security,” says David Fraser, a lawyer with McInnes Cooper who specializes in cybersecurity and privacy law. “One would think a provincial government that has an obligation to safeguard sensitive information would be aware of such a trivial way of getting access to data.” While ultimately the government is responsible for the records they keep online, the Freedom of Information and Protection of Privacy (FOIPOP) website is managed by third-party service providers Unisys and CSDC Systems. Unisys describes itself as, “a global information technology company that builds high-performance, security-centric solutions for the most digitally demanding businesses and governments on Earth.” CSDC Systems describe themselves as helping “governments manage all types of compliances: Permitting, Licensing, Code Compliance, Public Safety, Public Health, Environment Safety, Vehicle Safety, Tax Compliance, Freedom of Information Compliance, Legal Compliance and Courts Automation.” A quick check of their website shows case studies of other governments around the world they’ve worked with. This is the case study for their work with the Province of Nova Scotia.
It goes to show, you are only as secure as your third-party service providers. CSDC said it learned of the "vulnerability" on April 5. CSDC said in an email to media that "This is an isolated incident and no other CSDC products or customers have been impacted," and that it is currently working on a patch. It remains to be seen whether a regular vulnerability scan would have brought this issue to light before these records were unlawfully accessed.
Even though no credit card or payment information was obtained, birthdays, addresses and Social Insurance numbers can all be used to steal someone’s identity for fraud. The internal services division of the government is in the process of contacting people who were affected by the breach and will offer to pay for third-party credit checks where costs are involved.
What kind of safeguards could have been put in place to prevent this from happening in the first place? Without knowing what kind of security practices the government and their security providers were actually using, we can only speculate that these best practices might have helped. Testing the source code of the web applications in use for security vulnerabilities is a good practice. In Dave Millier’s book, Breached, Millier discusses the practice of a Software Development Life Cycle (SDLC). The SDLC calls for the security team to be involved right at the beginning of the development cycle to find bugs before going “live”. Another preventative measure that might have helped would be ongoing vulnerability scanning and patch management. A Risk-Based Approach to Vulnerability Remediation Management might have found this vulnerability and fixed the problem before this happened.
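
On the question of why the downloads went unnoticed for so long, the following added example (not code from the government, Unisys or CSDC) shows a log review that flags a single client walking through consecutively numbered documents, the pattern described above. The log format, the `/docs/<number>.pdf` path, the addresses and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: combined-log-style lines. The path /docs/<number>.pdf,
# the addresses, dates and counts are assumptions for illustration only.
def build_sample_log():
    lines = []
    # One client fetching document numbers in order.
    for n in range(1000, 1040):
        lines.append(f'203.0.113.7 - - [01/Jan/2024:02:00:{n % 60:02d} +0000] '
                     f'"GET /docs/{n}.pdf HTTP/1.1" 200 5120')
    # Ordinary users fetching a handful of unrelated documents.
    for ip, ids in (("198.51.100.4", [1003, 2210, 1877]),
                    ("198.51.100.9", [3051, 3052])):
        for n in ids:
            lines.append(f'{ip} - - [01/Jan/2024:09:15:00 +0000] '
                         f'"GET /docs/{n}.pdf HTTP/1.1" 200 5120')
    return lines

LINE_RE = re.compile(r'^(\S+) .*?"GET /docs/(\d+)\.pdf[^"]*" (\d{3}) ')

def find_enumeration(lines, min_docs=25, min_sequential_ratio=0.8):
    """Return {client: (distinct_docs, sequential_ratio)} for clients whose
    successful document fetches look like a walk through consecutive numbers."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(3) == "200":      # count only documents actually served
            seen[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for client, ids in seen.items():
        if len(ids) < min_docs:
            continue                        # too few documents to call it a sweep
        ordered = sorted(ids)
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        ratio = steps / (len(ordered) - 1)  # share of neighbours that differ by 1
        if ratio >= min_sequential_ratio:
            flagged[client] = (len(ids), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    for client, (count, ratio) in find_enumeration(build_sample_log()).items():
        print(f"{client}: {count} distinct documents, {ratio:.0%} consecutive")
```

A review like this only shortens the time to discovery; the documents stay exposed until the server checks, on every request, that the requester is entitled to the specific file.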