A “serious lack of security testing” of Nova Scotia’s new freedom of information website was one of the main factors that allowed two people to hack the site in 2018 and make off with 7,000 documents including personal information of 740 people, says the province’s privacy commissioner.
In a report released this morning, Catherine Tully said the Department of Internal Services — which has responsibility for the freedom of information legislation — failed to recognize three key factors that made the project high risk: it was the first implementation of case management software on a platform used by the government, it was the first use of the freedom of information website, and both were to be hosted in the cloud and serviced by a vendor.
In fact, the department “failed to complete a timely and specific security threat and risk assessment after the clear recommendation to do so from Department Cyber Security staff” and Tully herself.
As a result no one caught a serious flaw: documents intended to be private and documents intended to be available to the public were mingled in one database under the same numbering scheme, and the document number was visible in the URL of each page called up on the site. Non-public documents should have carried an identifier that the database used as a filter, so that their numbers could not be retrieved through the public site. Instead, all anyone needed to do to reach any document was change the last digit of the document number in the URL of whatever document was on screen.
And that’s what happened. One user made several attempts to access different documents, not through searches but by entering different numbers in the URL, before finally figuring out the weakness. This attack was apparently automated in the end, since it retrieved thousands of pages. The second person got fewer documents, probably because they were accessed one page at a time.
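The probing behaviour described above, a client stepping through adjacent document numbers before the process was automated, is exactly the kind of pattern a web server log can surface. The following Python is an added illustration, not code from the report, the province or the vendors; the log line format, the `/foi/document/<id>` path and the client addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not from the real site): timestamp, client, request.
# One client walks ids 2050..2055 in a few seconds; another searches and opens two unrelated ids.
SAMPLE_LOG = """\
2018-03-03T10:00:01 198.51.100.7 GET /foi/document/2050
2018-03-03T10:00:02 198.51.100.7 GET /foi/document/2051
2018-03-03T10:00:02 198.51.100.7 GET /foi/document/2052
2018-03-03T10:00:03 198.51.100.7 GET /foi/document/2053
2018-03-03T10:00:04 198.51.100.7 GET /foi/document/2054
2018-03-03T10:00:05 198.51.100.7 GET /foi/document/2055
2018-03-03T10:00:40 203.0.113.9 GET /foi/search?q=budget
2018-03-03T10:00:41 203.0.113.9 GET /foi/document/2050
2018-03-03T10:05:00 203.0.113.9 GET /foi/document/2310
"""

# Assumed log shape: ISO timestamp, client address, method and path.
LINE_RE = re.compile(r"^(\S+) (\S+) GET /foi/document/(\d+)$")


def parse_log(text):
    """Return (timestamp, client, doc_id) for document fetches; other requests are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events


def find_id_walkers(events, window_seconds=60, min_steps=4):
    """Flag clients that fetch at least min_steps consecutive document ids, each within
    window_seconds of the previous one. Consecutive means id == previous id + 1, which is
    what stepping through the identifier space looks like; ordinary browsing via search
    results produces scattered ids instead. Returns {client: longest_run}."""
    by_client = defaultdict(list)
    for ts, client, doc_id in events:
        by_client[client].append((ts, doc_id))

    flagged = {}
    for client, hits in by_client.items():
        hits.sort()  # chronological order per client
        run = best = 1
        for (prev_ts, prev_id), (ts, doc_id) in zip(hits, hits[1:]):
            if doc_id == prev_id + 1 and (ts - prev_ts).total_seconds() <= window_seconds:
                run += 1
            else:
                run = 1
            best = max(best, run)
        if best >= min_steps:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for client, steps in find_id_walkers(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: walked {steps} consecutive document ids")
```

The thresholds are deliberately conservative so that a user opening a handful of neighbouring records from a results page is not flagged; what distinguishes the pattern in the report is the combination of strictly sequential ids, no intervening search requests and a short interval between fetches.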
According to the Halifax Chronicle-Herald, police arrested a 19-year-old man in connection with one of the breaches on April 11; however, the case was dropped in May after police determined the teen didn’t intend to commit a crime by accessing the information.
“Ultimately, this series of privacy breaches was preventable and was caused by a serious failure of due diligence in the deployment of a new technology tool,” Tully said.
“The need for independent and knowledgeable technical assessment and security testing of a tool being considered for deployment cannot be overstated in the age where applications, software and web-enabled technology tools of all size and description are being developed by vendors and marketed to public bodies regularly.
“Taking the time to diligently assess a tool at all stages of a project, before deployment, is not only necessary to meet the requirements of Nova Scotia’s existing policies, it is also statutorily required by our privacy laws.”
Although the project involved two suppliers — CSDC Inc., which developed the Amanda 7 enterprise platform used across many provincial departments, and sold licences for a case management software called AccessPro; and Unisys, which provided project management, configuration and hosting services for the website project — Tully faulted Internal Services the most, saying it incorrectly rated the risks as low based at least in part on the trusted relationship with the vendors.
“This relationship inspired a sense that the projects were low risk which permeated all aspects of the project development and deployment,” she said.
The project management process and user testing did not incorporate any technical testing and failed to recognize the risk associated with the storage database design – specifically the storage of public and private documents in the same database.
The department also failed to act on information that there were risks associated with the lack of website vulnerability scanning.
There was a privacy impact assessment, but, Tully said, it “was neither diligent nor rigorous.” Instead the government relied on one vendor for technical security measures included in the assessment.
The new website was developed during 2016 to give Nova Scotians the ability to request access to non-sensitive government information. The site was an add-on to the AccessPro solution. But among the problems was pressure to get the site online. Had there been better user testing of AccessPro and the website, it would have been clear that all documents were stored in the same location and that document status was merely a display filter, said Tully.
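As an added illustration of the design flaw the report describes (status acting only as a display filter over one shared store of numbered documents), the following Python is not code from AccessPro, Amanda 7 or the province. It places a lookup keyed on the raw sequential id beside a version that enforces the public/private boundary in the query itself and exposes only unguessable handles for released documents. The table layout, column names and sample records are constructed assumptions.

```python
import secrets
import sqlite3

# Constructed sample records (not the real FOI data): public and non-public documents
# share one table and one sequential id space, which is the design the report describes.
SAMPLE_DOCS = [
    (1001, "public", "Budget summary 2017"),
    (1002, "private", "Applicant home address and phone number"),
    (1003, "public", "Procurement guideline"),
    (1004, "private", "Medical claim details"),
]


def build_db():
    """In-memory SQLite store; public rows additionally get a random handle."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY, status TEXT NOT NULL, body TEXT NOT NULL,"
        " public_handle TEXT UNIQUE)"
    )
    for doc_id, status, body in SAMPLE_DOCS:
        # Only documents approved for release are given a handle at all.
        handle = secrets.token_urlsafe(16) if status == "public" else None
        conn.execute("INSERT INTO documents VALUES (?, ?, ?, ?)", (doc_id, status, body, handle))
    return conn


def fetch_vulnerable(conn, doc_id):
    """The flawed pattern: look up by id alone and leave 'status' for the page template
    to display. Every id that appears in a URL resolves, public or not."""
    return conn.execute(
        "SELECT id, status, body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


def fetch_hardened(conn, handle):
    """Enforce the boundary in the query: the public site accepts only handles, only rows
    marked public have one, and a private row is indistinguishable from a missing row."""
    return conn.execute(
        "SELECT id, status, body FROM documents"
        " WHERE public_handle = ? AND status = 'public'",
        (handle,),
    ).fetchone()


def public_handles(conn):
    """id -> handle for released documents; this is what a search results page links to."""
    rows = conn.execute(
        "SELECT id, public_handle FROM documents WHERE status = 'public'"
    ).fetchall()
    return dict(rows)


def count_private_leaks(conn, fetch, keys):
    """Regression check a tester would run before go-live: how many private records does
    a lookup function hand back when called with a range of candidate keys?"""
    leaks = 0
    for key in keys:
        row = fetch(conn, key)
        if row is not None and row[1] == "private":
            leaks += 1
    return leaks


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup leaks:", count_private_leaks(db, fetch_vulnerable, range(1000, 1010)))
    print("hardened lookup leaks:", count_private_leaks(db, fetch_hardened, [str(i) for i in range(1000, 1010)]))
```

Two separate controls are at work in the hardened version, and either alone would have stopped the breach described: the `status = 'public'` predicate means the server never returns a non-public row to the public site regardless of how it was addressed, and the random handle means adjacent documents have no predictable relationship in the URL, so changing a digit yields nothing. Checking both in a pre-deployment test is the kind of technical verification the report found missing.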
“Maintaining privacy and restricted access to personal information and attachments intended for individual recipients separate from documents approved for public release was a fundamental assumption of the project. Witnesses gave evidence that this core requirement was communicated to the vendor. However, as the (freedom of information) website project progressed, no one in project management or within the user group unit (IAP Services) questioned whether the technology solution could deliver what was intended. This occurred despite the mounting concerns within the user group about the quality of the product from CSDC.”
Among Tully’s recommendations:
— Strengthen privacy leadership in government and due diligence in the privacy impact assessment process;
— Take immediate steps to contain the breaches that resulted in the download of 618 documents containing personal information to a private computer that has not been secured by the department;
— Take all reasonable steps necessary to notify individuals affected by the download of the 618 documents containing personal information;
— Conduct an internal post-incident review as an aid to ensuring that the department fully understands the causes of these breaches and has identified all reasonable steps necessary to prevent future similar errors;
— Conduct an inventory of technology solutions, devices and applications across government and rate their vulnerabilities. From there create a plan to mitigate cyber security vulnerabilities beginning with systems storing the most vulnerable personal information and/or having the highest risk;
— Clarify and strengthen the role of the province’s computer system Architecture Review Board. The board “was rendered ineffective as an administrative safeguard by insufficient authority, too narrow a mandate in practice, and lack of explicit formalized processes and technical security standards.”
The department has accepted all of the recommendations.
“This investigation, along with other recent privacy breach investigations, have made it clear that our privacy laws are woefully lacking,” Tully added. “As a result, I have again written to the Premier to recommend that the changes I recommended almost two years ago be implemented,” including amendments to improve privacy breach management, notification and the powers of her office to conduct investigations.