Wednesday, March 15, 2017

Police accidentally release social media passwords to The Coast

HRP unaware the private information was given out until we noticed and told them about it.

Posted By on Wed, Mar 15, 2017 at 4:49 PM

The Coast wrote none of these tweets, but we could have.

It took several months of trying and a Freedom of Information request to get ahold of the police department’s Drug Exhibit Audit last year. Far easier than obtaining that public report was gaining access to the department’s private social media passwords, which Halifax Regional Police mistakenly and unknowingly released to The Coast.

Two weeks ago, communications advisor Cindy Bayers emailed us a copy of the police department’s Social Media Monitoring Manual as part of her response to questions about HRP's tweeting habits. The 15-page document contains basic rules on grammar and tone as well as guidelines for comment moderation.

It also includes step-by-step instructions for using HRP’s Facebook, Twitter, Photobucket and Hootsuite accounts, along with the corresponding usernames and passwords. The department was not aware of the mistake until The Coast contacted Halifax Police about it earlier this week.

“It was an error to not redact the passwords prior to the manual being sent to you,” emails Bayers. “In future, our documents will be vetted by our FOIPOP office prior to sending.”

The information was accurate at the time of the manual’s publication in February 2016, but Bayers says only two passwords hadn’t been changed since that time.

One of the still-active logins was for HRP’s Hootsuite account, which provides full access to all of the department’s Twitter accounts. The other was the email and password used to access the halifax.ca/police admin page where press releases are created and published.

It’s “potentially a serious screw-up,” says David Fraser, a privacy and technology lawyer with McInnes Cooper.

“[The Coast] is trustworthy, I presume, but credentials like that could be used for some pretty mischievous purposes,” he says. “There’s a lot of power in those passwords.”

The unsecured entry points have since had their passwords reset.

Fraser says he's glad to hear the police are using a combination of letters, numbers and symbols in their social media passwords, but he’s less impressed the login details weren’t being regularly changed and were so casually documented.

“Login credentials should never be stored in a manner where they’re even potentially widely accessible like that,” he says. “I think, kind of, just basic information security practices says that should be the case.”

According to Bayers, the department had already been having earnest discussions over the last few weeks about a new “password strategy” for its social media, which when implemented will begin changing the login info every month.

The Social Media Monitoring Manual is used by the public relations unit to help train HRP staff tasked with monitoring police social media accounts. You can read the full document below. To the best of Bayers’ knowledge, it hasn’t been shared with any other members of the public or media.




© 2017 Coast Publishing Ltd.