In addition to a Halifax teenager's computer, eleven other IP addresses downloaded 900 public-facing documents containing private information from the province's Freedom of Information web portal this past March.
The additional leaks were disclosed Monday as part of an overall update on the FOI privacy nightmare that's engulfing the
The Freedom of Information and Protection of Privacy (FOIPOP) website has been offline since early April when a government employee accidentally discovered an obvious security flaw that allowed for the easy access of personal files simply by altering numbers in URLs.
It was an oversight that allowed a 19-year-old man in Halifax to download 7,000 documents between March 3 and 5. The teenager, who has told the media he was only conducting research on what he thought were public documents, is awaiting a day in court on a charge of unauthorized computer use.
The province says this latest round of data leaks contains 900 documents downloaded by 11 different IP addresses from late February to early April. All of the files were part of the same 7,000 documents already accidentally released.
The 11 additional IP addresses—all from Nova Scotia—have also been forwarded to Halifax Regional Police to investigate.
The news was met with harsh words from opposition critics.
Interim Progressive Conservative leader Karla MacFarlane says the latest breach proves the Liberal government can’t be trusted to keep personal data safe.
“The Liberals left the portal wide open. They used full force to arrest a 19-year-old kid but now they must be left scratching their heads,” she says in a written statement. “This is pure incompetence.”
Dave Wilson, NDP Internal Services critic, says in an emailed statement that the province shouldn’t be surprised the data was accessed multiple times given its weak security.
“Premier McNeil and his government need to acknowledge the system in place wasn’t good enough and tell people what is being done moving forward to protect private information.”
Provincial spokesperson Brian Taylor says the extra abnormal activity was flagged by vendor Unisys and confirmed by Internal Services staff two weeks ago on April 17.
The 53 people impacted by these latest security failures would have already received a letter informing them that their information was put at risk in the prior breach. Nevertheless, another round of letters will be sent out.
The province’s privacy commissioner and auditor general are both working on parallel investigations into the FOIPOP mess, while IT staff and Unisys work to get the website back online—and finally secured.