Province to decide soon on renewing IT contract linked to private-data breach
Government has paid company more than $50M since 2004, including $245K a year for breached FOIPOP site
The Nova Scotia government will decide in the coming weeks if it will renew the IT contract for systems that include the software used to operate the Freedom of Information and Protection of Privacy portal, the website that left thousands of personal documents unprotected.
The Unisys contract ends in June and government officials said a decision would come soon.
The government has faced constant criticism since Wednesday after revealing someone accessed 7,000 documents containing sensitive and personal information that never should have been made available through the website.
The information was accessed not through a hack, but simply by altering characters in the website's URLs.
Security concerns raised in 2016
The problem was discovered last week, but the information was actually accessed between March 3 and 5. The discovery came by fluke when a government employee made a typing error on the site and gained access to people's personal information.
Concerns about the software used to operate the FOIPOP portal and other government websites were raised long before last week's revelations.
In a November 2016 report, Auditor General Michael Pickup flagged concerns about the software, known as AMANDA, noting there was work to do to fully comply with IT security standards and that services could be better managed.
Pickup noted the government spent $20 million on technical support from 2011-12 to 2015-16 for a variety of websites that use AMANDA. On average the province pays the company Unisys $4 million for support and services, Pickup found.
Since Unisys took the contract in 2004-05, the province had paid the company more than $50 million at the time of Pickup's report.
Government officials said this week the contract to operate the FOIPOP portal, which was added to a contract Unisys already had, is worth $245,000 a year.
4 of 6 recommendations not implemented
Pickup's report made six recommendations:
- The Department of Internal Services should apply security configuration standards for AMANDA and its related infrastructure to protect the confidentiality, integrity and availability of information.
- The department should develop and use a process to periodically obtain and assess feedback from client departments on whether AMANDA and related services meet their needs.
- The department should develop and communicate a policy requiring departments to periodically assess their employees' AMANDA access permissions.
- The department should better manage the Unisys contract to ensure it meets program needs and should reassess the contract terms before the 2018 renewal to ensure they meet the requirements of the province.
- The department should assess the value for money of AMANDA before the June 2018 Unisys contract-end date.
- The department should develop and use a process to prioritize department change requests.
Of those recommendations, government officials said on Friday only the first two are complete, while work on the other four remains in progress.
Premier Stephen McNeil wouldn't say Friday if he thought the money spent related to the FOIPOP portal was a good investment. He disputed the suggestion that the door was wide open on the website.
"The door wasn't wide open," McNeil told reporters. "Someone had to make changes to go get that information, to steal the information."