Government failings exacerbated 2023 breach, says N.S. privacy commissioner
Tricia Ralph also found the government took reasonable actions in the wake of the attack

Nova Scotia's information and privacy commissioner says the provincial government did not have reasonable security and information practices in place before a massive security breach in 2023 involving a file transfer service.
Tricia Ralph released her investigation report into the MOVEit privacy breach on Wednesday, finding that the province's protocols before the breach exacerbated the impact of the cybersecurity attack, and some of its actions afterward increased stress for the victims.
"We, as citizens, must demand more of the public institutions that collect personal information about us," Ralph said in a news release about her report. "Real leadership at the highest level in the Nova Scotia government is needed to ensure that adequate security and information practices, which are required by law, are implemented."
The breach came to light in June 2023, when the Nova Scotia government held a rare Sunday afternoon news conference to alert the public to a "global cybersecurity issue" that had resulted in the theft of personal information.
The attack on the province was part of a much larger global breach involving MOVEit, a managed file transfer product used by public and private sector organizations to exchange files containing personal information. Attackers exploited a then-unpatched vulnerability in the MOVEit Transfer software itself to steal data from many of the organizations running it. The breach affected an estimated 18.5 million people worldwide.
100,000 Nova Scotians affected
At the time, Colton LeBlanc, the minister responsible for cybersecurity and digital solutions, told reporters the government didn't know how many Nova Scotians were affected or what information was stolen.
In the following days, it became clear that about 100,000 Nova Scotians were affected, including current or past employees of Nova Scotia Health, the IWK and the provincial civil service. The stolen information included banking details, home addresses, social insurance numbers, health card numbers and dates of birth.
Later, additional affected groups were identified by the government, including newborns, students, people who received parking tickets, and teachers, among many others.
Nova Scotia's information and privacy commissioner launched her investigation into the breach that December.
Report findings
Ralph's report says basic practices — such as completing a privacy impact assessment, a structured review that identifies the privacy risks of a system before it is put into use — were not implemented, and the government was therefore not in compliance with the Freedom of Information and Protection of Privacy Act or the Personal Health Information Act.
The government did not tell users of the MOVEit system how long they should keep files in it, the report says, and MOVEit ended up being used as a "repository for extraneous records," in some cases for years rather than the system's default retention period of 14 days. Because everything still sitting in the system was exposed when it was compromised, the retention of those unnecessary records made the extent of the breach significantly worse, Ralph's report says.

Ralph found that in the wake of the breach, some of the province's actions were reasonable, such as notifying affected people quickly and offering credit monitoring for five years.
But she said the notification letters to breach victims did not have enough information, adding to their stress and worry. The government's contact information for victims was also outdated, so many did not even receive notification and could not take steps to protect themselves. At least 14,000 of the 168,000 letters that were mailed out were returned due to a wrong address.
The Office of the Information and Privacy Commissioner received 110 complaints from Nova Scotians about the breach.
Commissioner's recommendations
Ralph issued eight recommendations in her report, including that the government specify the maximum time that files can remain in the MOVEit system, that it monitor the use of MOVEit at least yearly, and that it make public the appropriate portions of its privacy impact assessment on MOVEit.
Ralph also recommended that the government consult with the Office of the Information and Privacy Commissioner before issuing any future privacy breach notification letters, and make every effort to update the contact information the government holds on residents.
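The retention failure the report describes, and the recommendation to set a maximum file age and monitor the system at least yearly, come down to one control: periodically sweeping the transfer store for anything older than the policy allows. The following is an added illustration of that sweep, written for this page and not code from the Nova Scotia government or from the MOVEit product. It assumes a directory tree standing in for the transfer store and uses file modification time as a stand-in for the upload time a real managed file transfer system would record; the file names, ages and the 14-day default are constructed sample values.

```python
"""Retention sweep for a file-transfer store (added example, constructed data).

Flags every file older than the retention policy, summarizes the exposure
(how many files, how many bytes, how old) and optionally purges them.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

DEFAULT_RETENTION_DAYS = 14  # the system default cited in the commissioner's report
SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class OverdueFile:
    relpath: str      # path relative to the store root
    age_days: int     # whole days since the file was last written
    size_bytes: int


def find_overdue(root: str | os.PathLike, now: float,
                 max_age_days: int = DEFAULT_RETENTION_DAYS) -> list[OverdueFile]:
    """Return files under `root` whose mtime is older than `max_age_days` before `now`."""
    root = Path(root)
    cutoff = now - max_age_days * SECONDS_PER_DAY
    overdue: list[OverdueFile] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_mtime < cutoff:
            overdue.append(OverdueFile(
                relpath=path.relative_to(root).as_posix(),
                age_days=int((now - st.st_mtime) // SECONDS_PER_DAY),
                size_bytes=st.st_size,
            ))
    return overdue


def summarize(overdue: list[OverdueFile]) -> dict:
    """Exposure summary: what a yearly monitoring report would carry."""
    return {
        "files": len(overdue),
        "bytes": sum(f.size_bytes for f in overdue),
        "oldest_days": max((f.age_days for f in overdue), default=0),
    }


def purge(root: str | os.PathLike, overdue: list[OverdueFile],
          dry_run: bool = True) -> list[str]:
    """Delete the flagged files (report only when dry_run=True). Returns the paths handled."""
    handled = []
    for f in overdue:
        if not dry_run:
            (Path(root) / f.relpath).unlink()
        handled.append(f.relpath)
    return handled


def build_demo_tree(root: str | os.PathLike, now: float) -> None:
    """Constructed sample store: four transfers, ages in days (hypothetical names)."""
    samples = {
        "payroll/2023-05-31_deposit.csv": 3,     # within policy
        "hr/new_hires.xlsx": 13,                 # within policy, one day to spare
        "hr/archive/2019_benefits.pdf": 1460,    # left for years, as the report describes
        "health/card_numbers.txt": 45,           # overdue
    }
    for rel, age in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x" * 100)
        mtime = now - age * SECONDS_PER_DAY
        os.utime(p, (mtime, mtime))


def demo() -> dict:
    """Build the sample store, sweep it at a fixed clock, purge, and report."""
    now = 1_700_000_000.0  # fixed "current time" so the result is deterministic
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp, now)
        overdue = find_overdue(tmp, now)
        report = summarize(overdue)
        report["overdue"] = [f.relpath for f in overdue]
        report["purged"] = purge(tmp, overdue, dry_run=False)
        report["remaining"] = sorted(
            p.relative_to(tmp).as_posix() for p in Path(tmp).rglob("*") if p.is_file()
        )
    return report


if __name__ == "__main__":
    print(demo())
```

Run as a scheduled job with `dry_run=True` first, so the summary doubles as the periodic monitoring record the recommendations call for; only switch to deletion once users have been told the maximum file age. In a real deployment the upload timestamp from the transfer system's own database should replace the filesystem mtime.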
In an interview with CBC's Mainstreet Halifax, Ralph said while there were many lessons for government stemming from the MOVEit breach, there were also lessons for residents.
"They can and they should be asking government questions: 'What practices do you have in place to safeguard the information you're collecting about me?'"
She said people should also ask why certain pieces of information are being collected, and if it is necessary.
"We should be asking and demanding more from our governments.… We have the right to ask about it, and we have the right to set expectations in terms of what security measures are put in place."
Government response
The news release said the government is considering Ralph's report and will have 30 days to decide whether it will follow her recommendations.
A spokesperson for the Department of Cyber Security and Digital Solutions said in a statement the government has issued its own report and has already acted on many of Ralph's recommendations. Rachel Boomer said the privacy impact assessment is almost complete, the government has updated its incident management process, and data retention will be part of every privacy impact assessment.
"Cybersecurity threats are ever-present," the statement said. "We will continue working to find ways to keep Nova Scotians' personal information as secure as possible."
With files from the CBC's Mainstreet Halifax