31 January 2008

Atty Gen'l: identity theft potential exists for victims of gov't InfoSec breach

Attorney General Jerome Kennedy said today that 153 residents of the province, including 108 clients of the province's workers compensation agency, face the potential risk of identity theft as a result of a computer security breach by a consultant working for the agency.

A total of 694 files were exposed to the Internet for an undisclosed period of time, through an unspecified file-sharing program. While a forensic investigation has been conducted by at least one computer security firm, the minister did not confirm whether or not the files had actually been accessed.

The information included names, addresses, medical histories, work histories, sex and date of birth.

In a backgrounder to the lengthy news release, the provincial government confirms that until now, there was no government policy requiring outside consultants to adhere to government security protocols on access to information.

This situation appears to have existed despite five years of preparation before the government implemented privacy sections of a new access to information law. The law was implemented on January 16 and the security failure occurred on January 22. it was disclosed three days later.

The actions taken by the province's chief information officer in the wake of the breach include installing new software, holding educational sessions for employees and other actions that presumably were not done since the chief information office was created and well before the privacy rules came into effect.