It’s bad enough that hackers are able to exploit software vulnerabilities in IT environments to make off with sensitive data, but too often mistakes and misconfigurations by employees also lead to data being exposed. Two incidents reported this week show how serious this can be.
CBC News discovered the first incident recently which involved perhaps a decade’s worth of unedited decisions of the Nova Scotia Workers Compensation Board Appeal Tribunal (WCAT) being posted on a Canadian legal news website called CanLII with names of workers. Some of the information also included intimate personal information about claimants. Usually, names and other identifying information in those cases are deleted.
UPDATE: CBC News reported on June 24th that the number of unredacted decisions posted around May 7 totalled 10,599 cases. Of those 555 were accessed before the decisions were taken offline on May 12.
UPDATE: In a posting to its website the Tribunal said the breach occurred when pre-2010 decisions were transferred from a government-maintained public website to CanLII. “The old government website used software which was not maintained, or used by WCAT or Nova Scotia Digital Service and needed to be shut down. The software filtered out the names of workers and employers in the published decisions. It was the Tribunal’s intention that the data transferred to CanLII was to appear without names. While there were safeguards in place for the transfer to protect privacy, these failed. The Tribunal accepts that these safeguards were inadequate. We are taking measures to ensure this will not happen again.”
- Configuration mistakes blamed for bulk of stolen records last year
- Errors blamed for 21 per cent of data breaches
Nova Scotia removed the unedited documents after being told of their discovery by CBC.
“It’s terrible to hear,” the broadcaster quoted one WCB claimant whose 2009 case was posted. “I was shocked more than anything.”
The incident involves decisions between 1998 and 2009 of the Tribunal that were uploaded to the website of the Canadian Legal Information Institute (CANLII). Lawyers and legal researchers use the decisions filed there to support their cases. However, the database is open to the public.
According to the CBC, all WCAT cases filed after 2010 had the names of the worker and their employer redacted.
Asked for comment, the tribunal issued a statement saying it “is aware of this situation, and WCAT is following the Province’s privacy breach protocol. The WCAT has reported this incident to the Privacy Review Officer.”
The provincial information and privacy commissioner’s office has been notified of the incident. Provincial legislation doesn’t mandate that victims of a WCAT data breach be notified.
In the second case, Wired.com discovered a presumably confidential U.K. health department document on a public Google drive with possible new features for the country’s COVID-19 contact tracing app. The series of slides, marked ‘OFFICIAL – SENSITIVE’, was part of a group of documents intended to be open so the public can see how the app, now in a trial, was developed.
Wired says the sensitive document was part of a group published by the U.K. National Health Service (NHS) on a Google Drive. It was accompanied by a privacy impact assessment of a U.K. COVID-19 contact tracing app now being tested and could be seen by anyone with a link. While other documents could not be accessed without approval, the sensitive slide deck with potential features wasn’t.
What could make the slide deck embarrassing to the government is it contains possible features to be added to the already controversial app now being tested among the population of the Isle of Wight. In addition to disputes over whether such mobile apps are effective in helping control the rate of infection, privacy and health experts are fighting over whether an approved app should hold encrypted contact information on a mobile device (the decentralized model pushed by Google and Apple) or uploaded to a government-controlled server (the centralized model). The U.K. app being tested uses a centralized model. However, this week news emerged that the U.K. government is also paying for the development of a decentralized app.
The slides say a future version of the app being tested could allow users to periodically enter their personal health status, as well as their postal code, demographic and location information to help the NHS in infection planning.