Latest news with #TriciaRalph
Yahoo
19-02-2025
- Health
- Yahoo
Government failings exacerbated 2023 breach, says N.S. privacy commissioner
Nova Scotia's information and privacy commissioner says the provincial government did not have reasonable security and information practices in place before a massive security breach in 2023 involving a file transfer service. Tricia Ralph released her investigation report into the MOVEit privacy breach on Wednesday, finding that the province's protocols before the breach exacerbated the impact of the cybersecurity attack, and some of its actions afterward increased stress for the victims. "We, as citizens, must demand more of the public institutions that collect personal information about us," Ralph said in a news release about her report. "Real leadership at the highest level in the Nova Scotia government is needed to ensure that adequate security and information practices, which are required by law, are implemented." The breach came to light in June 2023 and the Nova Scotia government held a rare Sunday afternoon news conference to alert the public of a "global cybersecurity issue" that resulted in the theft of personal information. The cybersecurity attack was part of a huge global breach involving MOVEit, a file transfer service used by the public and private sector to share personal information. The breach affected an estimated 18.5 million people worldwide. 100,000 Nova Scotians affected At the time, Colton LeBlanc, the minister responsible for cybersecurity and digital solutions, told reporters the government didn't know how many Nova Scotians were affected or what information was stolen. In the following days, it became clear that about 100,000 Nova Scotians were affected, including current or past employees of Nova Scotia Health, the IWK and the provincial civil service. The stolen information included banking details, home addresses and social insurance numbers. Later, additional affected groups were identified by the government, including newborns, students, people who received parking tickets, and teachers, among many others. Nova Scotia's information and privacy commissioner launched her investigation into the breach that December. Report findings Ralph's report says basic practices — such as completing a privacy impact assessment, a tool that identifies risks of a system — were not implemented and the government was therefore not in compliance with the Freedom of Information and Protection of Privacy Act or the Personal Health Information Act. The government did not tell users of the MOVEit system how long they should keep files in it, the report says, and MOVEit ended up being used as a "repository for extraneous records." The retention of those unnecessary records in the system made the extent of the breach significantly worse, Ralph's report says. Ralph found that in the wake of the breach, some of the province's actions were reasonable, such as notifying affected people quickly and offering credit monitoring for five years. But she said the notification letters to breach victims did not have enough information, adding to their stress and worry. The government's contact information for victims was also outdated, so many did not even receive notification and could not take steps to protect themselves. The Office of the Information and Privacy Commissioner received 110 complaints from Nova Scotians about the breach. Commissioner's recommendations Ralph issued eight recommendations in her report, including that the government specify the maximum time that files can remain in the MOVEit system, that it monitor the use of MOVEit at least yearly, and that it make public the appropriate portions of its privacy impact assessment on MOVEit. Ralph also recommended that the government consult with the Office of the Information and Privacy Commissioner before issuing any future privacy breach notification letters, and make every effort to update the contact information the government holds on residents. The news release said the government is considering Ralph's report and will have 30 days to decide whether it will follow her recommendations. MORE TOP STORIES
CBC
19-02-2025
- Health
- CBC
Government failings exacerbated 2023 breach, says N.S. privacy commissioner
Nova Scotia's information and privacy commissioner says the provincial government did not have reasonable security and information practices in place before a massive security breach in 2023 involving a file transfer service. Tricia Ralph released her investigation report into the MOVEit privacy breach on Wednesday, finding that the province's protocols before the breach exacerbated the impact of the cybersecurity attack, and some of its actions afterward increased stress for the victims. "We, as citizens, must demand more of the public institutions that collect personal information about us," Ralph said in a news release about her report. "Real leadership at the highest level in the Nova Scotia government is needed to ensure that adequate security and information practices, which are required by law, are implemented." The breach came to light in June 2023 and the Nova Scotia government held a rare Sunday afternoon news conference to alert the public of a "global cybersecurity issue" that resulted in the theft of personal information. The cybersecurity attack was part of a huge global breach involving MOVEit, a file transfer service used by the public and private sector to share personal information. The breach affected an estimated 18.5 million people worldwide. 100,000 Nova Scotians affected At the time, Colton LeBlanc, the minister responsible for cybersecurity and digital solutions, told reporters the government didn't know how many Nova Scotians were affected or what information was stolen. In the following days, it became clear that about 100,000 Nova Scotians were affected, including current or past employees of Nova Scotia Health, the IWK and the provincial civil service. The stolen information included banking details, home addresses and social insurance numbers. Later, additional affected groups were identified by the government, including newborns, students, people who received parking tickets, and teachers, among many others. Nova Scotia's information and privacy commissioner launched her investigation into the breach that December. Report findings Ralph's report says basic practices — such as completing a privacy impact assessment, a tool that identifies risks of a system — were not implemented and the government was therefore not in compliance with the Freedom of Information and Protection of Privacy Act or the Personal Health Information Act. The government did not tell users of the MOVEit system how long they should keep files in it, the report says, and MOVEit ended up being used as a "repository for extraneous records." The retention of those unnecessary records in the system made the extent of the breach significantly worse, Ralph's report says. Ralph found that in the wake of the breach, some of the province's actions were reasonable, such as notifying affected people quickly and offering credit monitoring for five years. But she said the notification letters to breach victims did not have enough information, adding to their stress and worry. The government's contact information for victims was also outdated, so many did not even receive notification and could not take steps to protect themselves. The Office of the Information and Privacy Commissioner received 110 complaints from Nova Scotians about the breach. Commissioner's recommendations Ralph issued eight recommendations in her report, including that the government specify the maximum time that files can remain in the MOVEit system, that it monitor the use of MOVEit at least yearly, and that it make public the appropriate portions of its privacy impact assessment on MOVEit. Ralph also recommended that the government consult with the Office of the Information and Privacy Commissioner before issuing any future privacy breach notification letters, and make every effort to update the contact information the government holds on residents.
