Technical glitch exposes candidates’ private information on government Web site
When legal researcher Russell Prime filled out an online job application for the Government of Nova Scotia early this week, he didn’t expect his work history to show up in a simple search at a departmental home page.
But that was what happened this week when Canadian HR Reporter typed in a few keywords at the site in the course of research.
It was all there, the broad outlines of his life: his previous jobs, his church involvement, his personal phone number.
Prime’s wasn’t the only job application that the province let loose in cyberspace up until Wednesday. A search for “secretary” brought up half a dozen job applicants. A search for common terms like “ESL” or “project” would bring up several more applications, some with home addresses, others with badly spelled cover letters.
Some were submitted as far back as January 2002; others were filled out just hours before the Public Service Commission was alerted to the problem Wednesday. They targeted positions in a variety of departments, from entry levels to as high up as “senior corporate policy analyst.”
Prime is about to finish off two part-time contracts in Digby, N.S., so he doesn’t mind people knowing that he’s looking for work. And with a computer background, Prime already knows that nothing is 100 per cent secure on the Internet. But it’s hard not to divulge important information about oneself on a job application, he adds.
“There might be people who are divorced and who don’t want their spouses to know where they live,” he added. “I can see where this information would be very detrimental to those people.”
Province looking for answers
Cathy Shaw, spokesperson for Nova Scotia’s Public Service Commission, told Canadian HR Reporter that staff at the commission were trying to find out how long the breach of security was in place, how many applications were exposed, and how many outsiders had accessed the application forms before the problem was repaired.
“The technical issue is related to a file on a server. The protection that was applied to that file folder was disabled, and we’re trying to find out when that occurred. So it’s a small coding error, and this sort of error can occur no matter what system you have. But it was certainly meant to be in a secured area,” said Shaw.
The IT department is also trying to find whether a similar problem could have affected other government files, she said, adding that a thorough review of the Web site last summer — the last time the site was reviewed — didn’t turn up any problem, she said.
New era of privacy awareness
This security lapse occurred in a new era of privacy awareness, with employers under pressure to do a better job of protecting the personal information of both customers and employees. Effective Jan. 01 2004, almost all private businesses in the country will be covered by a new privacy protection law, the Personal Information Protection and Electronic Document Act (PIPEDA) until provinces can produce “substantially similar” legislation of their own (for more on PIPEDA, click on the article link below).
Darce Fardy, Freedom of Information and Privacy Review Officer, said this was a serious breach of the province’s own Freedom of Information and Protection of Privacy Act.
“I would be looking for the government to come back to me with a report on how this happened, and what the government is doing to ensure Nova Scotians that their information is not out there, accessible to anyone who would care to look for it,” he said. He added, however, that penalties for violating the act would apply only when the breach was done out of malice.
He said that although the province’s privacy law doesn’t provide for penalties or civil claims for such privacy lapses, the stick to wave at corporations is public trust.
“If people felt that the Web site isn’t secure, then they wouldn’t be making use of them, and that would certainly put the government back in terms of its ability to recruit.”
At the Ottawa-based Commonwealth Centre for e-Governance, executive director Thomas Riley said even if security lapses like this might be technical, the broader cause is operational. “The thing about technology is that it creates dangers and results in people’s personal information getting out there. Organizations certainly have to have a system to catch technical glitches and they have to monitor their own infrastructure to make sure that the secure channels are secure.”
Planning
Ann Cavoukian, Information and Privacy Commissioner of Ontario, said organizations have to get into the habit of thinking about security at the design level. “This sort of things happens with great frequency. And a lot of the security breaches are not intentional. Organizations always say that they didn’t mean it, and we accept that. But you can design your software in such a way to prevent or minimize the disclosure.” Put up firewalls, come up with a policy about who can access what information, and encrypt the data, she said.
“If you encrypt or code your sensitive information, what would have happened in this case is the same information would be revealed online, but the resumes, for example, would appear as gibberish.”
As for Prime, he will hesitate the next time he comes across an online application submission form, but he knows he can’t avoid them together. Like other job candidates whose files were displayed at the Nova Scotia Web site, Prime is learning to live with a certain sense of powerlessness, a certain amount of acceptance that there are always potential risks to his privacy.
“I don’t think I can stop these online application forms altogether, so I guess I’ll just try to keep my personal information out of these things.”
But that was what happened this week when Canadian HR Reporter typed in a few keywords at the site in the course of research.
It was all there, the broad outlines of his life: his previous jobs, his church involvement, his personal phone number.
Prime’s wasn’t the only job application that the province let loose in cyberspace up until Wednesday. A search for “secretary” brought up half a dozen job applicants. A search for common terms like “ESL” or “project” would bring up several more applications, some with home addresses, others with badly spelled cover letters.
Some were submitted as far back as January 2002; others were filled out just hours before the Public Service Commission was alerted to the problem Wednesday. They targeted positions in a variety of departments, from entry levels to as high up as “senior corporate policy analyst.”
Prime is about to finish off two part-time contracts in Digby, N.S., so he doesn’t mind people knowing that he’s looking for work. And with a computer background, Prime already knows that nothing is 100 per cent secure on the Internet. But it’s hard not to divulge important information about oneself on a job application, he adds.
“There might be people who are divorced and who don’t want their spouses to know where they live,” he added. “I can see where this information would be very detrimental to those people.”
Province looking for answers
Cathy Shaw, spokesperson for Nova Scotia’s Public Service Commission, told Canadian HR Reporter that staff at the commission were trying to find out how long the breach of security was in place, how many applications were exposed, and how many outsiders had accessed the application forms before the problem was repaired.
“The technical issue is related to a file on a server. The protection that was applied to that file folder was disabled, and we’re trying to find out when that occurred. So it’s a small coding error, and this sort of error can occur no matter what system you have. But it was certainly meant to be in a secured area,” said Shaw.
The IT department is also trying to find whether a similar problem could have affected other government files, she said, adding that a thorough review of the Web site last summer — the last time the site was reviewed — didn’t turn up any problem, she said.
New era of privacy awareness
This security lapse occurred in a new era of privacy awareness, with employers under pressure to do a better job of protecting the personal information of both customers and employees. Effective Jan. 01 2004, almost all private businesses in the country will be covered by a new privacy protection law, the Personal Information Protection and Electronic Document Act (PIPEDA) until provinces can produce “substantially similar” legislation of their own (for more on PIPEDA, click on the article link below).
Darce Fardy, Freedom of Information and Privacy Review Officer, said this was a serious breach of the province’s own Freedom of Information and Protection of Privacy Act.
“I would be looking for the government to come back to me with a report on how this happened, and what the government is doing to ensure Nova Scotians that their information is not out there, accessible to anyone who would care to look for it,” he said. He added, however, that penalties for violating the act would apply only when the breach was done out of malice.
He said that although the province’s privacy law doesn’t provide for penalties or civil claims for such privacy lapses, the stick to wave at corporations is public trust.
“If people felt that the Web site isn’t secure, then they wouldn’t be making use of them, and that would certainly put the government back in terms of its ability to recruit.”
At the Ottawa-based Commonwealth Centre for e-Governance, executive director Thomas Riley said even if security lapses like this might be technical, the broader cause is operational. “The thing about technology is that it creates dangers and results in people’s personal information getting out there. Organizations certainly have to have a system to catch technical glitches and they have to monitor their own infrastructure to make sure that the secure channels are secure.”
Planning
Ann Cavoukian, Information and Privacy Commissioner of Ontario, said organizations have to get into the habit of thinking about security at the design level. “This sort of things happens with great frequency. And a lot of the security breaches are not intentional. Organizations always say that they didn’t mean it, and we accept that. But you can design your software in such a way to prevent or minimize the disclosure.” Put up firewalls, come up with a policy about who can access what information, and encrypt the data, she said.
“If you encrypt or code your sensitive information, what would have happened in this case is the same information would be revealed online, but the resumes, for example, would appear as gibberish.”
As for Prime, he will hesitate the next time he comes across an online application submission form, but he knows he can’t avoid them together. Like other job candidates whose files were displayed at the Nova Scotia Web site, Prime is learning to live with a certain sense of powerlessness, a certain amount of acceptance that there are always potential risks to his privacy.
“I don’t think I can stop these online application forms altogether, so I guess I’ll just try to keep my personal information out of these things.”
