Unprotected network exposed ‘highly sensitive’ documents, says Nunavut privacy czar

Information and privacy commissioner urges affected departments to audit use of file-sharing drive

A photo of Nunavut’s legislative assembly. The territory’s information and privacy commissioner, Graham Steele, wants government departments to file reports over a serious breach of privacy involving a network drive. (Photo by Mélanie Ritchot)

By David Lochead

Nunavut’s information and privacy commissioner calls an unprotected government network drive he discovered last year a “privacy nightmare,” and says most of the departments affected by the breach have done little to respond to the problem.

“I was shocked by what I was able to see,” Graham Steele said to Nunatsiaq News, following his release of a Jan. 28 report about his findings.

Steele began a review following a complaint he received in July about a file-sharing system called the “V: drive,” which allowed Government of Nunavut employees to share information between departments.

Each Nunavut community had its own drive, and, when used correctly, it limited who could see files to those with correct permission. But the drive was “often used incorrectly,” and when this occurred, any GN worker from that community could view any document contained within.

Steele said that he found “dozens, and maybe hundreds, of files with privacy-invasive content.”

“I saw files with personal information touching on health, education, corrections, child protection, human resources, and more,” the report states.

“Some of it was highly sensitive, like diagnoses, prescriptions, and medical photographs. Some of it, if publicly released, could have endangered the health and safety of GN employees and others. None of it should have been left unprotected on the V: drive.”

Steele is unsure of how long there had been open access to the drive, but it was “at a minimum, a number of years.”

The network drive served a useful purpose, Steele’s report said: “it allowed cross-departmental collaboration within a community.”

But there were no controls to ensure the drive was being used correctly. Some files could have been uploaded to the V: drive by accident, or because the person uploading didn’t understand privacy risks, states the report. And once a file was up, there was nobody making sure it would get deleted, which led to sensitive documents accumulating over time.

When Steele learned about the issue, he contacted the Department of Community and Government Services, which runs the government’s computer systems. Within several days, access to the network drive was restricted.

In early September, he recommended the government plan to begin to replace or reconfigure the drive. On Nov. 1, the government shut down the V: drive and replaced it with something more secure.

Then, Yuri Podmoroff, the territorial ATIPP manager, contacted each public body that had unprotected files on the network drive and told them they should do a privacy breach assessment and, where appropriate, file a privacy breach report.

“That is what the law requires,” Steele’s report states. “I then waited for the privacy breach reports to roll in. And waited. And waited.”

In the end, he said he only received two reports – one from the Department of Economic Development and Transportation, the other from the Justice Department.

The Justice Department found a breach in operational information that, Steele said, “if it got into the wrong hands, could have had significant negative consequences, and might even have put people at risk of harm.”

The Justice Department’s audit found “a surprisingly large number of GN employees had viewed the information, even though there was no operational need for them to do so,” the report states.

“The department would not have known that if it had not investigated. That is exactly why other departments need to do the same.”

Steele is still waiting for Finance, Education, Family Services, Health and Social Services and Community and Government Services to submit their reports, said Angela Petru, a spokesperson for the Department of Executive and Intergovernmental Affairs. Her department is responsible for administration of the Access to Information and Protection of Privacy Act.

“The list is not exhaustive and other GN departments may be asked to conduct their own investigation into the matter,” she said in an email.

Nunatsiaq News asked the affected departments about the status of their investigations. Education spokesperson Troy Rhoades was the only official to respond, with a confirmation that one is underway in his department.

Steele said he published his report to light a fire under other GN departments and public bodies that haven’t submitted their privacy breach reports.

“You owe it to the people of the territory to get that work done,” he said.

Correction: This story has been corrected to properly identify the person who contacted each public body that had unprotected files on the network drive and told them they should do a privacy breach assessment and, where appropriate, file a privacy breach report.

(16) Comments:

  1. Posted by articrick on

    Incompetence from top to bottom, silly govt.

    14
    3
  2. Posted by No Surprises on

    Access to Information is given basement priority within the GN. It is an annoyance and hindrance to management, a minor budget item at EIA and a desk corner for junior policy analysts. The manager of ATIPP technically manages no one.
    .
    CGS IT are the exact same managers who were responsible for system vulnerabilities that resulted in ransomware. No heads rolled for that, and to date no one knows the insane cost they paid for Microsoft to manage it all. It seems these same managers can’t even manage an immediate response to the Privacy Commissioner.
    .
    If a ransomware attack worth tens of millions and system wide breach of GN employee privacy and otherwise sensitive government information can’t do it, it is safe to say these CGS IT are basically untouchable employees.

    31
    2
    • Posted by Manager of no one on

      You are right on all accounts, but let’s see if things can change in the next few years. It only takes a few dedicated people with support and resources to turn things around.

    • Posted by Who really got the Ransom Money? on

      And now the most prominent and widespread teaching aide is blocked in all GN classrooms; Google Classroom.

      3
      1
  3. Posted by Former Insider on

    I’ve seen this a lot in corrections. Inmate files filled with confidential information, even staff letters and medical info stored haphazardly all over the Y drive system for all to see. A complete mess that no one seems to notice or care about. It is not surprising given the abundant apathy and administrative incompetence within the department. Someone should get the bosses off Facebook for a few hours and clean things up.

    14
  4. Posted by Peculiar on

    It takes several days to get a password reset or a response to an email internally via HelpDesk or IT. But, quite easy to access a bunch of sensitive information across departments. Are other jurisdictions seeing the amount of Malware, Phishware, Ransomware attacks as the GN? Seems to be suspiciously on conveniently frequent…

    16
  5. Posted by Jeff on

    This is no surprise. I worked in Dept of Health one time & accidentally viewed this Drive. I read some pretty shocking info about a co-worker. My view of this person changed forever afterwards

    14
  6. Posted by still here on

    I will be very surprised if Mr Steele is around for much longer, he is making the government entities be accountable, which you can’t do in the north, you’re supposed to be friendly and shut up from what I have been told by human resources. Thank you Nunavut government management for the complete nepotism and favorability of hiring the people you want and not the people you need. Maybe the whole government entity needs to be put into a review, oh that was already done by the Canadian government and still nothing ever got better.

    24
    • Posted by Former GN ATIPP Insider on

      Commissioner Steele seems effective and fair.

      14
  7. Posted by Aqqaqa on

    Mr. Steele is going to end up like Dr. Anna Huang (former deputy chief public health officer who helped expose Iqaluit’s water problem).

    The GN hires people who belong to a certain group/clique rather than qualified people with proper education and credentials.

    I know some directors in the government who barely passed college, some have only high school education, but they get hired anyway. And they don’t get fired. If they screw up, GN just moved them to another department. Southerners are terminated more easily though, usually for speaking up or doing their job a bit too well.

    15
    1
  8. Posted by OMG – this is not a story! on

    This is old news, by the journalist’s own admission, the V:Drive isn’t active anymore. The investigation was done in July! Find a current story. News is supposed to be new!

    1
    9
    • Posted by John K on

      The report was released Jan 28th.

      Sit down.

      6
      2
  9. Posted by Northern Guy on

    This seems to be more of a training issue than anything else with a lot of GN employees not understanding what the drive is for and how it works. Disconnect the drive and train the users so they are aware of what they can and cannot put on there and then monitor it once it is back up and running.

    4
    1
  10. Posted by MARS on

    There should be an orientation seminar for new GN employees. Employees in large have no idea about network drives and privacy in general.

  11. Posted by Joe Miller on

    Incompetence, impropriety and bureaucracy from the GN IT cabal at work.
    The current One drive and SharePoint is no different than the V: drive in terms of security and privacy. I remember being asked to transfer documents owned by a department to another department (without authorization or representation) because big brother wants to have oversight.
    With all exposed and the millions gifted to Microsoft you would think the current systems architecture would be better.
    One would wonder why a hefty sum is paid to Gartner but their reports do not identify these vulnerabilities. Either Gartner is incompetent or the report is doctored before it’s published.
    Just like no heads rolled & there was no shake up for the ransomware (result of incompetence) I doubt anyone will be held accountable for the V: drive. The outcome expected for this goof up would probably be increased demand (by the IT Cabal) for more funding for phantom / white elephant projects and more IT resources from the sole sourced resource provider.

  12. Posted by Frank T on

    Just an example of quality in IT team. The manager of IT PMO cannot even pronounce Information technology or Project Management. Just a bench warmer. And the director in IT reviews timesheets of employees and individual contributors rather than focussing on strategic initiatives. What a joke?

Comments are closed.