An investigation into the 2023 MOVEit global cybersecurity attack, which saw thousands of individuals’ and organizations’ personal information stolen, says the Nova Scotian government failed to comply with its legal obligation to maintain reasonable security and information practices prior to the attack.
The breach occurred on May 30 and May 31, 2023, and involved a file transfer service called MOVEit, which is used by the private sector and governments across the world, including Nova Scotia. Hackers took advantage of vulnerabilities in the system to steal vast amounts of personal information like names, social insurance numbers, addresses, educational backgrounds, personal health information, and banking information.
The Nova Scotian government first announced it was subject to a cybersecurity attack on June 4, 2023. At the time, the provincial government used MOVEit to transfer large amounts of data over the Internet between users.
A year following the breach, the Nova Scotian government announced the response to the MOVEit hack had cost the province around $3.8 million.
Nova Scotia’s Information and Privacy Commissioner Tricia Ralph launched the investigation into the attack following 110 complaints from Nova Scotians who had their privacy breached.
Ralph says the Nova Scotian government failed to implement basic practices such as a privacy impact assessment (used to identify privacy risks of a system) and retention and disposition schedules (a list of how long to keep records and what to do with them when they are no longer needed), which Ralph says significantly increased the extent and impacts of the privacy breach.
“While the Nova Scotia Government took reasonable steps to contain the privacy breach, notified affected individuals in a timely manner, and offered an appropriate length of time for credit monitoring, there were also shortcomings in the Nova Scotia Government’s actions in response to the breach,” reads the release into the investigation.
Part of those shortcomings, the investigation points out, was the lack of sufficient information regarding the privacy breach in the notification letters sent out to affected individuals, as well as from the call centre staff tasked with responding to questions from those who had their information breached.
The investigation also found in many cases contact information used to send the breach notification letters was very outdated, meaning thousands of those affected did not receive notification of their information being breached and were then unable to take steps to protect themselves.
Following the investigation, Ralph has come up with a total of eight recommendations for the provincial government to better protect people’s personal information. Those recommendations include:
- In August 2024, the government indicated a privacy impact assessment (PIA) for MOVEit was being completed. If it was not yet finished, Ralph recommends completing a thorough and up-to-date PIA on its use of MOVEit within 60 days of the report.
- The Nova Scotian government make appropriate portions of the PIA on MOVEit publicly available on its website within 60 days of the report.
- The Nova Scotian government create clear retention and disposition schedules for all users of the MOVEit file transfer system, including the maximum amount of time files being transferred can remain on the repository for MOVEit, within 60 days of the report.
- The Nova Scotian government commit to ensuring retention and disposition schedules are followed by monitoring the use of the MOVEit system on at least a yearly basis.
- Within 60 days of the report, the Nova Scotian government confirms a commitment to consult with the Office of the Information and Privacy Commissioner (OIPC) in advance of issuing privacy breach notification letters for future major privacy breaches in a manner allowing for suggestions from the OIPC to be incorporated in the notification letters.
- The Nova Scotian government make every reasonable effort to ensure it has up-to-date contact information for all citizens it holds personal information about.
- The Nova Scotian government completes and posts a comprehensive post-incident response plan on its website within 90 days of the report.
- Further to the last recommendation, the Nova Scotian government completes the tasks set out in its published post-incident response plan and posts the results for the public to view within one year of the report.
“Nova Scotians have the right to know whether the public institutions that collect and use their personal information utilize systems that are secure and defensible from cyberattacks. This is why it is so important for the Nova Scotia Government to be proactive and continuously review and update its security and information practices to stay ahead of ever-evolving threat actors,” said Ralph in the release.
“The increasing number of cyberattacks does not mean that we as citizens are forced to throw our expectation of privacy out the window. It means that we, as citizens, must demand more of the public institutions that collect personal information about us.”
The Nova Scotian government now has 30 days to formally decide if it will follow the recommendations from the investigation.
N.S. responds
The Nova Scotia government issued their own report into the MOVEit breach in May 2024, where they said the system is managed by the province’s Department of Cyber Security and Digital Solutions (CSDS).
In that report, the province said they were already taking a number of steps based on what they learned from the breach. Those steps included:
- enhancing security within the MOVEit file transfer system
- improving breach protocols and incident response to ensure there is enhanced capacity to respond to large scale breaches
- improving how data is classified and managed
- continuously reviewing, adapting and evolving their Cyber Security Strategy to strengthen abilities to respond to large scale events
- introducing recurring mandatory cyber security awareness training for all staff
- working closely with national and international jurisdictions to continue to share learnings and build capacity in Nova Scotia
In a response to CTV News on Wednesday, a spokesperson from the CSDS says the province has already taken action on many of the recommendations.
CSDS says the PIA is almost complete, and they have updated their incident management process. They also note data retention will be part of every PIA.
“Cybersecurity threats are ever-present. We will continue working to find ways to keep Nova Scotians’ personal information as secure as possible,” read the statement.
