Some of the most sensitive information in B.C.’s justice system, including prosecutors’ reports, police investigations and witness statements, has been left wide open to unauthorized access and abuse because of lax security within a government computer system, says the auditor general.
The JUSTIN computer system, which links police, judges and prosecutors, allowing them to share confidential information about court cases, is ripe for exploitation due to inadequate controls, auditor general John Doyle concluded in a blistering audit released Thursday.
“What we found was very, very, very serious security flaws that stretched across almost every aspect of work that we examined,” Doyle said in an interview.
There were so many problems that Doyle reached out directly to Justice Minister Shirley Bond to explain the seriousness of his 100 recommendations and ask for immediate action.
In response, Bond asked Doyle to delay the public release of his report, originally scheduled for December, while she worked to implement fixes.
“We’re now closing the stable door, but it was left open for a very long time and there are still some issues about what’s inside that need to be addressed, and addressed quickly,” said Doyle.
The JUSTIN computer system compiles details of police investigations, witness statements, witness and victim contact information, prosecutor charge statements, and even the schedules of judges. It went online in 2001, and is jointly managed by the government, judiciary and police.
Doyle’s office probed the system’s integrity using simulated attacks and tests on user access and security clearance.
He concluded security was inadequate to prevent attackers from gaining entry. Highly sensitive information wasn’t locked down properly, and too many of the 3,300 authorized users had wide access to information they shouldn’t know.
The government also lacked a way to detect unauthorized access, and “there’s probably no way to know” what sensitive information was copied from the system, by whom, for what purpose, said Doyle.
“They had turned off all the controls that would tell them what was happening,” said Doyle.
The potential for anyone, including criminals, to have somehow gained access to police and court files should outrage the public, said NDP justice critic Leonard Krog.
“The integrity of the system has been seriously compromised and it will be a long time before there’s public trust again,” said Krog.
If the government can’t find a way to determine whether information was stolen, the uncertainty will undermine confidence in many of the cases because people won’t know who was dipping into the files, said Krog.
The government has immediately tightened security, cut 800 user accounts, limited access and enabled monitoring to detect inappropriate activity, said Bond.
“We took the report very seriously,” she said.
The auditor general also heaped blame on the ministry for “a lapse in the quality of IT leadership” in how it handles computer security problems, because many of the same concerns were raised in a 2008 audit of a corrections computer system.
Despite Bond’s assurances, Doyle said he’s still getting conflicting reports from ministry staff on whether they’ll fully act on all his recommendations, so he’s planning to monitor the system and conduct a follow-up audit.
© Copyright 2013