B.C.’s police records management system remains vulnerable to “internal attacks” even though improvements have been made since a 2013 provincial audit, says auditor general Carol Bellringer.
The PRIME B.C. computer system — which shares millions of police files, criminal records, 911 calls, contact names and other sensitive data between municipal police departments and RCMP detachments — was reviewed by Bellringer last year to see if recommendations in the previous audit were implemented.
Bellringer said Tuesday the report found PRIMECorp, the company that runs PRIME, “has made significant changes to improve security since our 2013 audit, but controls are not strong enough to properly protect the system from all cyber threats. The consequences of not keeping up with best practices in security could compromise public and police safety.”
Bellringer found that PRIME — the Police Records Information Management Environment — had adequate perimeter controls to protect against external cyber attacks, but suggested better tools to detect and prevent cyberattacks launched within the internal network.
She recommended that the confidential data stored in the PRIME-BC system be protected with multiple layers of security.
Bellringer did not go into detail about security flaws found in 2013 or existing internal security flaws in order to avoid giving a road map on how to exploit those vulnerabilities.
“The Auditor General Act requires that we report publicly on our audit. In this audit, some of our results show security weaknesses that could potentially expose the system,” Bellringer said.
A detailed breakdown of the security flaws was provided to PRIMECorp’s board of directors and “the exposures are already being remedied as we speak,” she said.
Bellringer said while there hasn’t been a breach with the PRIME system since it launched in 2001, information contained in the database is highly sensitive.
“It includes everything from someone calling in on a 911 call or any other contact with police, all the way through to the completion of the police investigation and the reports that they generate,” she said.
“There would be information in there around criminal records, victims, it would have the link to other police systems so if any information was downloaded from [those systems] it would be in the report as well.”
The original audit was launched by then-auditor general John Doyle after serious security flaws were found with the B.C. government’s justice computer database JUSTIN.
