On two occasions in March 2017, an “unknown party” accessed the names and email addresses of 270 people signed up to use a feature on the Yukon Workers’ Compensation Health and Safety Board website, the board announced Thursday.

A vulnerability in the software used to host the website enabled the privacy breach, board spokesperson Andrew Robulack explained at a media briefing this morning.

From December 2013 to March 6, 2018, anyone with knowledge of the software vulnerability and the specific website URL could have accessed a page where the 270 names and emails were published.

The board does not know the identity of the party who accessed the information.

Robulack, however, characterized it as “a harvester, someone who’s looking for easy information ... that they can harvest from the web.”

He said it appears “they were taking effort to obscure themselves, so it looks like someone who probably does this sort of thing on a regular basis, looking for information.”

After an IT system audit brought the vulnerability to the board’s attention last Friday, it was resolved on Tuesday.

It’s unknown if the exposed information was accessed prior to March 2016, as files on the server only maintain 24 months of activity data.

On Thursday, the board contacted the 270 people with names and emails exposed by the vulnerability.

They were signed up to use a “library” feature on the board’s website, which allows users to bookmark pages on the site.

“The extent of the responses so far has been ‘thank you for letting ... me know,’” Robulack said.

“There is no risk that any personal, financial, sensitive or confidential information was accessed as a result of this breach,” according to the board.

The system that hosts the board’s website does not host claimant or employer information.

“It’s worth pointing out that name and email address – this is directory information, this is sort of common information that people might have out there to the public anyway,” Robulack said, emphasizing the limited scope of the exposure.

However, the board felt this was a “significant enough breach that we had to make a public statement about it, become accountable to it,” he explained.

The software that fostered the vulnerability is called Kentico.

“It’s questionable whether we will continue to license this software,” Robulack said.

The board is also reconsidering future use of the “library” feature.

This is the first time the board has experienced an online privacy breach.

It has an extensive privacy program in place, according to Robulack, and “we do deal with privacy breaches – I wouldn’t say frequently, but they occur on a regular basis.”

However, they’re more in the line of business operations, he said, such as faxing claimant medical information to the wrong doctor.

Any time privacy is compromised, the board responds with standard breach protocol.

That includes notifying affected parties, taking corrective action, and looking to future prevention.

The board wants to institute IT system-wide audits, like the one that identified the software vulnerability, on a regular basis.

“We regret this event, there’s no other way to say it,” Robulack said.

“And it’s leading us already to work harder than we already do to protect the privacy and confidentiality of every person who interacts with us as an organization.”