Whitehorse Daily Star


Photo by Vince Fedoroff

A REGRETTABLE EVENT – Andrew Robulack, a spokesman for the Yukon Workers’ Compensation Health and Safety Board, discusses the privacy breach at this morning’s news conference in Whitehorse.

Board discloses breach of privacy incident


By Taylor Blewett on March 9, 2018

On two occasions in March 2017, an “unknown party” accessed the names and email addresses of 270 people signed up to use a feature on the Yukon Workers’ Compensation Health and Safety Board website, the board announced Thursday.

A vulnerability in the software used to host the website enabled the privacy breach, board spokesperson Andrew Robulack explained at a media briefing this morning.

From December 2013 to March 6, 2018, anyone with knowledge of the software vulnerability and the specific website URL could have accessed a page where the 270 names and emails were published.

The board does not know the identity of the party who accessed the information.

Robulack, however, characterized it as “a harvester, someone who’s looking for easy information ... that they can harvest from the web.”

He said it appears “they were taking effort to obscure themselves, so it looks like someone who probably does this sort of thing on a regular basis, looking for information.”

After an IT system audit brought the vulnerability to the board’s attention last Friday, it was resolved on Tuesday.

It’s unknown if the exposed information was accessed prior to March 2016, as files on the server only maintain 24 months of activity data.

On Thursday, the board contacted the 270 people with names and emails exposed by the vulnerability.

They were signed up to use a “library” feature on the board’s website, which allows users to bookmark pages on the site.

“The extent of the responses so far has been ‘thank you for letting ... me know,’” Robulack said.

“There is no risk that any personal, financial, sensitive or confidential information was accessed as a result of this breach,” according to the board.

The system that hosts the board’s website does not host claimant or employer information.

“It’s worth pointing out that name and email address – this is directory information, this is sort of common information that people might have out there to the public anyway,” Robulack said, emphasizing the limited scope of the exposure.

However, the board felt this was a “significant enough breach that we had to make a public statement about it, become accountable to it,” he explained.

The software that fostered the vulnerability is called Kentico.

“It’s questionable whether we will continue to license this software,” Robulack said.

The board is also reconsidering future use of the “library” feature.

This is the first time the board has experienced an online privacy breach.

It has an extensive privacy program in place, according to Robulack, and “we do deal with privacy breaches – I wouldn’t say frequently, but they occur on a regular basis.”

However, they’re more in the line of business operations, he said, such as faxing claimant medical information to the wrong doctor.

Any time privacy is compromised, the board responds with standard breach protocol.

That includes notifying affected parties, taking corrective action, and looking to future prevention.

The board wants to institute IT system-wide audits, like the one that identified the software vulnerability, on a regular basis.

“We regret this event, there’s no other way to say it,” Robulack said.

“And it’s leading us already to work harder than we already do to protect the privacy and confidentiality of every person who interacts with us as an organization.”

Comments (1)


Juniper Jackson on Mar 9, 2018 at 11:03 pm

Is there anyone left that thinks they have privacy? It's tax time.. and I am reminded of Pasloski ordering the tax information on everyone in the Territory for 2 years.. what was he going to do with that information? Snooping through everyone's finances? One of my neighbors can access all of my health records.. yup.. privacy..is just another word..doesn't mean a damned thing... BTW.. anyone know what Silver is up to regarding Yukon taxpayers? Whatever it is..it can't be good.

"There is no risk that any personal, financial, sensitive or confidential information was accessed as a result of this breach,” according to the board." Yup..not a chance..LOLOL
