On Monday, April 18th, 2016, it was discovered that a link to a confidential electronic file from the Family and Children’s Services of Lanark, Leeds and Grenville website had been posted publicly on the Smith’s Falls Swapshop Facebook page.
This link directed people to a file that contained confidential information from 285 families that are currently involved with the agency.
Police are currently investigating this as what the FACS calls a “security breach”.
The issue is that the FACS and the mass media appear to be intentionally misleading the public into believing that this was some sort of illegal attack on their website, when the reality is much different.
The link that was posted on Facebook on Monday was actually a direct link to a file on the fcsllg.ca WordPress website. The file had been improperly uploaded without password protection and could therefore have been found in any number of ways, including a careful Google search.
The least likely way for this link to have been found is some sort of illegal hacking.
The truth of the matter is that this is unlikely to have been an illegal attack; it is more likely due to the FACS’s lack of understanding of how the security of a WordPress webpage works. The file in question was insecurely posted to fcsllg.ca without password protection, but as there were likely no hyperlinks to it on the public webpage, it was assumed that the file was secure. The file was then most likely picked up by Google, where it could have been found by anyone in the world.
The next issue is the assumption by the FACS that this was most likely some sort of “Disgruntled Client” who hacked into their system and posted this file to hurt their agency. So far there is no evidence whatsoever to back this up.
This whole situation, no matter how unfortunate, appears to be a clear failure by the FACS to keep highly sensitive confidential information safe, but they are doing their very best to deflect the blame from themselves and place it on whoever most likely stumbled on the link through Google or another search engine.
This is also not the first time this has happened. Several groups, such as Canada Court Watch and the Ontario Citizens for Accountability, have in recent times made public several hidden links found in Google searches of the Ontario Association of Children’s Aid Societies website. One of these contained links to over 50 private OACAS webinars that were intended for staff only but are now being posted on YouTube, not due to illegal hacking but due to the OACAS’s lack of knowledge of internet security when they posted this information without password protection.
What really needs to be done here is not prosecuting a person who stumbled on a link. Instead, these agencies require better training for the staff who operate and publish to these sites, so that they maintain security better and mistakes like these stop happening with sensitive information.
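The failure described above, a file sitting in the web root with nothing but an unlinked URL protecting it, can be caught by a routine audit. The following is an added example, not code from the agency or from WordPress; it assumes an Apache server that honours `.htaccess` files, and the extension list, file names and directory layout are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed list of extensions that usually hold records rather than public media.
SENSITIVE_EXT = {".xls", ".xlsx", ".csv", ".doc", ".docx", ".pdf", ".zip", ".sql", ".bak"}
# Heuristic: Apache 2.4 / 2.2 directives that refuse every request for a tree.
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)

def is_denied(directory, root):
    """True if directory, or an ancestor up to root, has a deny-all .htaccess."""
    for current in [directory, *directory.parents]:
        htaccess = current / ".htaccess"
        if htaccess.is_file() and DENY_RE.search(htaccess.read_text(errors="replace")):
            return True
        if current == root:
            break
    return False

def audit_web_root(root):
    """Return relative paths of sensitive-looking files that no deny rule covers."""
    root = Path(root).resolve()
    exposed = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SENSITIVE_EXT:
            if not is_denied(path.parent, root):
                exposed.append(path.relative_to(root).as_posix())
    return sorted(exposed)

def build_sample_root():
    """Constructed sample tree: one unprotected upload, one image, one protected file."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "wp-content/uploads/2016/04/constructed-records.xlsx": "constructed sample",
        "wp-content/uploads/2016/04/logo.png": "constructed sample",
        "wp-content/private/.htaccess": "Require all denied\n",
        "wp-content/private/constructed-intake.csv": "constructed sample",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    for rel in audit_web_root(build_sample_root()):
        print("retrievable without authentication:", rel)
```

Every path it reports can be fetched by anyone who learns or guesses the URL, whether or not any page links to it, so such files belong outside the web root or behind an authenticated download handler.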