Justice Minister Shirley Bond says security holes in a public crime database have begun to be addressed.Chad Hipolito/The Globe and Mail
More than one million police files that include deeply personal witness statements and some of British Columbia's most sensitive government information are stored in a shockingly accessible computer database that Auditor-General John Doyle likened to a virtual public library.
Mr. Doyle released an audit Thursday of the provincial database known as JUSTIN, which is designed to support the administration of criminal justice cases from start to finish.
The audit, "Securing The JUSTIN System," concluded the system is not adequately protected from internal or external threats, and led Mr. Doyle to question the quality of the Justice Ministry's information technology leadership and governance.
"It's almost like a public library," said Mr. Doyle in an interview. "You can walk in and you can look at any book in the library and read it if you want to and walk out and you don't have to give your name and address."
"That's what people could do with this system," he said. "As long as they had a library card or even if they were a member of the public, they had a right to be there and they could walk in and have a look at anything."
The audit stated there are more than 3,300 JUSTIN users with access to reports to Crown counsel at all levels of government – provincial, federal and municipal – in a system spread over hundreds of locations across B.C., including more than 200 provincial and federal sites, 15 municipal police agencies, and more than 150 RCMP detachments.
Included in the database, the audit stated, are sealed court files, details relating to youth cases and pardoned people. Also inside JUSTIN are reports to Crown counsel, details of police investigations, statements by witnesses, charge assessments and witness and victim contact information.
"Information in the JUSTIN system is not safe from individuals looking to gain access to it, and equally concerning, there is very little chance the ministry would ever know that unauthorized access had occurred," said the audit.
"While the availability of JUSTIN information is critical to the administration of justice in B.C., disclosure of this information to the wrong people could compromise personal safety and the integrity of the justice system."
Justice Minister Shirley Bond said the report is deeply concerning and she said the government moved quickly to ensure more security within the system.
Ms. Bond said her ministry has reduced by 800 the number of people who had access to the system.
Ms. Bond said she asked Mr. Doyle last December to delay his scheduled release of the audit until this month to give her ministry more time to introduce measures to protect the sensitive information.
The minister said she believed members of the public whose personal information may be contained within the database can feel safe their information is secure within the database.
"That's exactly why I asked the auditor-general not to release the report in December when he had planned to do that," said Ms. Bond in an interview. "I needed to be assured that we could put those measures in place before the report was made public."
Ms. Bond said in a statement the ministry has tightened access to sensitive information, and boosted security controls and monitoring.
A project team is also overseeing plans to address any remaining security gaps.
Mr. Doyle said he will continue to monitor the JUSTIN system over the next year and provide an update. JUSTIN was introduced in 2001.
Mr. Doyle's audit makes 100 recommendations, but only five were included in the report, because the report said the others are too sensitive to be included in a public document.
Mr. Doyle said he also handed the government a private report that contains the 100 recommendations.
The five recommendations in the audit released Thursday are: reconfigure JUSTIN's control system to ensure multiple security layers; make JUSTIN access on a "need-to-know" only basis; secure, manage and monitor classified information; install tools that can track users and detect suspicious and unauthorized use; and introduce a monitoring system that detects unauthorized access and removal of JUSTIN information.
Mr. Doyle said he and Ms. Bond spoke personally about the audit.
"She's not happy with this," he said, adding Ms. Bond said, "it will be fixed."
Mr. Doyle said British Columbians should be deeply concerned about the audit's findings.
"If I was a member of the public I would want very clear assurances that this mess is being fixed quickly, efficiently and that's it's never going to happen again," he said.
Opposition New Democrat justice critic Leonard Krog said the report is a shocking revelation of how vulnerable the Liberals left the protection of sensitive information.
"With the increase in gang violence, to think there may be criminals involved in gang activity who are getting access to confidential information that might prevent their successful prosecution, that's a really shocking concept," he said.
Mr. Krog said the government's record of the management of new information technology has been dismal and the JUSTIN system is the latest example.
"Not only can they not manage the popcorn stand, they would not even know when the popcorn stand had been raided and the popcorn was gone," he said.