Security holes left justice database vulnerable to gangsters
Serious security flaws uncovered in B.C.'s criminal justice computer system could have let gangsters hack into a gold mine of sensitive information they could use to intimidate witnesses or otherwise thwart prosecutions.
The weaknesses in the JUSTIN case-tracking database were made public Jan. 24 by Auditor General John Doyle after a delay of several weeks at the province's request to allow time to plug some of the holes.
Doyle found there were inadequate controls in place to keep "motivated" criminal attackers from gaining sensitive information.
Thousands of people, both government employees and contractors, had too easy access to information that should never fall into the wrong hands – such as witness contact information and details of police investigations, including what witnesses are expected to say when they testify.
NDP justice critic Leonard Krog said the audit suggests organized crime figures could easily have gained information to help them defeat court proceedings against them.
Identities of police informants were just some of the information that was at risk, he said.
"Fighting a criminal case against organized crime is warfare," Krog said. "I think you have to assume this is just as serious as the Auditor General suggests and as serious as one could imagine."
Doyle also found there was "very little chance" government would ever discover any unauthorized access had happened or who the intruders were.
Justice Minister Shirley Bond said the government is acting on the more than 100 recommendations and that significant security risks in JUSTIN have been addressed.
"The ministry has tightened access to sensitive information, enhanced security controls, and put in place new monitoring capabilities," she said, adding a project team is in place to work with the auditor to address remaining gaps.
The government has blocked direct access from non-government computers, stepped up screening of contractors with access to JUSTIN and now requires use of more complex passwords.
In 2008, a previous audit flagged weak controls in the corrections case management system.
Doyle said those earlier recommendations should have spurred government to fix the justice case system years earlier.