The names of 285 people referred to the Family and Child Services of Lanark, Leeds and Grenville from April to November 2015 had their names revealed on Facebook Monday in what the organization is calling a hack.
The organization found out about the alleged hack around 2:00 p.m. Monday, April 18, 2016, when a link to a confidential report on client intake was posted to the Smiths Falls Swapshop Facebook page. The group is closed to about 11,000 members. A client who was named in the report as well as a community member brought the post to the FCSLLG's attention.
"We suspect it was a hack. It might not have been a sophisticated one," says Ray LeMay, the organization's executive director.
"It could have been that the (website's) security wasn't very good on our side. And I suspect that is the case," he adds.
Lemay admits the report was on the FCSLLG's website but says it was hidden behind several layers of security including a password given only to the organization's board of directors.
"You have to go through the back door. You have to be looking for this," he says.
This is the second time in about three months that the organization has had to take down its website because of security concerns. An outside expert was brought in after a February scare to better secure the website. No sensitive information was revealed or even in danger in the first breach, Lemay says. He says they made the changes and were told the website was secure.
But a woman, who CTV cannot name because she has been involved with children's aid, says the link to the report was publically available. She says she found the link in several locations online and thought it was like all the other FCSLLG documents on its website.
"I had seen this type of stuff before, like budgets," the woman says. "All of that stuff would be public. I thought maybe this was supposed to be public, too."
"It wasn't hacked. It was absolutely wasn't hacked. Anyone on Swapshop that day was able to get it because it was public," she adds.
The woman says she hoped the link would serve as a cautionary tale; as a warning to other parents about the information available on the website.
"If that kind of stuff is online willy nilly like that it makes me wonder how information like that within the office is kept," she says.
Lemay says the report in question is not "typical" of the work FCSLLG does or the documentation it keeps. He also says the organization has no reason to believe any of its other clients had their personal information compromised.
“There is a certain amount of stigma to the information we provide and people don't necessarily want to be identified so there is an added level of privacy you need to,” he says.
In light of this embarrassment, Lemay says his team is calling every person on the list to offer their condolences and sincere apologies. The team of about 14 people is also telling their clients about their options: talk to the privacy commissioner or consult a lawyer.
Publishing or revealing the names of people involved with the Children's Aid Society is a crime. Successful convictions can result in thousands of dollars in fines and even jail time.
Police in Smiths Falls and with the Ontario Provincial Police are investigating.
The website has been taken down while experts help the FCSLLG improve its security. This branch of children's aid says it is reviewing its policies when it comes to sensitive information and how it handles such documents.