2016/2026: How a Children’s Aid Society Left Vulnerable Families Exposed to the World

W5 Investigates: How a Children's Aid Society Left Families Exposed

An investigative reconstruction — The difference between a portal and a public website

📌 PROLOGUE: A Board Portal That Wasn’t

In the world of child welfare, privacy isn’t just policy—it is a legal and moral obligation.

But what happens when an organization entrusted with protecting vulnerable children allegedly "mistakes" a public website for a secure internal system?

An investigation into the Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG) revealed that highly sensitive case information was stored on a publicly accessible WordPress website—without password protection.

The consequences were severe: a $75 million class-action lawsuit, a $5 million settlement, and a court ruling that denied the organization insurance coverage.

📄 CanLII: 2021 ONSC 3310 – Settlement approval and background

At the center of the failure lies a basic question the organization did not answer:

What is the difference between the Internet, an Intranet, and an Extranet?

📡 PART 1: The Three Networks – A Primer Many Organizations Miss

According to standard industry definitions:

  • Internet: A global network connecting millions of computers. It is public and accessible to anyone.
  • Intranet: A private internal network accessible only to an organization’s staff.
  • Extranet: A controlled extension of an intranet that allows authorized external users access through authentication.

Reference: Blink – Intranet, Extranet, Internet differences

A properly designed board portal must operate on intranet or extranet principles.
FCSLLG did not.

🔓 PART 2: The “Board Portal” That Wasn’t

In 2016, confidential documents appeared on public Facebook pages. The organization claimed it had been hacked.

Court evidence showed otherwise.
IT specialist David Schmidt testified that the “portal” was simply a WordPress page.

  • No login.
  • No authentication.
  • No protection.

A judge ruled the whistleblower had done nothing wrong: The information was publicly available.

📰 Source (background reporting): Conspiranon – Family and Children’s Services of Lanark
🗞️ Ottawa Citizen reporting: CAS whistleblower acquitted — Gary Dimmock, Ottawa Citizen

⚠️ PART 3: Why WordPress Was the Wrong Tool

Security data shows:

~90%
of hacked CMS sites are WordPress
4.3%
Joomla
3.7%
Drupal

🔥 Zero‑day exploit reporting:
Dark Reading – 1M+ WordPress sites hacked via zero‑day plugin bugs

🛡️ PART 4: What a Real Board Portal Requires

A proper system includes:

  • Encryption (AES-256, RSA 4096)
  • Granular access controls
  • Multi-factor authentication
  • Audit logging
  • Remote wipe

Advanced systems include:

  • SIEM monitoring (Security Information and Event Management)
  • Centralized logging
  • Hardware Security Modules (HSMs)
✔️ These were not implemented by FCSLLG.

⚖️ PART 5: The Lawsuit and Settlement

A class-action lawsuit sought $75 million.

The case settled for $5 million in 2021.

🏛️ PART 6: The Insurance Denial

The insurer, Co‑operators General Insurance Company, denied coverage based on an exclusion for data distributed via an internet website.

Ontario Court of Appeal ruling:
Family and Children’s Services of Lanark, Leeds and Grenville v. Co‑operators, 2021 ONCA 159 (CanLII)

Case analysis:

❌ PART 7: Why the Claim Failed

Common denial reasons that applied directly to FCSLLG:

  • Inadequate security (no password, no encryption)
  • Failure to take reasonable precautions (using a public WordPress site)
  • Policy exclusions (explicit “internet website” clause)
  • Misrepresentation of systems (calling a public website a “private portal”)

Source: Daxtech – Will your cybersecurity insurance claim be denied?

📅 PART 8: A Second Breach

A second data breach occurred in 2024 — again involving the same organization.

Report:
DataBreaches.net – “I am deeply troubled”: Data breach impacts clients at Lanark County family services organization (Feb 16, 2024)

By Austin Lee, CTV News Ottawa  |  Published: February 14, 2024 at 6:44PM EST

📖 EPILOGUE: The Difference That Matters

A secure system requires:

  • Authentication
  • Controlled access
  • Monitoring
  • Encryption

This system had none.

The court concluded:
“There was no hacking. The information was publicly available.”

🔚 FINAL WORD

This was not a cyberattack.
No defenses were bypassed—because none were meaningfully in place.

Sensitive data was placed on a public system and left exposed.

The result was predictable.
And avoidable.

‘I am deeply troubled’: Data breach impacts clients at Lanark County family services organization
By Austin Lee
Published: February 14, 2024 at 6:44PM EST

📚 All source links embedded above. Investigative summary based on court records, security research, and insurance reports (2016–2026).
© W5-style reconstruction — for educational and journalistic reference.

Popular posts from this blog

THE GOLDEN BALLROOM/BUNKER

Image
Ben Meiselas reports on the shocking admission by Donald Trump’s DOJ in a court case where the DOJ admits to a secret project underneath the ballroom which they claim is needed to protect Donald Trump’s life for “national security purposes.” "You unlock this door with the key of complicity. Beyond it is another dimension — a dimension of betrayal, of indulgence, of fear. You’re moving into a land of both shadow and substance, of politics and paranoia. You’ve just crossed into… the MAGA Zone." "Tonight’s story: A leader sworn to protect his nation makes a bargain with its enemies. The deal? Silence in the face of nuclear annihilation. No retaliation, no defense — only surrender dressed in secrecy. While citizens live unaware, their president builds a palace beneath the earth, a ballroom of gold, of marble and chandeliers, a masquerade hall for billionaires. But behind the gilded doors lies not music and laughter, but a bomb shelter — a sanctuary for the few, pur...
Read more

Conceptual Summary #2: (∂t2​S−c2∇2S+βS3)=σ(x,t)⋅FR​(C[Ψ])

Image
The tests designed to find the Aether—principally the Michelson-Morley experiment (M-M)—would be largely ineffective at detecting the fundamental S field (Substrate) in the Reactive Substrate Theory (RST) framework, though their null results are highly compatible with RST's structure. The reason lies in the distinct conceptual definition and behavior of the two media. The Test: Michelson-Morley and the Aether. The M-M experiment was designed to detect the "aether wind," a predicted change in the speed of light caused by the Earth's motion relative to a stationary, rigid medium—the classical Luminiferous Aether. Classical Aether: A static, absolute reference frame; an elastic, passive, material-like medium that fills space and serves as a carrier for light waves. Predicted Result: Light traveling parallel to Earth's motion through the Aether should be slightly slower than light traveling perpendicular to it. Actual Result (Null Result): No significant differenc...
Read more

ICE PROUDLY ANNOUNCES NEW “ELITE” TASK FORCE COMMANDER JEREMY DEWITTE

Image
For Immediate Release OFFICE OF STRATEGIC SUPPRESSION & DESPERATE RECRUITMENT U.S. IMMIGRATION AND CUSTOMS ENFORCEMENT (ICE) SUBJECT: ICE PROUDLY ANNOUNCES NEW “ELITE” TASK FORCE COMMANDER JEREMY DEWITTE; AGENCY TO ADOPT FULL “MOTOR ESCORT” DOCTRINE BY Q3 WASHINGTON, D.C. — In a historic moment that experts are calling “a cry for help” and insiders are calling “Tuesday,” U.S. Immigration and Customs Enforcement (ICE) has officially appointed Jeremy Dewitte as National Coordinator of the newly created Tactical High-Visibility Fallujah Squadron & Escort Wing (T.H.V.F.S.E.W.) . This appointment follows a PBS NewsHour report highlighting ICE’s bold new hiring strategy: removing every meaningful hiring standard. After eliminating outdated requirements such as "must not be a professional police impersonator," "must possess a valid driver's license," and "must not be a registered sex ...
Read more