
If anyone deserves to go to jail in this case, it's the contractor that took government money to implement a system that relies on security through obscurity when they knew that sensitive documents may be stored in it, and then screwed that up further by allowing documents to be accessed through nothing more than incremented IDs. It should be a basic premise of the law at this point in all civilized countries that if you can access a document by submitting a normal HTTP request with no authorization headers or cookies, then the server's owners intended that document to be public.


Or the low-paid government employee who didn't bother to read security documentation and uploaded private documents to a system intended only for public documents.

"It’s very clear that the software is intended to serve as a public repository of documents. It’s also very clear that there are at least 250 documents improperly stored there by the province. Documents that the province had a responsibility to protect, and failed."

https://evandentremont.com/some-information-on-the-freedom-o...



