Massive, unfixed security flaw at Passport Canada

We just learned about a very serious security flaw in the Passport Canada website accepting online applications. Other people's information can be easily accessed by simply applying for a passport and then altering characters in your browser's address bar. The flaw was discovered by Jamie Laning, an IT worker at Algonquin Automotive, in Huntsville, Ontario. The available data includes SINs, driver's licence numbers, mailing addresses, business and phone numbers, federal ID card numbers and even a firearms licence number. Says Carlisle Adams, professor at U of O:

This is exactly how identity theft happens. If you want to take out a mortgage, for example, this is the type of information the bank is going to ask for to make sure you're really the person you're claiming to be. Then all of a sudden there's a mortgage in someone else's name.
Although Mr. Laning alerted Passport Canada to the problem last week and the site was suspended through yesterday, the problem has not been fixed, despite Passport Canada's claim to the contrary. While the security flaw in itself is not the most terrible thing, it is deeply unsettling to learn that Passport Canada was unable to fix it within one week, that it deceptively claimed to have fixed it, and that Canadian law does not even require disclosure of privacy breaches. This means there may be many more security breaches that we never learn about, unless somebody makes an FOI request.
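A flaw of the kind described above, where changing an identifier in the address bar returns someone else's record, is closed by having the server check that the requested record belongs to the logged-in session. The sketch below is an added illustration, not Passport Canada's code; the record store, field names and function names are hypothetical and the sample data is constructed.

```python
import secrets

# Constructed sample data: application records keyed by the id carried in the URL.
APPLICATIONS = {
    "A1001": {"owner": "alice", "name": "Alice Example", "sin": "000-000-001"},
    "A1002": {"owner": "bob", "name": "Bob Example", "sin": "000-000-002"},
}

# Hypothetical session table: session token -> authenticated applicant.
SESSIONS = {}


def login(user):
    """Create a session for an applicant and return its unguessable token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def get_application_vulnerable(session_token, app_id):
    """Flawed handler: any logged-in user receives whichever record id is in the URL."""
    if session_token not in SESSIONS:
        return 401, None
    record = APPLICATIONS.get(app_id)
    return (200, record) if record else (404, None)


def get_application_checked(session_token, app_id):
    """Hardened handler: a record is returned only to the session that owns it."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    record = APPLICATIONS.get(app_id)
    # Answer "missing" and "not yours" identically so the response
    # does not confirm which ids exist.
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


if __name__ == "__main__":
    token = login("alice")
    print(get_application_vulnerable(token, "A1002")[0])  # other applicant's record served
    print(get_application_checked(token, "A1002")[0])     # refused
```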
The security breach follows two significant events concerning personal information. On Nov. 21, Justice Minister Rob Nicholson introduced legislation making it an offence to obtain, possess or traffic in people's identity information for the purposes of committing a crime. Just two days earlier, Britain's tax and customs service announced it had lost disks containing banking and personal data of 25 million people.

Canadian law does not require organizations to disclose when they've suffered security breaches. In the United States the majority of states have enacted legislation requiring organizations to disclose security breaches within a specified period of time.
"I think it's very clear that a strong, mandatory security-breach law is long overdue in this country and it's cases like these that highlight it," said Michael Geist, a law professor at the University of Ottawa.
This is not the first negative media report to hit Passport Canada. Only a couple of months ago, Canadian Press issued the following:
Passport Canada is reporting continued long delays in processing mailed-in passport applications, despite a streamlined renewal process and hundreds of new employees. And there is concern those delays will only get longer as the busy winter travel season approaches. It now takes a minimum of six weeks to get a passport through the mail; two weeks longer than the agency's benchmark of four weeks.
And that doesn't include the time it takes to get applications and documents through Canada Post.
The way our secretive, inept government works, we would not be surprised if Mr. Laning were charged with terrorism. It is much easier to find a scapegoat than to hire a knowledgeable IT security firm and have the problem fixed.

UPDATE: Brian Masse (NDP) raised this issue in Question Period and Minister Maxime Bernier was told by CEO Gérard Cossette that the website is now "among the most secure".
IT Business published an article citing concerns that the privacy breach will lead to ID theft.

Source: Passport applicant finds massive privacy breach, Globe and Mail
