Passport applicant finds massive privacy breach
KENYON WALLACE
From Tuesday's Globe and Mail
December 4, 2007 at 6:44 AM EST
A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports.
The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser.
"I was expecting the site to tell me that I couldn't do that," said Jamie Laning of Huntsville. "I'm just curious about these things so I tried it, and boom, there was somebody else's name and somebody else's data."
That data included social insurance numbers, driver's licence numbers and addresses.
Also available were home and business phone numbers, a federal ID card number and even a firearms licence number.
"This is exactly how identity theft happens," said Carlisle Adams, an Internet data security expert and professor at the University of Ottawa. "If you want to take out a mortgage, for example, this is the type of information the bank is going to ask for to make sure you're really the person you're claiming to be. Then all of a sudden there's a mortgage in someone else's name."
Mr. Laning, 47, an IT worker at Algonquin Automotive, informed Passport Canada of the breach last week and the passport application site was suspended through yesterday morning.
Passport Canada spokesman Fabien Lengelle acknowledged that a security breach occurred but said that it was repaired on Friday. Yesterday's closing of the website was caused by "problems of a different nature," he said
"We've probed this issue today very thoroughly," Mr. Lengelle said. "This incident is an isolated anomaly. The online passport system is still a very highly secure application."
But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts.
"That's a concern because obviously there's a weakness in their system that exposes valuable personal information to viewing by people," said Colin McKay, a spokesman for the office of the federal Privacy Commissioner of Canada.
"It's always a concern for us when agencies don't take all the security measures they can, especially an agency like Passport Canada that deals with basic documents."
Jason Marsden, a Brampton resident whose social insurance and driver's licence numbers were accessed by Mr. Laning, said he was "totally surprised" to learn that his personal information was so readily available.
"If you read the disclaimer on the website, it's supposed to use high-tech security," Mr. Marsden said in an interview. "You'd think it wouldn't be that bloody simple."
The Passport Canada website states the federal agency is "committed to respecting the privacy of individuals who visit our Web site."
The security breach follows two significant events concerning personal information. On Nov. 21, Justice Minister Rob Nicholson introduced legislation making it an offence to obtain, possess or traffic in people's identity information for the purposes of committing a crime. Just two days earlier, Britain's tax and customs service announced it had lost disks containing banking and personal data of 25 million people.
Canadian law does not require organizations to disclose when they've suffered security breaches. In the United States the majority of states have enacted legislation requiring organizations to disclose security breaches within a specified period of time.
"I think it's very clear that a strong, mandatory security-breach law is long overdue in this country and it's cases like these that highlight it," said Michael Geist, a law professor at the University of Ottawa.
"The reality is, even with the resources and the best security people, you're only as good as your weakest link," Prof. Geist said. "One mistake can result in significant security breaches that can put huge amounts of personal information at risk."
