Due to a security lapse, personal data, including driver's licences and photos, of hundreds of thousands of users of the vaccine passport app Portpass was exposed to members of the public. The users' information was accessible for more than one hour.
By reviewing dozens of users' profiles, CBC verified that names, email addresses, phone numbers, birthdays, and photos of identification such as driver's licences and passports could easily be accessed. The information was unencrypted and viewable in plain text. The CEO of Portpass, however, denied that the app had security issues.
The portpassportal.com web app, which has about 650,000 users in Canada, was down that evening, and users were getting an error message when trying to access it.
CEO Mr. Hussein said that the breach lasted only minutes, but CBC said it had reviewed the personal information for more than an hour. It remains unknown how long the data was exposed before the security lapse came to light. The CEO admitted that there are holes and that the issues need to be fixed. He said his team was trying to locate the problem and find out why it exists in the first place.
The CEO said the data has been removed and his development team is investigating. His claim that only those who were awaiting verification were affected could not be verified.
One researcher said he was not in the least surprised to hear about this episode, because the error lies in ignoring the advice of cybersecurity experts, who constantly warn against liberal use of third-party apps. If data is not stored properly, is not encrypted, and can be accessed by unknown and unidentified persons, then the organization is exposed to threats and risks. Fraud, identity theft, ransomware and several other problems can follow for the people affected.
Earlier, Portpass CEO Mr. Hussein spoke on the radio and said the servers had been turned off to perform a security audit. In the interview, he did not mention the exposure of users' personal information.
The Calgary Sports and Entertainment Corporation (CSEC), which owns the NHL’s Calgary, had recommended the Calgary-based app Portpass for ticket holders to prove their COVID-19 vaccination status to enter the arena.
Before the security lapse was discovered, CSEC said it was aware of concerns raised about the app and was working with the app’s developer. After the article was published, CSEC withdrew its recommendation of the app from its website.
Sharon Polsky, president of the Privacy and Access Council of Canada, advised all those whose personal information may have fallen into the wrong hands to notify the office of the Privacy Commissioner. She said the company is responsible for protecting data that belongs to the people. If Portpass does not have the facilities
“Will they conduct a forensic audit and bring in a third-party independent auditor to look into the matter and find out where the has occurred?” Mr. Hussein has given assurance that his company will notify the offices of the Federal Privacy Commissioners.
The Alberta privacy commissioner's office said that it has not received a report, and that it is asking Portpass to notify the individuals if there is a risk of harm to them and to report the incident to its office. The incident was also not reported to the federal privacy commissioner, who is seeking information in order to determine a future course of action. He is also in contact with the provincial commissioner.
On Sunday, Conrad Yeung, a local web developer, questioned on social media whether the app was accurately verifying vaccination information, and CBC News contacted the company to ask for a response.
The Portpass app was facing technical difficulties and was not accurately showing vaccination status and information, but the CEO said this was due to the server being overloaded by an influx of users going to a hockey game.
The province of Alberta does not have an app for proof of vaccination, and its PDF record has been criticized because it is easily editable.
Portpass users rely on the app in the absence of a government app, and many of them are alarmed to learn that their personal data is at risk of unauthorized access.