Passport Canada web security flaw fixed; Privacy watchdog probes how applicants could view personal data of others

• Ottawa Citizen
• Windsor Star
PUBLICATION: Edmonton Journal
DATE: 2007.12.05
BYLINE: Andrew Mayeda
SOURCE: Ottawa Citizen; CanWest News Service


Passport Canada web security flaw fixed; Privacy watchdog probes how applicants could view personal data of others


OTTAWA - Foreign Affairs Minister Maxime Bernier assured the Canadian public Tuesday that a "serious" privacy breach at Passport Canada's website had been fixed, even as the office of the federal privacy commissioner promised to investigate the matter.

Passport Canada acknowledged Tuesday that individuals applying for passports online were able to view the personal information of other applicants.

The breach occurred in the fifth step of the application, where individuals are asked to provide supporting documentation, such as a birth certificate, driver's licence or social insurance number. Applicants also must provide contact details -- including name, address and phone numbers -- or two references and an emergency contact.

Users could view other applicants' information by changing one character in the Internet address on their web browser.

Fabien Lengelle, a Passport Canada spokesman, said the agency believes the breach was an "isolated anomaly.

"We've looked at it and we've resolved the issue. So it's no longer possible for a user to get applicant information through Passport Online," he said, referring to the site where individuals can apply for passports online.

In the House of Commons, New Democrat MP Brian Masse called on Bernier to apologize to Canadians who had their privacy "violated." But Bernier said he spoke with Passport Canada officials Tuesday morning and had been assured the problem was fixed.

"The website of Passport Canada is now one of the most secure," Bernier told the House.

Lengelle said the agency was reviewing its logs to determine how many accounts had been viewed by unauthorized individuals since the problem began last week.

He noted that Passport Online is a "temporary gateway" and does not include all personal information in the agency's database.

"When a passport has been issued, the information is deleted," said Lengelle.

However, a spokesman for federal privacy commissioner Jennifer Stoddart said her office was "concerned" by the breach.

"What we naturally expect from any organization, whether it's private or public, is that they take steps to correct that kind of situation right away," said spokesman Colin McKay.

Investigators for the privacy watchdog had contacted Passport Canada on Tuesday to discuss the breach. The privacy commission also plans to raise the issue in its "regularly scheduled" audit of Passport Canada, which is already underway, McKay said.

The breach was discovered this week by an IT specialist from Huntsville, Ont., who was completing his passport application online when he noticed that other applicants' data could be accessed by changing the Internet address.