[ISN] Passport applicant finds massive privacy breach

From: InfoSec News (alerts@private)
Date: Tue Dec 04 2007 - 22:20:20 PST


http://www.theglobeandmail.com/servlet/story/RTGAM.20071204.wpassport1204/BNStory/National/home

By Kenyon Wallace
Globe and Mail
December 4, 2007

A security flaw in Passport Canada's website has allowed easy access to 
the personal information - including social insurance numbers, dates of 
birth and driver's licence numbers - of people applying for new 
passports.

The breach was discovered last week by an Ontario man completing his own 
passport application. He found he could easily view the applications of 
others by altering one character in the Internet address displayed by 
his Web browser.

"I was expecting the site to tell me that I couldn't do that," said 
Jamie Laning of Huntsville. "I'm just curious about these things so I 
tried it, and boom, there was somebody else's name and somebody else's 
data."

That data included social insurance numbers, driver's licence numbers 
and addresses.

Also available were home and business phone numbers, a federal ID card 
number and even a firearms licence number.

"This is exactly how identity theft happens," said Carlisle Adams, an 
Internet data security expert and professor at the University of Ottawa. 
"If you want to take out a mortgage, for example, this is the type of 
information the bank is going to ask for to make sure you're really the 
person you're claiming to be. Then all of a sudden there's a mortgage in 
someone else's name."

Mr. Laning, 47, an IT worker at Algonquin Automotive, informed Passport 
Canada of the breach last week and the passport application site was 
suspended through yesterday morning.

Passport Canada spokesman Fabien Lengelle acknowledged that a security 
breach occurred but said that it was repaired on Friday. Yesterday's 
closing of the website was caused by "problems of a different nature," 
he said.

"We've probed this issue today very thoroughly," Mr. Lengelle said. 
"This incident is an isolated anomaly. The online passport system is 
still a very highly secure application."

But after the website resumed operation yesterday afternoon, a few 
keystrokes sufficed to reveal some of the personal information of 
passport applicants, including names, addresses and numbers for 
references and emergency contacts.

"That's a concern because obviously there's a weakness in their system 
that exposes valuable personal information to viewing by people," said 
Colin McKay, a spokesman for the office of the federal Privacy 
Commissioner of Canada.

"It's always a concern for us when agencies don't take all the security 
measures they can, especially an agency like Passport Canada that deals 
with basic documents."

Jason Marsden, a Brampton resident whose social insurance and driver's 
licence numbers were accessed by Mr. Laning, said he was "totally 
surprised" to learn that his personal information was so readily 
available.

"If you read the disclaimer on the website, it's supposed to use 
high-tech security," Mr. Marsden said in an interview. "You'd think it 
wouldn't be that bloody simple."

The Passport Canada website states the federal agency is "committed to 
respecting the privacy of individuals who visit our Web site."

The security breach follows two significant events concerning personal 
information. On Nov. 21, Justice Minister Rob Nicholson introduced 
legislation making it an offence to obtain, possess or traffic in 
people's identity information for the purposes of committing a crime. 
Just two days earlier, Britain's tax and customs service announced it 
had lost disks containing banking and personal data of 25 million 
people.

Canadian law does not require organizations to disclose when they've 
suffered security breaches. In the United States the majority of states 
have enacted legislation requiring organizations to disclose security 
breaches within a specified period of time.

"I think it's very clear that a strong, mandatory security-breach law is 
long overdue in this country and it's cases like these that highlight 
it," said Michael Geist, a law professor at the University of Ottawa.

"The reality is, even with the resources and the best security people, 
you're only as good as your weakest link," Prof. Geist said. "One 
mistake can result in significant security breaches that can put huge 
amounts of personal information at risk."

