http://www.theglobeandmail.com/servlet/story/RTGAM.20071205.wpassport05/BNStory/National/home

By Kenyon Wallace
Globe and Mail
December 5, 2007

Passport Canada says that a security breach in its passport application website that allowed easy access to the personal information of applicants has been repaired.

"We're definitely looking into how this happened, but right now, it's fixed," said Fabien Lengelle, a spokesman for Passport Canada. "We are very committed to security and we would like to reassure the Canadian public that passport online is a secure application."

Mr. Lengelle added that the personal information of applicants is never stored online.

However, an Ontario man applying online for a passport last Thursday discovered he could access personal information - such as social insurance numbers, birthdates and driver's licence numbers - of other applicants by altering one character in the Internet address displayed by his Web browser.

Passport Canada shut the website down on Friday, but when it was reopened on Monday afternoon, the personal information of applicants could still be accessed.

In November, 29,000 people entered their personal data into the website, according to Mr. Lengelle.

During Question Period yesterday, Foreign Affairs Minister Maxime Bernier told the House of Commons that he spoke with Passport Canada CEO Gérard Cossette and was assured that the security problem had been fixed.

"Now the Internet site of Passport Canada is one of the most secure," Mr. Bernier said.

The security breach discovery comes in the midst of an audit of Passport Canada's handling of personal information. The audit, undertaken by the office of the federal Privacy Commissioner in the fall, is examining whether the federal agency is meeting its obligations under the Privacy Act.

Colin McKay, a spokesman for the Privacy Commissioner, said the audit will now include the website security breach. Mr. McKay said Privacy Commissioner Jennifer Stoddart would not comment on the security flaw until she received more information from investigators.

The passport application website, launched in January, 2005, uses a combination of policy and technology - called Public Key Infrastructure - that is supposed to provide secure online working environments. To apply for a passport online, users must obtain an e-pass that allows access to services with enhanced security.

The e-pass Canada website states that session cookies - small pieces of data specific to an applicant's computer that are exchanged with the website - may be used. But cookies are not the best way to ensure security, says Carlisle Adams, an Internet data security expert and professor at the University of Ottawa.

"People can hijack cookies from other people's sessions or someone could log on to somebody else's browser through a virus or by physically using their computer," Mr. Adams said. "It's not foolproof security by any means."

Identity theft in Canada is on the rise, fuelled in part by advances in technology, according to Inspector Barry Baxter, officer in charge of counterfeit and identity fraud with the RCMP. Insp. Baxter said personal information is usually stolen to obtain goods and services under someone else's name, or to assume someone else's identity.

"You can submit false applications, apply for credit cards, apply for health services, and all those kinds of services that require you to identify yourself," Insp. Baxter said.

Combatting identity theft is especially difficult because the crime is global, he added. "There's a different scam every minute of the day."

The federal government is considering implementing legislation that would require private sector organizations to disclose security breaches. On Nov. 21, Justice Minister Rob Nicholson introduced legislation making it an offence to obtain, possess or traffic identity information for the purposes of committing a crime.

Major security breaches

The following are major security breaches in 2007:

January: TJX Cos., parent company of retail outlets Winners and HomeSense, told the public that computer hackers may have up to two million Canadian credit card numbers.

January: CIBC subsidiary Talvest Mutual Funds lost a computer file with account information for 470,000 customers while in transit between company offices.

April: A computer disc containing social security numbers, addresses, and birthdates of almost three million patients went missing from Affiliated Computer Services, a private contractor handling health-care claims for the Department of Community Health in Atlanta.

August: Monster.com announced that hackers broke into the U.S. online recruitment site's password-protected library and stole the personal information of at least 1.3 million job seekers.

September: Contact information for more than 6.3 million customers of the Omaha-based online brokerage firm TD Ameritrade Holding Corp. was stolen after a company database was hacked.

November: Britain's tax and customs service announced it lost disks containing banking and personal data of 25 million people.