On Monday evening, CBC News was informed that user profiles on the app’s website are available for viewing by members of the public. CBC does not share how to access these profiles, in order to protect users’ personal information, but has verified that email addresses, names, blood types, phone numbers, birthdays, as well as identity photos such as driver’s licenses and passports can easily be viewed by reviewing dozens of user profiles.
The information was not encrypted and could be viewed in the clear.
Earlier today, the CEO of the Calgary-based company, Zakir Hussein, denied that the app had any verification or security issues and accused those who worried about it of breaking the law.
CBC called Hussein on Monday evening and agreed to suspend publication of an article about the disruption until late Tuesday morning in order to give his team time to lock down the site and protect user information.
The portpassportal.com web app went offline that evening and mobile app users received “Network Error” pop-up messages if they attempted to download or edit information.
Hussein said Tuesday morning that the breach only lasted a few minutes, and repeated the claim when CBC pointed out that it had been reviewing personal information for more than an hour. It is not clear how long the information had been exposed before CBC received the tip.
“Someone over there is trying to destroy us here, and we are trying to build something good for the people,” he said.
“There are holes, and what I realize is I think there are some things we need to fix here. And you know, we’re trying to catch up, I guess, and try to figure out where those holes are.”
The CEO said data had been pulled from the server and its developers were investigating. He said he believed only those awaiting an audit were affected, a claim CBC was unable to verify.
Hussein said Portpass has more than 650,000 registered users across Canada.
Security, privacy concerns
Cyber security analyst Ritesh Kotak said he was shocked but not surprised to hear that user information was exposed.
“These are exactly the privacy and security concerns that I’ve raised before when it comes to using third-party apps,” Kotak said. “You must be asking yourself, ‘Where is the data stored? Who has access to it? Are they encrypted?’ … If that gets to the wrong people, it opens them up to fraud, identity theft, and a whole new world of potential trouble.”
Earlier Tuesday morning, Hussein spoke to 630 CHED radio and said the servers had been shut down to perform a security audit. He did not mention during this interview that users’ personal information had been exposed.
The Calgary Sports and Entertainment Corporation (CSEC), owner of the NHL’s Calgary Flames, recommended the Calgary-based app as a way for ticket holders to prove their COVID-19 vaccination status to enter the Scotiabank Saddledome arena.
The CSEC said in an emailed statement on Monday, before the security breach was discovered, that it was aware of the concerns raised about the app and was working with the developer of the app. CBC has contacted CSEC for further comments.
“It seems like these are some really basic things that have been missed. I wonder why the Calgary Flames first said to go ahead and use this app… you have to do your homework,” Kotak said.
Sharon Polsky, president of the Canadian Privacy and Access Protection Council, said those who fear their information has been compromised can notify the Office of the Privacy Commissioner. She said the company should have to answer tough questions about how long the information was accessible and how many users had their data exposed.
“Will it conduct a forensic audit? Will it bring in an independent third-party auditor, and not just someone from the company, to review it and say, ‘Yes, we had a problem’?” Polsky said.
Hussein said his company would notify the offices of the federal and Alberta privacy commissioners.
The Office of the Privacy Commissioner of Alberta said in an emailed statement that it has yet to receive a report and said it is contacting Portpass to remind them that if there is a real risk of significant harm to those affected, an incident must be reported to the Commissioner and individuals must be notified.
Alberta does not have an official app
Conrad Yeung, a local web developer, asked on social media on Sunday whether the app was accurately verifying immunization information and CBC News reached out to the company to request a response.
Shortly after CBC contacted the company on Sunday, the app began to experience technical difficulties, but Hussein said the crash was due to an influx of users going to that night’s hockey game, overloading the server.
Alberta currently does not have an official proof of vaccination app, and the province’s PDF vaccine record has been criticized for being easy to edit.
Yeung had tested the Portpass app by uploading a photo of an actor as a passport photo and editing a fake vaccination record to display the actor’s name; the app verified the record as legitimate.
However, earlier Monday, Hussein denied that the app had validated Yeung’s fake information, although it appeared to do so, saying the fake photo would have been a giveaway.
“This is not true. We saw it in the back and we were looking at it. So even if that user showed up, he wouldn’t be able to use that image because it’s not him. So you wouldn’t be able to enter. Second, this QR code, if someone scanned it, it would show this image again,” he said at the time.
Hussein also said the security concerns Yeung raised about the app were false, and suggested he could contact authorities about his social media posts. He said he wished Yeung and others who publicly posted their concerns had contacted the company in private instead.
“Instead, he did this malicious behavior. That, you know, is not nice,” he said.
Yeung said earlier Monday that he had no ill will towards the company, but just wanted to bring up the issues he spotted.
“I was trying to warn, I guess, the general public based on the vulnerabilities that I saw. Because at the end of the day, it’s personal information that people submit,” he said.