By Kenyon Wallace
Globe and Mail
December 4, 2007
A security flaw in Passport Canada's website has allowed easy access to
the personal information - including social insurance numbers, dates of
birth and driver's licence numbers - of people applying for new
The breach was discovered last week by an Ontario man completing his own
passport application. He found he could easily view the applications of
others by altering one character in the Internet address displayed by
his Web browser.
"I was expecting the site to tell me that I couldn't do that," said
Jamie Laning of Huntsville. "I'm just curious about these things so I
tried it, and boom, there was somebody else's name and somebody else's
That data included social insurance numbers, driver's licence numbers
Also available were home and business phone numbers, a federal ID card
number and even a firearms licence number.
"This is exactly how identity theft happens," said Carlisle Adams, an
Internet data security expert and professor at the University of Ottawa.
"If you want to take out a mortgage, for example, this is the type of
information the bank is going to ask for to make sure you're really the
person you're claiming to be. Then all of a sudden there's a mortgage in
someone else's name."
Mr. Laning, 47, an IT worker at Algonquin Automotive, informed Passport
Canada of the breach last week and the passport application site was
suspended through yesterday morning.
Passport Canada spokesman Fabien Lengelle acknowledged that a security
breach occurred but said that it was repaired on Friday. Yesterday's
closing of the website was caused by "problems of a different nature,"
"We've probed this issue today very thoroughly," Mr. Lengelle said.
"This incident is an isolated anomaly. The online passport system is
still a very highly secure application."
But after the website resumed operation yesterday afternoon, a few
keystrokes sufficed to reveal some of the personal information of
passport applicants, including names, addresses and numbers for
references and emergency contacts.
"That's a concern because obviously there's a weakness in their system
that exposes valuable personal information to viewing by people," said
Colin McKay, a spokesman for the office of the federal Privacy
Commissioner of Canada.
"It's always a concern for us when agencies don't take all the security
measures they can, especially an agency like Passport Canada that deals
with basic documents."
Jason Marsden, a Brampton resident whose social insurance and driver's
licence numbers were accessed by Mr. Laning, said he was "totally
surprised" to learn that his personal information was so readily
"If you read the disclaimer on the website, it's supposed to use
high-tech security," Mr. Marsden said in an interview. "You'd think it
wouldn't be that bloody simple."
The Passport Canada website states the federal agency is "committed to
respecting the privacy of individuals who visit our Web site."
The security breach follows two significant events concerning personal
information. On Nov. 21, Justice Minister Rob Nicholson introduced
legislation making it an offence to obtain, possess or traffic in
people's identity information for the purposes of committing a crime.
Just two days earlier, Britain's tax and customs service announced it
had lost disks containing banking and personal data of 25 million
Canadian law does not require organizations to disclose when they've
suffered security breaches. In the United States the majority of states
have enacted legislation requiring organizations to disclose security
breaches within a specified period of time.
"I think it's very clear that a strong, mandatory security-breach law is
long overdue in this country and it's cases like these that highlight
it," said Michael Geist, a law professor at the University of Ottawa.
"The reality is, even with the resources and the best security people,
you're only as good as your weakest link," Prof. Geist said. "One
mistake can result in significant security breaches that can put huge
amounts of personal information at risk."
Visit InfoSec News