By Kenyon Wallace
Globe and Mail
December 5, 2007
Passport Canada says that a security breach in its passport application
website that allowed easy access to the personal information of
applicants has been repaired.
"We're definitely looking into how this happened, but right now, it's
fixed," said Fabien Lengelle, a spokesman for Passport Canada. "We are
very committed to security and we would like to reassure the Canadian
public that passport online is a secure application."
Mr. Lengelle added that the personal information of applicants is never
However, an Ontario man applying online for a passport last Thursday
discovered he could access personal information - such as social
insurance numbers, birthdates and driver's licence numbers - of other
applicants by altering one character in the Internet address displayed
by his Web browser.
Passport Canada shut the website down on Friday, but when it was
reopened on Monday afternoon, the personal information of applicants
could still be accessed. In November, 29,000 people entered their
personal data into the website, according to Mr. Lengelle.
During Question Period yesterday, Foreign Affairs Minister Maxime
Bernier told the House of Commons that he spoke with Passport Canada CEO
Gérard Cossette and was assured that the security problem had been fixed.
"Now the Internet site of Passport Canada is one of the most secure,"
Mr. Bernier said.
The security breach discovery comes in the midst of an audit of Passport
Canada's handling of personal information. The audit, undertaken by the
office of the federal Privacy Commissioner in the fall, is examining
whether the federal agency is meeting its obligations under the Privacy
Colin McKay, a spokesman for the Privacy Commissioner, said the audit
will now include the website security breach.
Mr. McKay said Privacy Commissioner Jennifer Stoddart would not comment
on the security flaw until she received more information from
The passport application website, launched in January, 2005, uses a
combination of policy and technology - called Public Key Infrastructure
- that is supposed to provide secure online working environments. To
apply for a passport online, users must obtain an e-pass that allows
access to services with enhanced security. The e-pass Canada website
states that session cookies - small pieces of data specific to an
applicant's computer that are exchanged with the website - may be
But cookies are not the best way to ensure security, says Carlisle
Adams, an Internet data security expert and professor at the University
"People can hijack cookies from other people's sessions or someone could
log on to somebody else's browser through a virus or by physically using
their computer," Mr. Adams said. "It's not foolproof security by any
Identity theft in Canada is on the rise, fuelled in part by advances in
technology, according to Inspector Barry Baxter, officer in charge of
counterfeit and identity fraud with the RCMP.
Insp. Baxter said personal information is usually stolen to obtain goods
and services under someone else's name, or to assume someone else's
"You can submit false applications, apply for credit cards, apply for
health services, and all those kinds of services that require you to
identify yourself," Insp. Baxter said.
Combatting identity theft is especially difficult because the crime is
global, he added. "There's a different scam every minute of the day."
The federal government is considering implementing legislation that
would require private sector organizations to disclose security
breaches. On Nov. 21, Justice Minister Rob Nicholson introduced
legislation making it an offence to obtain, possess or traffic identity
information for the purposes of committing a crime.
Major security breaches
The following are major security breaches in 2007:
January: TJX Cos., parent company of retail outlets Winners and
HomeSense, told the public that computer hackers may have up to two
million Canadian credit card numbers.
January: CIBC subsidiary Talvest Mutual Funds lost a computer file with
account information for 470,000 customers while in transit between
April: A computer disc containing social security numbers, addresses,
and birthdates of almost three million patients went missing from
Affiliated Computer Services, a private contractor handling health-care
claims for the Department of Community Health in Atlanta.
August: Monster.com announced that hackers broke into the U.S. online
recruitment site's password-protected library and stole the personal
information of at least 1.3 million job seekers.
September: Contact information for more than 6.3 million customers of
the Omaha-based online brokerage firm TD Ameritrade Holding Corp. was
stolen after a company database was hacked.
November: Britain's tax and customs service announced it lost disks
containing banking and personal data of 25 million people.