Vaccine passport app Portpass may have exposed users' personal data like drivers' licences and photos. CBC was able to access the photos on the right that belong to users on the app. The IDs have been blurred to protect those users' identities and information. (Portpass/CBC)
Private proof-of-vaccination app Portpass exposed personal information, including the driver's licences, of what could be as many as hundreds of thousands of users by leaving its website unsecured.
The portpassportal.com web app was pulled offline that evening and users of the mobile app were met with "Network error" pop-up messages if they attempted to upload or modify any information.
Hussein said Tuesday morning that the breach only lasted for minutes, and repeated that claim when CBC pointed out it had reviewed the personal information for more than an hour — and it's unknown how long the information was exposed before that tip was received.
"Someone that's out there is trying to destroy us here, and we're trying to build something good for people," he said.
"There's holes, and what I'm realizing is I think there are some things that we need to fix here. And you know, we're trying to play catch-up, I guess, and trying to figure out where these holes are."
The CEO said data has been pulled from the server and his developers are investigating. He said he believes only those who were awaiting verification were affected, a claim CBC was unable to verify.
Hussein has said Portpass has more than 650,000 registered users across Canada.
Security, privacy concerns
Cybersecurity analyst Ritesh Kotak said he was shocked but not surprised to hear users' information was exposed.
"These were exactly the privacy and security concerns I've previously raised when it comes to using third-party apps," Kotak said. "You've gotta ask yourself, 'Where's the data housed? Who has access to it? Is it encrypted?'… If this gets out to the wrong individuals it opens them up to fraud, identity theft and a whole other world of potential issues."
Earlier on Tuesday morning, Hussein spoke with 630 CHED Radio and said the servers were turned off to perform a security audit. He did not mention during that interview that users' personal information had been exposed.
The Calgary Sports and Entertainment Corporation (CSEC), which owns the NHL's Calgary Flames, had recommended the Calgary-based app as a way for ticket holders to prove their COVID-19 vaccination status to enter the Scotiabank Saddledome arena.
CSEC said Monday in an emailed statement, before the security lapse was discovered, that it's aware of concerns raised about the app and is working with the app's developer. CBC has reached out to CSEC for further comment. On Tuesday, after this article was published, CSEC pulled the recommendation for the app from the Flames' website.
"It seems like these were some really basic things that were missed. I question why the Calgary Flames in the first place said go ahead and use this app … you gotta do your homework," Kotak said.
Sharon Polsky, president of the Privacy and Access Council of Canada, said those who fear their information may have been compromised can notify the Office of the Privacy Commissioner.
She said the company should have to answer some hard questions about how long the information was accessible and how many users saw their data exposed.
"Will they conduct a forensic audit? Will they bring in a third-party independent auditor, not just somebody from within their company, to look it over and say, 'Yeah, we had a problem?'" Polsky said.
Hussein said his company will notify the offices of the federal and Alberta privacy commissioners.
The Alberta privacy commissioner's office said in an emailed statement that it has not yet received a report, and said it is contacting Portpass to remind it that if "there is a real risk of significant harm to affected individuals" an incident must be reported to the commissioner and individuals must be notified.
The federal privacy commissioner also said it has not yet received a report, and said it has contacted Portpass to seek further information in order to determine next steps, and that it is in communication with its provincial counterpart.
Alberta does not have an official app
On Sunday, Conrad Yeung, a local web developer, had questioned on social media whether the app was accurately verifying vaccination information and CBC News had contacted the company to ask for a response.
Shortly after CBC contacted the company on Sunday, the app began to experience technical difficulties, but Hussein said the crash was due to an influx of users headed to that night's hockey game, overloading the server.
Alberta currently does not have an official proof-of-vaccination app, and the province's PDF vaccine record has been criticized for being easy to edit.
Kristi, one Portpass user, said she was scared to learn her personal information may be compromised. CBC News agreed not to use her last name in case her information was among those exposed.
She said she only downloaded a private app because the government hasn't yet made one available — a delay that frustrates her.
"It was like a kick in the gut when I got the CBC News alert … I don't know if my information is out there," she said.
Yeung had tested the Portpass app by uploading a photo of an actor as an ID photo, and editing a fake vaccination record to display the actor's name that the app verified as legitimate.
However, earlier on Monday, Hussein had denied that the app validated Yeung's false information, despite it appearing to do so, because he said the fake picture would be a giveaway.
"That's not true. We saw it on the back end and we were watching it.… So even if that user showed up, he wouldn't be able to utilize that picture because that's not him. So you wouldn't be able to get in. Secondly, that QR code, if someone scanned it, it would show that picture again," he said at the time.
Hussein had also said security concerns Yeung had raised about the app were false, and suggested he may contact authorities over his social media posts. He said he wished Yeung and others publicly posting concerns instead had privately reached out to the company.
"Instead he did that maliced behaviour. That, you know, that's not nice," he said.
Yeung said earlier on Monday he had no ill-will toward the company but simply wanted to raise the issues he spotted.
"I was trying to warn, I guess, the general public based on the vulnerabilities that I saw. Because at the end of the day, it's personal information people are submitting," he said.