Passport Canada security breach raises ID theft concerns
Some faint hope of learning from U.S. mistakes, but for now there's work to do
December 6, 2007 12:00 PM ET(ITBusiness.ca) -- In the aftermath of the security breach on Passport Canada's Web site, concern is being expressed that some of the exposed information could be used to impersonate and defraud unsuspecting citizens and companies.
Passport Canada, meanwhile, is scrambling to reassure the public the breach -- which allowed easy access to personal information of applicants -- is fixed and that its Web site is secure.
However, the incident has sparked renewed calls for legislation that would force disclosure of such breaches.
As widely reported, a passport applicant noticed that by simply changing a few numbers in the URL of his own online application, he could gain access to others' applications and view their personal information.
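What the applicant found is, in web-security terms, a missing authorization check on a direct object reference: the application id in the URL was trusted, and the server never compared it with the logged-in user. The following is an added example written for this page, not Passport Canada's code and not anything published in the article; the record layout, account names, sequential ids and function names are all constructed to illustrate the flaw, its fix, and the kind of audit signal a defender can watch for.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class Forbidden(Exception):
    """Raised when an authenticated user asks for a record they do not own."""


@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str        # login account that submitted the application
    full_name: str
    date_of_birth: str


# Constructed sample records with sequential numeric ids, the situation the
# article describes (the id in the URL was easy to change by a few digits).
APPLICATIONS: Dict[int, Application] = {
    1001: Application(1001, "alice", "Alice Example", "1970-01-01"),
    1002: Application(1002, "bob", "Bob Example", "1982-05-17"),
    1003: Application(1003, "carol", "Carol Example", "1991-11-30"),
}

# Audit trail of denied lookups as (user, requested id). In a real deployment
# this would be written to the application log / SIEM rather than kept in memory.
DENIED: List[Tuple[str, int]] = []


def get_application_vulnerable(current_user: str, app_id: int) -> Optional[Application]:
    """The flaw: the id taken from the URL is trusted and the logged-in user is
    never compared with the record's owner, so any id returns any record."""
    return APPLICATIONS.get(app_id)


def get_application_fixed(current_user: str, app_id: int) -> Optional[Application]:
    """The fix: fetch the record, then enforce ownership before returning it.
    Unknown ids return None; someone else's record raises Forbidden and is
    recorded, because a burst of denials from one account is the signal that
    somebody is walking through the id space."""
    record = APPLICATIONS.get(app_id)
    if record is None:
        return None
    if record.owner != current_user:
        DENIED.append((current_user, app_id))
        raise Forbidden(f"{current_user} may not view application {app_id}")
    return record


# Defence in depth: put an unguessable reference in URLs instead of the
# sequential database id. The reference is mapped back to the id server-side,
# and the ownership check above still runs on every lookup.
_REFERENCES: Dict[str, int] = {}


def issue_reference(app_id: int) -> str:
    token = secrets.token_urlsafe(16)
    _REFERENCES[token] = app_id
    return token


def get_application_by_reference(current_user: str, ref: str) -> Optional[Application]:
    app_id = _REFERENCES.get(ref)
    if app_id is None:
        return None
    return get_application_fixed(current_user, app_id)


def denied_lookups_by_user(threshold: int = 2) -> Dict[str, int]:
    """Simple detection: accounts whose denied-lookup count reaches `threshold`."""
    counts: Dict[str, int] = {}
    for user, _ in DENIED:
        counts[user] = counts.get(user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # "bob" changes the id in his own URL from 1002 to the neighbouring values.
    print(get_application_vulnerable("bob", 1001))   # leaks Alice's record
    for probe in (1001, 1003):
        try:
            get_application_fixed("bob", probe)
        except Forbidden as exc:
            print("denied:", exc)
    print(denied_lookups_by_user())                  # {'bob': 2}
```

The ownership check is the actual fix; the opaque reference only makes ids hard to guess and is no substitute for it. Logging the denials is what turns the fixed endpoint into a detection point: a single account accumulating Forbidden responses across many ids is the pattern worth alerting on.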
Colin McKay, a spokesman for the Privacy Commissioner of Canada, said the Commissioner has requested a clarification of the matter from Passport Canada.
"There were informal communications as well, and Passport Canada reacted quickly to apply a fix," said McKay.
It's significant that the Passport Canada breach came just two months after the federal Privacy Commissioner expressed concern about the inadequacy of personal information protection measures in government departments.
"Government departments are not doing enough to protect Canadians' personal information as they plan new programs or redesign existing programs," the Privacy Commissioner had noted in a news release issued at the time.
This fact, the release said, was "confirmed by the results of an audit of the government's Privacy Impact Assessment (PIA) Policy."
Under the PIA policy, federal institutions are required to assess the potential privacy risks of programs before they are implemented.
That's exactly the approach Al Huger, Symantec's vice-president of security response and security services, advocates for all organizations gathering personal information online.
He says coding errors that leave personal information exposed are all too common.
"A key problem is that many developers of Web applications are inadequately trained in security measures.
"The people writing the code should be properly qualified and competent in the first place," Huger submits. "Software developers should have security training in their backgrounds."
Compounding this weakness in Web development is the fact that Web applications are seldom subjected to security audits before being released to the public.
In Huger's opinion, as a matter of policy, people writing software that's going to be accessing people's private data and putting it on the Internet should always have that code audited before it is released.
Of course, the people conducting such audits need to be well-qualified too.
An internal audit by someone who has been trained to do secure code audits should suffice for small applications.
But large applications should be audited by a third party before rollout, advises Huger.