Security flaw on Passport Canada's website exposes applicants' personal information

December 4, 2007

By John Stall

http://680news.com/news/local/article.jsp?content=20071204_080504_1760



A security flaw at Passport Canada's Web site allowed an Ontario man access to the personal information of other people applying for new passports.

The Globe and Mail reported the breach was discovered last week while Huntsville resident, Jamie Laning, was completing his own passport application online.

Laning told 680News he was on the Passport Canada website when he came across the application information of others.

When the Web page froze, Laning said he tried to unlock it by adding a character to his ID number on the browser and was exposed to other applicants' information -- that someone could use to create an "identity."

"I got stalled on this page and looked at it and said, 'there's my application ID at the top; what would happen if I change it'...I was expecting to get some kind of message...saying I could not do that, (but) I was getting other people's information," Laning said.

Laning said he was able to view the files by simply adding different characters to his own ID number at the top of the Passport Canada Web page.

"I looked at a couple of records, I saw a social insurance number, a driver's licence number, a federal ID card, references...more than enough to identify people and get information that I really shouldn't see.

He immediately alerted Passport Canada last week, who acknowledged the breach and called it an isolated anomaly that has been fixed. The application site was suspended through Monday morning.


main page ATTRITION feedback