Given the long lineups and crazy backlog that have plagued the Passport Canada offices over the last year, I kept putting off getting a new one. I later realized I could have applied through the mail or filed online, and was choosing between pursuing that option or going in person over the Christmas holidays. Then comes a data breach that proves it’s easier to hack your way into the passport system than it is to go through the proper channels.
According to a story on CBC, Jamie Laning from Huntsville, Ont. realized that by playing around with the numbers at the end of the Passport Canada URLs he could see the personal information of other people using the system at that time. Passport Canada tried to put a positive spin on things, pointing out that no information is stored permanently online and that any information Laning saw would have been temporary. Not that a phishing expert who knew what he was doing would care, of course. It would probably be possible, in fact, to automate the collection of such temporary files. Still, Passport Canada says it has taken steps to make sure it doesn’t happen again.
“We’ve tested the system to make sure it’s foolproof and we’ve also sought external help to ensure that applicants’ information cannot be accessed through Passport Online,” a spokesman told CBC.
Of course, this is not the first time Passport Canada has been chided on lax security. It was just this past February, for example, that the agency was singled out by Auditor-General Sheila Fraser for failing to make much progress on recommendations she had made in 2005. Specifically, Fraser and her team said Passport Canada hasn’t even bothered to do a thorough review of security risks. Here’s an excerpt:
“Many technological and quality assurance improvements will need to be made to increase the security around the issuing of passports. As well, the Passport Office plans to make several changes to service delivery. In our view, even considering the improvements to service that have been made, its current management systems and practices are not adequate to meet those challenges.”
It’s worse once you actually get your application over to the other side of the agency’s Internet gateway, according to Fraser. The report said database administrators and system administrators had just as much ability to issue a passport as those actually responsible for making those kinds of decisions. Data collection and sharing practices also came under criticism.
Unfortunately, what’s happening at Passport Canada is the kind of thing that happens in the enterprise every day. Protection at the portal layer, authentication in the back end and knowing where the holes are represent the major hurdles we’re all going through as we move to a more Web-based business culture. Like the private sector, Passport Canada is getting off lightly because the most recent incident involved only one file, and the person who discovered the hole was good enough to speak up. That won’t happen in every circumstance, and certainly not by people who set out to steal personal information. Cyber-criminals are learning from the mistakes Passport Canada is making. IT managers across the country should start learning from them, too.
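For IT managers who want to see the lesson in code, here is an added example (not Passport Canada's code, and not from the CBC story) of the flaw described above, where the number at the end of a URL is the only thing that selects a record, next to a version that checks ownership on the server and counts refused lookups. The session names, record fields, alert threshold and function names are all assumptions made for illustration.

```python
import secrets

# Constructed sample data: in-progress applications keyed by a sequential
# number, the kind of identifier that can end up at the end of a URL.
APPLICATIONS = {
    1001: {"owner": "sess-alice", "name": "Alice Example"},
    1002: {"owner": "sess-bob", "name": "Bob Example"},
}
DENIED = {}          # session -> number of refused lookups
ALERT_THRESHOLD = 3  # hypothetical value; tune to real traffic


def fetch_vulnerable(app_id):
    """Flawed pattern: the number in the URL is the only thing consulted."""
    return APPLICATIONS.get(app_id)


def fetch_checked(session, app_id):
    """Return the record only if it belongs to the requesting session."""
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != session:
        # Same answer for "missing" and "not yours", so the response
        # does not confirm which numbers are in use.
        DENIED[session] = DENIED.get(session, 0) + 1
        return None
    return record


def should_alert(session):
    """Flag a session that keeps asking for records it does not own."""
    return DENIED.get(session, 0) >= ALERT_THRESHOLD


def new_reference():
    """Unguessable reference for URLs: defence in depth only,
    never a replacement for the ownership check above."""
    return secrets.token_urlsafe(16)
```

The ownership check is the fix; the random reference and the refusal counter only make the hole harder to find and easier to notice.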