Portpass app may have exposed hundreds of thousands of users’ personal data

Private proof-of-vaccination app Portpass exposed personal information, including the driver's licences, of what could be as many as hundreds of thousands of users by leaving its website unsecured.

On Monday evening, CBC News received a tip that the user profiles on the app's website could be accessed by members of the public.

CBC is not sharing how to access these profiles, in order to protect users' personal information, but has verified that email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver's licences and passports could easily be viewed by reviewing dozens of users' profiles.

The information was not encrypted and could be viewed in plain text.

Earlier in the day, the Calgary-based company's CEO Zakir Hussein had denied the app had verification or security issues and accused those who raised concerns about it of breaking the law.

CBC called Hussein late Monday, and agreed to hold off on publishing an article on the lapse until late Tuesday morning in order to give his team time to lock down the site and protect user information.

The portpassportal.com web app was pulled offline that night and users of the mobile app were met with "Network error" pop-up messages if they tried to add or modify any information.

Hussein said Tuesday morning that the breach only lasted for minutes, and repeated that claim when CBC pointed out it had reviewed the personal information for more than an hour. It is unknown how long the information was exposed before that tip was received.


“Someone that’s out there is trying to destroy us here, and we’re trying to build something good for people,” he said.

“There’s holes, and what I’m realizing is I think there are some things that we need to fix here. And you know, we’re trying to play catch-up, I guess, and trying to figure out where these holes are.”

The CEO said data has been pulled from the server and his developers are investigating. He said he believes only those who were awaiting verification were affected, a claim CBC was unable to verify.

Hussein has said Portpass has more than 650,000 registered users across Canada.

Security, privacy concerns

Cybersecurity analyst Ritesh Kotak said he was shocked but not surprised to hear users' information was exposed.

“These were exactly the privacy and security concerns I’ve previously raised when it comes to using third-party apps,” Kotak said. “You’ve gotta ask yourself, ‘Where’s the data housed? Who has access to it? Is it encrypted?’… If this gets out to the wrong individuals it opens them up to fraud, identity theft and a whole other world of potential issues.”

Earlier on Tuesday morning, Hussein spoke with 630 CHED Radio and said the servers were turned off to perform a security audit. He did not mention during that interview that users' personal information had been exposed.

The Calgary Sports and Entertainment Corporation (CSEC), which owns the NHL's Calgary Flames, has recommended the Calgary-based app as a way for ticket holders to show their COVID-19 vaccination status to enter the Scotiabank Saddledome arena.

CSEC said Monday in an emailed statement, before the security lapse was discovered, that it is aware of concerns raised about the app and is working with the app's developer. CBC has reached out to CSEC for further comment.


“It seems like these were some really basic things that were missed. I question why the Calgary Flames in the first place said go ahead and use this app … you gotta do your homework,” Kotak said.

Sharon Polsky, president of the Privacy and Access Council of Canada, said those who fear their information may have been compromised can notify the Office of the Privacy Commissioner. She said the company should have to answer some hard questions about how long the information was accessible and how many users saw their data exposed.

“Will they conduct a forensic audit? Will they bring in a third-party independent auditor, not just somebody from within their company, to look it over and say, ‘Yeah, we had a problem?'” Polsky said.

Hussein said his company will notify the offices of the federal and Alberta privacy commissioners.

The Alberta privacy commissioner's office said in an emailed statement that it has not yet received a report, and said it is contacting Portpass to remind it that if “there is a real risk of significant harm to affected individuals” an incident must be reported to the commissioner and individuals must be notified.

Alberta does not have an official app

On Sunday, Conrad Yeung, a local web developer, had questioned on social media whether the app was accurately verifying vaccination records and CBC News had contacted the company to ask for a response.

Shortly after CBC contacted the company on Sunday, the app began to experience technical difficulties, but Hussein said the crash was caused by an influx of users headed to that night's hockey game, overloading the server.


Alberta currently does not have an official proof-of-vaccination app, and the province's PDF vaccine record has been criticized for being easy to edit.

Yeung had tested the Portpass app by uploading a photo of an actor as an ID picture, and editing a fake vaccination record to show the actor's name, which the app verified as legitimate.

However, earlier on Monday, Hussein had denied that the app validated Yeung's false information, despite it appearing to do so, because he said the fake picture would be a giveaway.

“That’s not true. We saw it on the back end and we were watching it.… So even if that user showed up, he wouldn’t be able to utilize that picture because that’s not him. So you wouldn’t be able to get in. Secondly, that QR code, if someone scanned it, it would show that picture again,” he said at the time.

Hussein had also said security concerns Yeung had raised about the app were false, and suggested he may contact authorities over his social media posts. He said he wished Yeung and others publicly posting concerns had instead privately reached out to the company.

“Instead he did that maliced behaviour. That, you know, that’s not nice,” he said.

Yeung said earlier on Monday he had no ill will toward the company but simply wanted to raise the issues he saw.

“I was trying to warn, I guess, the general public based on the vulnerabilities that I saw. Because at the end of the day, it’s personal information people are submitting,” he said.