If you were planning on applying for a new Canadian passport this month… you may want to hold off, or go in to the passport office directly — lineups be damned. From the Globe & Mail:
A security flaw in Passport Canada’s website has allowed easy access to the personal information – including social insurance numbers, dates of birth and driver’s licence numbers – of people applying for new passports.
The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser.
Nice one, Passport Canada. You idiots. Even worse:
Passport Canada spokesman Fabien Lengelle acknowledged that a security breach occurred but said that it was repaired on Friday. Yesterday’s closing of the website was caused by “problems of a different nature,” he said.
“We’ve probed this issue today very thoroughly,” Mr. Lengelle said. “This incident is an isolated anomaly. The online passport system is still a very highly secure application.”
But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts.
I really, really hope someone’s ass is in a sling over this. Highly secure my ass.
My passport doesn’t expire for another 3 years. I’ll be renewing it in person, thank you.
Most disturbing, in my books:
Canadian law does not require organizations to disclose when they’ve suffered security breaches. In the United States the majority of states have enacted legislation requiring organizations to disclose security breaches within a specified period of time.
You know… that’s really the sort of thing I’d like to know. If, for example, my bank has had a major security leak, I want them to be required to let me know. I doubt something like that would remain unreported for long, but hey, I don’t always read the news. I want someone to be required to tell me when they’ve fucked up with MY personal information.
Also, I have to mention: The policy of banks calling me and demanding that I give personal information to prove that they’re talking to the right person is bullshit. How about you prove to me who you are first?
Yep gotta say that news story makes me nervous because I applied for a passport (online but you still have to drop off the application at an office) just two weeks ago… hmm… bad timing. Nothing I can do about it now. The lineups aren’t that bad though :) I was pleasantly surprised.