Canadian Vaccine Passport App Exposes Data

Canadian vaccine passport app PORTpass may have exposed personal information belonging to hundreds of thousands of users. 

According to a report by CBC News, the app's operators left data, including names, identification documents, and email addresses, on an unsecured website. The personal information was allegedly stored in plain text and could be accessed by the public. 

Following a tipoff received on Monday, the news source investigated the security of the PORTpass website. CBC News said it was able to verify the exposure of app users' information, writing: "Email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver's licenses and passports can easily be viewed by reviewing dozens of users' profiles."

In an article published September 28, the news source wrote: "CBC is not sharing how to access those profiles, in order to protect users' personal information."

CBC added: "The information was not encrypted and could be viewed in plain text."

The team behind the app is based in Calgary and led by Chief Executive Officer Zakir Hussein. In response to concerns over the app's security, Hussein reportedly denied that PORTpass was experiencing any verification or security issues.

However, the app's website has been taken offline, and visitors to the site are currently met with the message, "We are updating. Stay tuned."

PORTpass is described on Google Play as "a secure and contactless way for a member of the public to gain access to a building, site, or ticketed event using their secure MapleCode."

Hussein reportedly said the app has more than 650,000 registered users across Canada. 

Trevor Morgan, product manager with data security experts comforte AG, commented: "Unless the app vendor goes to great lengths to apply data-centric security such as format-preserving encryption or tokenization to protect sensitive data by obfuscating sensitive data elements, situations like this one will happen again and again, and people will hesitate to adopt such tools. 

"Any time an organization collects and processes people's health information, it has the ultimate responsibility to protect that data and ensure it is never presented in readable format to unauthorized users."
