Portpass, a private proof-of-vaccination app, was breached on September 27, leaving hundreds of thousands of users’ private information potentially exposed and easily accessible.
The CBC has since verified that “email addresses, names, blood types, phone number[s], birthdays, photos of identification like driver’s licenses and passports” could be easily viewed on several profiles they reviewed during the time that the app was unsecured, as Portpass did not encrypt its data.
The Calgary-based Portpass app has well over 650,000 registered users.
CEO Zakir Hussein initially denied that the app had been breached or had any security issues, going so far as to accuse any who raised concerns of breaking the law.
However, he walked back these comments the following day, after the app was taken down and began displaying a “Network error” to users attempting to upload or edit information.
Their website now reads “We are Updating — Stay Tuned.”
Hussein is adamant that the breach only lasted a few minutes — though this is not confirmed.
“Someone that’s out there is trying to destroy us here, and we’re trying to build something good for people,” said Hussein.
“There [are] holes, and what I’m realizing is I think there are some things that we need to fix here. And you know, we’re trying to play catch-up, I guess, and trying to figure out where these holes are.”
Some cybersecurity experts weighed in, saying that this should be expected of a new third-party app.
“These were exactly the privacy and security concerns I’ve previously raised when it comes to using third-party apps,” cybersecurity analyst Ritesh Kotak said.
“You’ve gotta ask yourself, ‘Where’s the data housed? Who has access to it? Is it encrypted?’… If this gets out to the wrong individuals, it opens them up to fraud, identity theft and a whole other world of potential issues.”
The Calgary Flames’ owner, the Calgary Sports and Entertainment Corporation (CSEC), previously recommended the app as a way for patrons to prove their vaccination while they wait for a province-made alternative to be completed.
“It seems like these were some really basic things that were missed. I question why the Calgary Flames in the first place said go ahead and use this app… you gotta do your homework,” said Kotak.
We are having some technical difficulties, please bring a piece of paper to the game this evening. Thank you for the patience!
— PORTpass™ (@portpasscanada) September 26, 2021
Hussein says his company will notify both federal and provincial privacy commissioners to relay the results of an internal forensic audit.
