In the aftermath of the security breach on Passport Canada’s Web site, concern is being expressed that some of the exposed information could be used to impersonate and defraud unsuspecting citizens and companies.
Passport Canada, meanwhile, is scrambling to reassure the public the breach – that allowed easy access to personal information of applicants – is fixed and that its Web site is secure.
However the incident has sparked renewed calls for legislation to force disclosure of such breaches.
As widely reported, a passport applicant noticed that by simply changing a few numbers in the URL of his own on-line application, he could gain access to others’ applications and view their personal information. In other words, the site looked up an application by the identifier in the URL without checking that the record belonged to the logged-in user, the class of flaw commonly called an insecure direct object reference.
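To make the flaw concrete, here is an added example (not code from Passport Canada or from the article) that models the reported behaviour in a few lines of Python: a record lookup keyed only by the number in the URL, beside the same lookup with an object-level authorization check. The route, record fields, user names and data are hypothetical and constructed for the example.

```python
"""Added example: the access-control bug described in the Passport Canada report,
modelled as two request handlers. Everything here (route, fields, users, records)
is hypothetical; it is not the real site's code."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Application:
    app_id: int      # the number that appeared in the URL
    owner: str       # the account that submitted the application
    full_name: str
    date_of_birth: str


# Constructed sample data standing in for the applications database.
APPLICATIONS = {
    1001: Application(1001, "alice", "Alice Example", "1980-01-01"),
    1002: Application(1002, "bob", "Bob Example", "1975-05-05"),
    1003: Application(1003, "carol", "Carol Example", "1990-09-09"),
}


class Forbidden(Exception):
    """Caller is not logged in."""


class NotFound(Exception):
    """No record the caller is allowed to see has this id."""


def view_application_vulnerable(session_user: Optional[str], app_id: int) -> Application:
    """Handler for a hypothetical /application?id=<app_id> as the report describes it:
    it confirms the caller is logged in, then trusts the id from the URL.
    Any authenticated user can walk through other applicants' records by
    changing the number."""
    if session_user is None:
        raise Forbidden("login required")
    app = APPLICATIONS.get(app_id)
    if app is None:
        raise NotFound(app_id)
    return app


def view_application_fixed(session_user: Optional[str], app_id: int) -> Application:
    """Same route with an object-level authorization check: the record must be
    owned by the authenticated user. 'Not yours' and 'does not exist' are
    reported identically so the response cannot be used to confirm which
    ids are in use."""
    if session_user is None:
        raise Forbidden("login required")
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner != session_user:
        raise NotFound(app_id)
    return app


Handler = Callable[[Optional[str], int], Application]


def can_view(handler: Handler, session_user: Optional[str], app_id: int) -> bool:
    """True if the handler returns a record for this user and id."""
    try:
        handler(session_user, app_id)
        return True
    except (Forbidden, NotFound):
        return False


def count_exposed(handler: Handler, session_user: Optional[str], ids: Iterable[int]) -> int:
    """Replay the reported technique: a logged-in user tries a range of ids and
    counts how many records come back. With the vulnerable handler that is every
    record in range; with the fix it is only the user's own."""
    return sum(1 for app_id in ids if can_view(handler, session_user, app_id))


if __name__ == "__main__":
    probe = range(1000, 1010)
    print("vulnerable:", count_exposed(view_application_vulnerable, "bob", probe))  # 3
    print("fixed:     ", count_exposed(view_application_fixed, "bob", probe))       # 1
```

The fix is the ownership comparison, not the choice of identifier: replacing sequential numbers with random references makes guessing harder but does not remove the bug, because a leaked or shared link would still open someone else's record. The check belongs in the handler (or the data-access layer) for every route that takes a record identifier from the client.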
Colin McKay, a spokesman for the Privacy Commissioner of Canada said the Commissioner has requested a clarification of the matter from Passport Canada.
“There were informal communications as well, and Passport Canada reacted quickly to apply a fix,” said McKay.
It’s significant that the Passport Canada breach came just two months after the federal Privacy Commissioner expressed concern about the inadequacy of personal information protection measures in government departments.
“Government departments are not doing enough to protect Canadians’ personal information as they plan new programs or redesign existing programs,” the Privacy Commissioner had noted in a news release issued at the time.
This fact, the release said, was “confirmed by the results of an audit of the government’s Privacy Impact Assessment (PIA) Policy.”
Under the PIA policy, federal institutions are required to assess the potential privacy risks of programs before they are implemented.
That’s exactly the approach Al Huger, vice-president of security response and security services at Cupertino, Calif.-based Symantec Corp. advocates for all organizations gathering personal information online.
He says coding errors that leave personal information exposed are all too common.
“A key problem is that many developers of Web applications are inadequately trained in security measures.
“The people writing the code should be properly qualified and competent in the first place,” Huger submits. “Software developers should have security training in their backgrounds.”
Compounding this weakness in Web development is the fact that Web applications are seldom subjected to security audits before being released to the public.
In Huger’s opinion, as a matter of policy, people writing software and putting it on the Internet where it’s going to be accessing people’s private data should always have that code audited before it is released.
Of course, the people conducting such audits need to be well qualified too.
An internal audit by someone who has been trained to do secure code audits should suffice for small applications.
But large applications should be audited by a third party before rollout, advises Huger.
In the wake of Passport Canada’s breach, calls for legislation have reappeared in the media and in the blogosphere. Most advocates want a California-style disclosure law, forcing organizations to inform the public when a breach has occurred.
But, as Colin McKay points out, laws forcing companies to disclose privacy breaches would not prevent the occurrence of the breaches themselves, although the public shaming may serve as a deterrent.
Another problem is determining when harm has occurred. Many companies now dispute the need to disclose a breach if no harm was done.
Symantec’s Huger is not sure if laws and regulations will force companies to develop better security policies and practices.
Pointing to security infrastructures common in the U.S. that do not yet exist in Canada, such as chief security officers and the robust security staff many companies employ, he explains that these developments were the result of frequent breaches.
“They do a better job because they’ve learned the hard way. Hopefully, that’s not going to happen here.”
He urges every company to develop an internal disclosure policy anyway, so that when they have an incident they’ll know what their public disclosure response will be.
“They need to understand how to deal with an incident in the event private information is made public.”
Unfortunately, Canadian companies are relatively complacent about security compared to U.S. companies.
Security training and audits, as well as disclosure policies may be prevalent in Canadian financial institutions, but experts agree that other industries are lagging well behind.
The Privacy Commissioner acknowledges that Canadians already feel that their personal information is not as well protected as it was ten years ago. Incidents such as this do nothing to allay their fears and distrust.