Canada's passport application system has security hole

An Ontario man discovered last week that the Web site meant to allow Canadians to apply for passports was allowing access to information on other applicants.

By changing a single character in the URL while filling out the application, he was able to pull up data on another applicant. Jamie Laning told The Globe and Mail that doing so was effortless, and the site did nothing to prevent him from viewing the data.

This leak provides enough data to essentially commit identity theft, it includes names, addresses, dates of birth, social insurance (Canada's social security) numbers, phone numbers, and drivers license data.

The extent of the data breach is not known as Passport Canada did not give details on how many applicants may be sitting in queue on the site at any given time. It is also not clear if the data continues to sit on the site, accessible by its unique URL, after an application has been approved.

In any case, access to the online application was disabled after Laning informed the agency of the problem, and Passport Canada said it had the problem fixed by last Friday.

However, a test on Monday by Globe and Mail reporters indicated that the hole still existed, and they were able to access further private data. This was despite Passport Canada's assurances that the application was indeed secure.

Unlike many parts of the US, there is no law requiring government agencies or companies to disclose security breaches to consumers. Supporters of such legislation in Canada are using the incident as an example of why laws in this area are needed.