Portpass, a proof-of-vaccination mobile app, has suffered a potential data breach after it was found that its website was left unsecured.
CBC News received a tip on September 27 that user profiles on Portpass’s website could be accessed by anyone online. While the news outlet did not reveal how the profiles could be accessed to protect the information, it did confirm that data was not encrypted and could be viewed in plain text.
The data exposed included names, email addresses, blood types, phone numbers, and birthdays. More worryingly, photos of IDs such as driver’s licenses and passports were also left unencrypted for anyone to view and potentially copy.
According to CEO Zakir Hussein, the Calgary-based company has more than 650,000 registered users across Canada.
CBC News contacted Hussein and agreed to hold off on publishing the story until September 28 in order to give the Portpass team an opportunity to secure their website and protect their users’ information. When first confronted about the potential breach, Hussein denied that the app had verification or security issues, and even accused those who raised such concerns of breaking the law.
“Someone that’s out there is trying to destroy us here, and we’re trying to build something good for people,” the chief executive said.
Hussein later said on September 28 that the breach only lasted for minutes. CBC News then told him that it was able to access customers’ personal information for more than an hour, but the CEO continued to insist that the breach only lasted for minutes. It is currently unknown for how long Portpass users’ data was left unsecured.
The CEO later revealed in a separate interview with 630 CHED Radio that Portpass’ servers were turned off to perform a security audit.
Alberta’s privacy commissioner has confirmed that it has yet to receive a report from Portpass, but said that the company has been reminded that if “there is a real risk of significant harm to affected individuals,” an incident must be reported to the commissioner, and that affected individuals must be alerted.
The province of Alberta does not have an official vaccination passport app, CBC News noted. But Portpass was heavily endorsed by the Calgary Sports and Entertainment Corporation – owners of the NHL’s Calgary Flames – as a way for ticket holders to prove their vaccination status before they could watch games in-person.