globeandmail.com: Passport applicant finds massive privacy breach - Via The Globe and Mail :

A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports.

The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser.

"I was expecting the site to tell me that I couldn't do that," said Jamie Laning of Huntsville. "I'm just curious about these things so I tried it, and boom, there was somebody else's name and somebody else's data."

That data included social insurance numbers, driver's licence numbers and addresses.

Also available were home and business phone numbers, a federal ID card number and even a firearms licence number.

"This is exactly how identity theft happens," said Carlisle Adams, an Internet data security expert and professor at the University of Ottawa. "If you want to take out a mortgage, for example, this is the type of information the bank is going to ask for to make sure you're really the person you're claiming to be. Then all of a sudden there's a mortgage in someone else's name."

Mr. Laning, 47, an IT worker at Algonquin Automotive, informed Passport Canada of the breach last week and the passport application site was suspended through yesterday morning.

Passport Canada spokesman Fabien Lengelle acknowledged that a security breach occurred but said that it was repaired on Friday. Yesterday's closing of the website was caused by "problems of a different nature," he said

"We've probed this issue today very thoroughly," Mr. Lengelle said. "This incident is an isolated anomaly. The online passport system is still a very highly secure application."

But after the website resumed operation yesterday afternoon, a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts.

"That's a concern because obviously there's a weakness in their system that exposes valuable personal information to viewing by people," said Colin McKay, a spokesman for the office of the federal Privacy Commissioner of Canada.

"It's always a concern for us when agencies don't take all the security measures they can, especially an agency like Passport Canada that deals with basic documents."

Jason Marsden, a Brampton resident whose social insurance and driver's licence numbers were accessed by Mr. Laning, said he was "totally surprised" to learn that his personal information was so readily available.

"If you read the disclaimer on the website, it's supposed to use high-tech security," Mr. Marsden said in an interview. "You'd think it wouldn't be that bloody simple."

(Read Original Article - Via globeandmail.com .)