Portpass app may have exposed hundreds of thousands of users’ personal data

Private proof-of-vaccination app Portpass exposed personal information, including the driver’s licences, of what could be as many as hundreds of thousands of users by leaving its website unsecured. 

On Monday evening, CBC News received a tip that the user profiles on the app’s website could be accessed by members of the public.

CBC is not sharing how to access those profiles, in order to protect users’ personal information, but has verified that email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver’s licences and passports can easily be viewed by reviewing dozens of users’ profiles.

The information was not encrypted and could be viewed in plain text.

Earlier in the day, the Calgary-based company’s CEO Zakir Hussein had denied the app had verification or security issues and accused those who raised concerns about it of breaking the law.

CBC called Hussein late Monday, and agreed to hold off on publishing an article on the lapse until late Tuesday morning in order to give his team time to lock down the site and protect user information.

The portpassportal.com web app was pulled offline that evening and users of the mobile app were met with “Network error” pop-up messages if they attempted to upload or modify any information.

Hussein said Tuesday morning that the breach only lasted for minutes, and repeated that claim when CBC pointed out it had reviewed the personal information for more than an hour — and it’s unknown how long the information was exposed before that tip was received.

“Someone that’s out there is trying to destroy us here, and we’re trying to build something good for people,” he said. 

“There’s holes, and what I’m realizing is I think there are some things that we need to fix here. And you know, we’re trying to play catch-up, I guess, and trying to figure out where these holes are.”

The CEO said data has been pulled from the server and his developers are investigating. He said he believes only those who were awaiting verification were affected, a claim CBC was unable to verify. 

Hussein has said Portpass has more than 650,000 registered users across Canada. 

Read More Here