Private proof-of-vaccination app Portpass exposed personal information, including the driver's licences, of what could be as many as hundreds of thousands of users by leaving its website unsecured.
On Monday evening, CBC News received a tip that the user profiles on the app's website could be accessed by members of the public.
CBC is not sharing how to access those profiles, in order to protect users' personal information, but has verified that email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver's licences and passports can easily be viewed by reviewing dozens of users' profiles.
The information was not encrypted and could be viewed in plain text.
Earlier in the day, the Calgary-based company's CEO Zakir Hussein had denied the app had verification or security issues and accused those who raised concerns about it of breaking the law.
CBC called Hussein late Monday, and agreed to hold off on publishing an article on the lapse until late Tuesday morning in order to give his team time to lock down the site and protect user information.
The portpassportal.com web app was pulled offline that evening and users of the mobile app were met with "Network error" pop-up messages if they attempted to upload or modify any information.
Hussein said Tuesday morning that the breach only lasted for minutes, and repeated that claim when CBC pointed out it had reviewed the personal information for more than an hour — and it's unknown how long the information was exposed before that tip was received.
"Someone that's out there is trying to destroy us here, and we're trying to build something good for people," he said.
"There's holes, and what I'm realizing is I think there are some things that we need to fix here. And you know, we're trying to play catch-up, I guess, and trying to figure out where these holes are."
The CEO said data has been pulled from the server and his developers are investigating. He said he believes only those who were awaiting verification were affected, a claim CBC was unable to verify.
Hussein has said Portpass has more than 650,000 registered users across Canada.
Security, privacy concerns
Cybersecurity analyst Ritesh Kotak said he was shocked but not surprised to hear users' information was exposed.
"These were exactly the privacy and security concerns I've previously raised when it comes to using third-party apps," Kotak said. "You've gotta ask yourself, 'Where's the data housed? Who has access to it? Is it encrypted?'… If this gets out to the wrong individuals it opens them up to fraud, identity theft and a whole other world of potential issues."
Earlier on Tuesday morning, Hussein spoke with 630 CHED Radio and said the servers were turned off to perform a security audit. He did not mention during that interview that users' personal information had been exposed.
The Calgary Sports and Entertainment Corporation (CSEC), which owns the NHL's Calgary Flames, had recommended the Calgary-based app as a way for ticket holders to prove their COVID-19 vaccination status to enter the Scotiabank Saddledome arena.
CSEC said Monday in an emailed statement, before the security lapse was discovered, that it's aware of concerns raised about the app and is working with the app's developer. CBC has reached out to CSEC for further comment. On Tuesday, after this article was published, CSEC pulled the recommendation for the app from the Flames' website.
"It seems like these were some really basic things that were missed. I question why the Calgary Flames in the first place said go ahead and use this app … you gotta do your homework," Kotak said.
Sharon Polsky, president of the Privacy and Access Council of Canada, said those who fear their information may have been compromised can notify the Office of the Privacy Commissioner. She said the company should have to answer some hard questions about how long the information was accessible and how many users saw their data exposed.
"Will they conduct a forensic audit? Will they bring in a third-party independent auditor, not just somebody from within their company, to look it over and say, 'Yeah, we had a problem?'" Polsky said.
Hussein said his company will notify the offices of the federal and Alberta privacy commissioners.
The Alberta privacy commissioner's office said in an emailed statement that it has not yet received a report, and said it is contacting Portpass to remind it that if "there is a real risk of significant harm to affected individuals" an incident must be reported to the commissioner and individuals must be notified.
The federal privacy commissioner also said it has not yet received a report, and said it has contacted Portpass to seek further information in order to determine next steps, and that it is in communication with its provincial counterpart.
Alberta does not have an official app
On Sunday, Conrad Yeung, a local web developer, had questioned on social media whether the app was accurately verifying vaccination information and CBC News had contacted the company to ask for a response.
Shortly after CBC contacted the company on Sunday, the app began to experience technical difficulties, but Hussein said the crash was due to an influx of users headed to that night's hockey game, overloading the server.
Alberta currently does not have an official proof-of-vaccination app, and the province's PDF vaccine record has been criticized for being easy to edit.
Kristi, one Portpass user, said she was scared to learn her personal information may be compromised. CBC News agreed not to use her last name in case her information was among those exposed.
She said she only downloaded a private app because the government hasn't yet made one available — a delay that frustrates her.
"It was like a kick in the gut when I got the CBC News alert … I don't know if my information is out there," she said.
Yeung had tested the Portpass app by uploading a photo of an actor as an ID photo, and editing a fake vaccination record to display the actor's name that the app verified as legitimate.
However, earlier on Monday, Hussein had denied that the app validated Yeung's false information, despite it appearing to do so, because he said the fake picture would be a giveaway.
"That's not true. We saw it on the back end and we were watching it.… So even if that user showed up, he wouldn't be able to utilize that picture because that's not him. So you wouldn't be able to get in. Secondly, that QR code, if someone scanned it, it would show that picture again," he said at the time.
Hussein had also said security concerns Yeung had raised about the app were false, and suggested he may contact authorities over his social media posts. He said he wished Yeung and others publicly posting concerns instead had privately reached out to the company.
"Instead he did that maliced behaviour. That, you know, that's not nice," he said.
Yeung said earlier on Monday he had no ill-will toward the company but simply wanted to raise the issues he spotted.
"I was trying to warn, I guess, the general public based on the vulnerabilities that I saw. Because at the end of the day, it's personal information people are submitting," he said.