Unforgivable ...
I am neither shocked nor surprised at this colossal screw up by my Government's Bureaucracy.
@Jeremy - the articles say it was as easy as altering the URL.
"an Ontario man applying online for a passport last Thursday discovered he could access personal information - such as social insurance numbers, birthdates and driver's licence numbers - of other applicants by altering one character in the Internet address displayed by his Web browser."[1] - URL manipulation
"Mr. Lengelle added that the personal information of applicants is never stored online."[1] - is either totally clueless, calling the report a lie, or both.
"'When a passport has been issued, the information is deleted,' said Mr. Lengelle."[4] - only online for a few weeks then. Well that makes it okay then, doesn't it.
"Minister Maxime Bernier told the House of Commons that he spoke with Passport Canada CEO Gérard Cossette and was assured that the security problem had been fixed."[1] - perhaps that one particular problem has been fixed/patched/bypassed.
"'The Web site of Passport Canada is now one of the most secure,' Mr. Bernier told the House."[4] - Unbelievable.
As a security professional with extensive security testing experience, I have some observations. Basically the error is inexcusable and strongly suggests that there are other problems.
1. This kind of mistake was kindergarten over 10 years ago!
2. The site was launched in 2005 [1]. Such an error was inexcusable long before then. Why did it take almost three years to find this?
3. If they can't get a simple navigation/access control issue right, what about issues that emerged after 1996! Cross-site scripting? SQL injection?
4. In my experience, a problem of this type suggests those who implemented the site were (possibly grossly) negligent and totally clueless about security. This error should have been caught in basic testing. A penetration test should have caught it. Clearly testing was neglected.
5. Fixing security problems of this sort is often more difficult than a quick fix will allow. I've seen quick fixes that can be easily bypassed. I've also seen real fixes that can take months. Often this is a function of the framework used. Possibly they can fix this fast, but I wouldn't bet on it.
6. The Government of Canada should launch a broad investigation to make sure this is not isolated. They should start with an inventory of all their online services prioritized by the sensitivity of data they process/transmit. They should sample by risk and by vendor/developer. And like in a real-world infrastructure failure, they should carefully scrutinize anything the developers and maintainers touched.
Other articles/references:
[1] http://www.theglobeandmail.com/servlet/story/RTGAM.20071205.wpassport05/BNStory/National/home
[2] http://ca.today.reuters.com/news/newsArticle.aspx?type=domesticNews&storyID=2007-12-04T220025Z_01_N04527003_RTRIDST_0_CANADA-PASSPORTS-COL.XML
[3] http://www.theglobeandmail.com/servlet/story/RTGAM.20071204.wpassport1204/BNStory/National/home
[4] http://www.nationalpost.com/news/story.html?id=144179
By the way, I wonder when the third shoe drops … who’s going to have the next Commonwealth IT Security screw up.
Perhaps the Discovery Channel could do another reality show with the flavour of “Canada’s Worst Driver”, “Canada’s Worst Handyman”. Welcome, “Canada’s worst web developer!” I’d be up to be judge!
Thankfully, when I renewed after 2005, I did it offline!
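The class of flaw discussed in this comment (a record fetched by an identifier taken from the URL, with no ownership check) and the kind of basic test that catches it, as an added example that is not part of the original comment and not code from the site in question. The record layout, handler names and sample data are constructed assumptions.

```python
# Added illustration; every name and value here is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str   # account that submitted the application
    sin: str     # constructed placeholder, not a real number

# Constructed records with sequential ids, as a URL such as
# /application?id=1001 would expose them.
STORE = {
    1001: Application(1001, "alice", "000-000-001"),
    1002: Application(1002, "bob", "000-000-002"),
}

class Forbidden(Exception):
    pass

def view_vulnerable(session_user, app_id):
    """Trusts the id from the URL: any logged-in user reads any record."""
    return STORE[app_id]

def view_checked(session_user, app_id):
    """Authorizes every request against the server-side session."""
    app = STORE.get(app_id)
    # Same error for "missing" and "not yours", so ids cannot be probed.
    if app is None or app.owner != session_user:
        raise Forbidden(app_id)
    return app

def audit(handler, users, ids):
    """Basic access-control test: try every (user, id) pair and
    return the pairs where a user read someone else's record."""
    leaks = []
    for user in users:
        for app_id in ids:
            try:
                app = handler(user, app_id)
            except (Forbidden, KeyError):
                continue
            if app.owner != user:
                leaks.append((user, app_id))
    return leaks

if __name__ == "__main__":
    users, ids = ["alice", "bob"], [1001, 1002, 1003]
    print("vulnerable:", audit(view_vulnerable, users, ids))
    print("checked:   ", audit(view_checked, users, ids))
```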