Canadian vaccine credential storage app PortPass has stopped registering new users and ordered two security audits after allegations that unapproved persons were able to see personal data of users online.
In an interview with IT World Canada on Wednesday, CEO Zak Hussein acknowledged “issues” are being investigated by two cybersecurity firms. But asked if the reports by CBC and CTV news indicate a serious privacy breach, he initially replied, “No. Our firm is looking to see if this is true.”
Faced with the report that CBC News said it was able to see information on dozens of users and asked if that was a serious privacy breach, when pressed Hussein said, “If there are, of course it is. So we’re waiting to get the audit to say exactly how many people, if that is accurate. I don’t know yet. I’m trying to wait to figure out exactly if this was done, how many.”
Meanwhile, until the security audits are complete, the app remains offline. The home page of PortPass carries a notice saying, ‘We are updating. Stay tuned.’ The registration page wasn’t available.
“What we’ve done is take down the server to figure out where the issues are and where we need better security, better technology and a streamlined process,“ Hussein said.
‘It definitely hurt’
Asked what the controversy has done to the Calgary company’s reputation, he replied, “it obviously, definitely hurt. We want to apologize if there are any issues. We’re going to also try to see if these things happened and why.”
“I want to get it right,” he said at one point. “I need to get every detail ironed out. If there are any flaws, we can’t have any. I was reassured by our app developers things were OK.”
“With our new updates and all of that,” he added, “once we’re ready we’ll be SOC 2 compliant.”
According to Check Point Software, SOC 2 is a voluntary compliance standard for service organizations developed by the American Institute of Certified Public Accountants which specifies how organizations should manage customer data.
A spokesperson for the Office of the Information and Privacy Commissioner of Alberta said Wednesday it has reminded PortPass of its data breach reporting responsibilities. The company, the spokesperson added, “has committed to following up with us. We understand it continues to investigate the incident.”
Two news reports
The security of the PortPass vaccine credential storage app was questioned after CBC news reported Monday that it could see dozens of PortPass user profiles, including personal information. CBC didn’t detail how it was able to do this — whether it was through the app or the PortPass web page — to prevent others from seeing and potentially copying the information.
Hussein disputed CBC’s claim that profiles of “hundreds of thousands” could be at risk based on the number of registered PortPass users. He said the company doesn’t store personal data on its server. However, he did say that “we have 10 to 15 people at once in a queue to get verified.” Once an applicant is verified their data is erased from the PortPass server, he said.
In addition to the CBC report, CTV quoted a Calgary web developer claiming PortPass approved an application he submitted using the photo of actor Rob Schneider. Hussein said that application wasn’t verified by PortPass.
PortPass is one of a number of third-party mobile apps created by developers around the world for storing COVID-19 vaccination documents. They are to be used by stores, restaurants, gyms and sporting venues that demand proof of vaccination before entry. These apps don’t connect to Canadian provincial identification or health databases and aren’t official vaccination verification apps.
How it works
Briefly, to register PortPass a user had to take and upload a photo of themself and also upload an image of a government-approved photo ID of themself. PortPass’ system compares and confirms the images are identical. Then the applicant uploads an image of an official COVID-19 vaccination record or a record of a negative COVID test. PassPort’s system confirms that document hasn’t been tampered with, Hussein said. There are other checks as well, he added.
According to the CBC, the Calgary Sports and Entertainment Corp. (CSEC), which owns the NHL’s Calgary Flames, used the PortPass app as one of the ways ticket holders could show their COVID-19 vaccination status to enter its arena. After the CBC story was published, the arena stopped listing PortPass on its website.
CBC said Hussein initially denied the app had verification or security issues, and accused those who raised concerns about it of breaking the law. However later on Monday CBC agreed to hold back its story to Tuesday to give PortPass time to lock down the site and protect user information.
On Tuesday morning, CBC reported, Hussein said that the breach only lasted for minutes, although CBC pointed out it had reviewed the personal information for more than an hour.
“There’s holes” CBC quoted Hussein as saying, “and what I’m realizing is I think there are some things that we need to fix here. And you know, we’re trying to play catch-up, I guess, and trying to figure out where these holes are.”
In July PortPass said over 200,000 users had pre-registered to use the app.
“With the PortPass,” the company’s news release said, “Canadians will be able to travel safely and securely while controlling the data they share, as the verification process fully encrypts their negative COVID-19 and other variants of concern data and Vaccination statuses. As a Canadian citizen, CEO of PortPass, Zak Hussein believes that security and data protection is vital to Canadians and its privacy and that’s why we have incorporated PORTpass with the utmost guidelines when it comes to monitoring and protecting our nation and its citizens.”
In the IT World Canada interview Hussein called himself a marketer who loves technology and building websites. The idea of the app was “to help people get back to work (and) visit their loved ones” by verifying identity and vaccination or negative test documents. Developers were hired to build the app.
‘Had to fix things’
What he called a beta version of the app was launched at the end of August. From the start there were problems. “What we were trying to do is have many features for the user, but obviously at that time sometimes you got to go back and fix things,” Hussein said. “You know it’s beta. We [officially] launched a week and a half ago. Then we realized we still had some issues to do, such as our server overload” at a Calgary Flames hockey game. “We thought we had enough server speed but it hit a limit so we had to pause, and an hour later it worked. We’re getting better at expediting things like server speed and things we thought we had enough of. But when things like this happen [the alleged privacy breaches] you just have to continue to figure where solutions are.”
Asked if the app was tested enough before it was launched, Hussein said, ”To my knowledge it was. From now, what I’m looking at, we could have added more things. We look forward to doing that.”
”We were constantly getting better, but unfortunately this has come up. And it’s fortunate so we can fix these issues and resolve this for people.”