Case Study #9 - When the media cries wolf, we get desensitized to the important things
Not every breach is “Massive”. It can’t be. When you have limited resources, you have to budget for security across the board. It occurs in every system that’s built. We do need to keep an eye on things and hold people accountable to correct problems, but when the media highlights these breaches using hyperbole, it doesn’t help.
This case at Passport Canada (HERE) was clearly one that could have been prevented with a little more analysis and testing during the design and development cycle. But as far as I can tell, it was limited in its impact compared to the loss of thousands of citizens’ personal information when a laptop was stolen at Service Canada last month.
What went wrong?
According to the report, a citizen filling in the Canadian Passport application forms online decided to change the URL in his browser to see what would happen. By changing a character in the Address Line he was apparently able to see another person’s passport application containing all the private information collected during the process. The Globe and Mail newspaper headline reported “Passport applicant finds massive privacy breach”.
The Bottom Line
This type of problem is still serious; there is no question. It should not be allowed to happen. However, in the world of limited budgets for development and security testing, it is not unexpected that these kinds of problems happen.
There are certainly many points in a system development process where this type of problem should have been identified and fixed before going into operation, including:
- Security requirements phase - “URL manipulation by users should not allow them to see private information of other users”
- Threat and Risk Assessment (TRA) - Identifying potential attacks and areas that require additional safeguards
- Security testing - Functional and infrastructure testing against the above security requirements, as well as penetration testing using tools designed to locate vulnerabilities
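The security requirement and the matching security test from the list above, as an added example (not Passport Canada's code). The record store, user names, IDs and function names are hypothetical and the data is constructed.

```python
# Constructed sample data: application records keyed by the ID carried in the URL.
APPLICATIONS = {
    "1001": {"owner": "alice", "name": "Alice Example"},
    "1002": {"owner": "bob", "name": "Bob Example"},
}

# Refused cross-user requests, kept so operations staff can review them.
DENIED = []


def get_application_unchecked(session_user, app_id):
    """'Before' handler: returns whatever record the URL names.

    The logged-in user is never consulted, which is the flaw the report describes.
    """
    return APPLICATIONS.get(app_id)


def get_application_checked(session_user, app_id):
    """'After' handler: the record is returned only to the user who owns it."""
    record = APPLICATIONS.get(app_id)
    if record is None:
        return None
    if record["owner"] != session_user:
        DENIED.append((session_user, app_id))
        # Same answer as "no such record", so the response does not confirm the ID exists.
        return None
    return record


def requirement_violations(handler, users):
    """Security test: each user requests every ID; report records seen by a non-owner."""
    violations = []
    for user in users:
        for app_id, record in APPLICATIONS.items():
            result = handler(user, app_id)
            if result is not None and record["owner"] != user:
                violations.append((user, app_id))
    return violations


if __name__ == "__main__":
    users = ["alice", "bob"]
    print("unchecked:", requirement_violations(get_application_unchecked, users))
    print("checked:  ", requirement_violations(get_application_checked, users))
    print("denied log:", DENIED)
```

Run against every build, a test like requirement_violations turns the written requirement into a release gate.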
The reason I am not “shocked and appalled” at this breach is because it cannot be classified as a “massive” privacy breach. A massive breach is one in which a single event causes a multitude of individuals’ private information to become compromised.
This is obviously a case of a reporter looking to make big headlines at the expense of a large system operator who has, in all likelihood, done an adequate, if not excellent, job securing the system as a whole. When this happens, security experts cringe because it tends to focus on the wrong areas when it comes to applying security resources in proportion to the importance of sensitive information and systems.
If you’d like to cast your vote in the survey on whether you agree that this kind of reporting is unwarranted, click (HERE).

