Skip to main content

Digital Trends may earn a commission when you buy through links on our site. Why trust us?

This vaccine passport app data breach is a cautionary tale

A security blunder by proof-of-vaccination app Portpass provides a reminder that third-party apps may not protect your privacy and security. According to CBC News, Portpass exposed potentially hundreds of thousands of users’ personal information on its unsecured website.

After receiving a tip that the user profiles on the app’s website were accessible by members of the public, CBC verified the claim. While on the website, CBC was able to see users’ personal information, email addresses, blood types, birthdays, phone numbers, and photo identification, including driver’s licenses and passports.

Recommended Videos

This came after the company’s CEO, Zakir Hussein, denied that the app had security issues and “accused those who raised concerns about it of breaking the law.”

CBC gave Hussein and his company time to fix the lapse before publishing its article. The following morning when Hussein addressed the issue, he claimed that the breach only lasted for a few minutes, despite CBC reviewing the personal information for more than an hour —  after someone tipped them off. In light of this, it’s unclear how long the information was exposed.

Security problems expert saw coming

When CBC interviewed cybersecurity analyst Ritesh Kotah about the Portpass security problems, he shed some light on the issue.

“These were exactly the privacy and security concerns I’ve previously raised when it comes to third-party apps. You’ve gotta ask yourself, ‘Where’s the data housed? Who has access to it? Is it encrypted?’” Kotak said. He also addressed the risks to users whose information was exposed: “It opens them up to fraud, identity theft, and a whole other world of potential issues.”

But people do have to prove their vaccination status sometimes, and since there is no official proof-of-vaccination app for Alberta, Canada, residents, they get funneled toward third-party apps. More than 200,000 Canadians preregistered for Portpass by mid-June. Three months later, Portpass has more than 650,000 registered users, according to Hussein.

The Calgary Sports and Entertainment Corporation recommended Portpass to ticket-holders for games at Scotiabank Saddledome and McMahon Stadium. The recommendation has been removed, but in a Reddit post dated five days before CBC learned of the breach, one user warned against downloading the app. They pointed out that Portpass’ privacy policy didn’t guarantee adherence to Alberta’s Health Information Act or other federal legislation, stating only that they use the “highest security.” The user concluded: “Using this service and trusting them to properly protect your personal health care information would be a huge mistake.”

What now?

Users who fear their information may have been compromised should notify the Office of the Privacy Commissioner of Canada. According to IT World Canada, Alberta privacy commissioner’s office is in communication with Portpass as the company investigates the breach.

Sandra Stafford
Former Digital Trends Contributor
Sandra Stafford is a Mobile team writer. She has three years of experience writing about consumer technology. She writes…
Hacker claims to have hit Apple days after hacking AMD
The Apple logo is displayed at the Apple Store June 17, 2015 on Fifth Avenue in New York City

Data breaches happen all the time, but when the giants get hit, it's impossible not to wonder what kind of critical data may become exposed. Earlier this week, notorious cybercriminal Intelbroker reported that they managed to hack AMD. Now, they followed up with claims about hacking Apple, and went as far as to share some internal source code on a hacking forum.

As Apple has yet to comment, all we have to go off is the forum post, first shared by HackManac on X (formerly Twitter). In the post, Intelbroker states that Apple suffered a data breach that led to the exposure of the source code for some of its internal tools. The tools include AppleConnect-SSO, Apple-HWE-Confluence-Advanced. There's been no mention of any customer data being leaked, which is good news, but there could still be some impact on Apple if this proves to be true.

Read more
The best data recovery software for iPhone
Data on an iPhone next to a keyboard.

If you’ve been the unfortunate victim of a frozen iPhone, water-damaged device, or the dreaded screen of death, all is not lost. You can recover files, photos, app data, messages, and more using a data recovery app for iPhone.

With the following options, you can restore a small amount of content, specific items, or everything on your iPhone. Some of the apps even offer repair tools for fixing the issue that initially caused the data loss.
iMobie PhoneRescue

Read more
AT&T customers past and present impacted by huge data leak
An at&t office building.

AT&T has changed the account passcodes of millions of its customers after it confirmed a massive data breach that saw personal data leaked on the dark web.

AT&T said in a message on its website on Saturday that it was reaching out to 7.6 million current customers and 65.4 million former customers whose personal information had been compromised in a data leak involving “sensitive personal information” such as names, phone numbers, addresses, birth dates, AT&T account numbers and passcodes, and Social Security numbers.

Read more