09-29-2021, 11:30 AM
|
#181
|
Franchise Player
Join Date: Feb 2011
Location: Somewhere down the crazy river.
|
Quote:
Originally Posted by rohara66
That was my question.
|
You could order a birth certificate, which could then be pretty detrimental if they don’t mail it only to the address on the DL.
|
|
|
09-29-2021, 11:38 AM
|
#182
|
It's not easy being green!
Join Date: Oct 2001
Location: In the tubes to Vancouver Island
|
It doesn't really matter what you can do with the information, there is a legal requirement for corporate entities to properly protect personally identifying information (PII). This PortPass application absolutely failed to adhere to the PIPEDA act, and should be fined out of existence. I'd even hold the Flames liable for encouraging fans to use the app as their preferred method to verify vaccination status as they failed to properly do their due diligence.
__________________
Who is in charge of this product and why haven't they been fired yet?
|
|
|
09-29-2021, 11:42 AM
|
#183
|
Franchise Player
Join Date: Feb 2006
Location: Calgary, AB
|
Quote:
Originally Posted by Wormius
You could order a birth certificate, which could then be pretty detrimental if they don’t mail it only to the address on the DL.
|
You can't order a birth certificate without presenting the original proof of ID. Photos and photocopies aren't acceptable.
__________________
Turn up the good, turn down the suck!
|
|
|
The Following User Says Thank You to getbak For This Useful Post:
|
|
09-29-2021, 11:50 AM
|
#184
|
Crash and Bang Winger
Join Date: Nov 2001
Location: Oakville, ON
|
I work in IT and I guess what I don't understand is why CSEC made the choice to work with a no-name developer for this. Given the type of personal information in question it would have made sense to partner w a big IT firm with experience with data security etc. I realize that would have required a different level of investment but perhaps partner with the Oilers to share the cost and mitigate the risks. The whole thing is strange.
|
|
|
09-29-2021, 11:58 AM
|
#185
|
First Line Centre
|
Quote:
Originally Posted by kermitology
It doesn't really matter what you can do with the information, there is a legal requirement for corporate entities to properly protect personally identifying information (PII). This PortPass application absolutely failed to adhere to the PIPEDA act, and should be fined out of existence. I'd even hold the Flames liable for encouraging fans to use the app as their preferred method to verify vaccination status as they failed to properly do their due diligence.
|
Well it does sorta matter. My dad has no idea what to do now that his DL may have been compromised and I'm trying to figure out the potential implications.
At first I didn't think it was that big of a deal but I don't really know. Didn't bars scan/photograph DL's back in the day to track gang activity and fighting and banning people? I doubt their records were that secure either and we all did that to get in.
|
|
|
09-29-2021, 12:01 PM
|
#186
|
Franchise Player
Join Date: Feb 2011
Location: Somewhere down the crazy river.
|
Quote:
Originally Posted by getbak
You can't order a birth certificate without presenting the original proof of ID. Photos and photocopies aren't acceptable.
|
Isn’t that only Alberta birth certificates and ordered in Alberta?
|
|
|
09-29-2021, 12:09 PM
|
#187
|
Franchise Player
|
Quote:
Originally Posted by rohara66
Well it does sorta matter. My dad has no idea what to do now that his DL may have been compromised and I'm trying to figure out the potential implications.
At first I didn't think it was that big of a deal but I don't really know. Didn't bars scan/photograph DL's back in the day to track gang activity and fighting and banning people? I doubt their records were that secure either and we all did that to get in.
|
I'm not sure how helpful this is as I don't have any firsthand experience, but I came across this link from the Edmonton Police Service: https://www.edmontonpolice.ca/CrimeP...rauds/Identity
It included this note:
Quote:
If you lost or sent a picture of your driver’s license in an email or text message to an unknown person call Service Alberta (780-310-0000 if you're in Alberta, or 1-780-427-7013 toll free) to report the details to have it replaced.
|
Others might be able to chime in with more specific information.
|
|
|
09-29-2021, 01:08 PM
|
#188
|
Crash and Bang Winger
|
Quote:
Originally Posted by Beatle17
Just get your Alberta Health Passport and your drivers license and you will have no issue, or wait until the Government comes out with their electronic passport. Never trust a 3rd party for private information.
|
The best part of the official Government of Alberta Passport (or whatever pseudonym they settled on to avoid angering their "base") is that it also lets you enter whatever anonymous information you choose!
|
|
|
09-29-2021, 01:15 PM
|
#189
|
#1 Goaltender
|
Sarah calling out other media sources who are clearly failing to report on this correctly https://twitter.com/user/status/1443088286768009217
Let's be very clear here. Sarah didn't use some 'hack' for the tip to get access.
Everyone's personal info who uploaded to PortPass was allegedly readily available on a non-HTTPS encrypted and unprotected directory available before it was taken down (that would be blocked from entry and is web design 101 if the guy was...um...an actual tech developer).
This is one of the very basic things you are supposed to know if you are designing a website (most website builders will do this automatically for you)
https://www.wpbeginner.com/wp-tutori...ing-wordpress/
The fact that the 'ceo' is claiming that going to an unprotected directory of the portal website is hacking, breaking the law and malicious should tell you all you need to know about his technical expertise. This personal info was fully and publicly available to anyone with any remote knowledge of website design.
Last edited by Firebot; 09-29-2021 at 01:52 PM.
|
|
|
The Following 2 Users Say Thank You to Firebot For This Useful Post:
|
|
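An added example, not part of the post above and not PortPass's code: a small offline audit a site owner could run over responses captured from their own upload paths, flagging the two conditions the post describes (no HTTPS, and a browsable or unauthenticated directory). The host name, paths and response bodies are constructed, and the responses are assumed to have been captured without any login session.

```python
import re
from urllib.parse import urlsplit

# Text that server-generated directory listings (autoindex pages) typically contain.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"Parent Directory", re.I),
)

def audit_response(url, status, body):
    """Return sorted findings for one response captured with no session cookie."""
    findings = set()
    if urlsplit(url).scheme.lower() != "https":
        findings.add("served-without-https")
    if status == 200 and url.endswith("/"):
        # A directory URL that answers 200 with an index page is browsable by anyone.
        if any(m.search(body) for m in LISTING_MARKERS):
            findings.add("directory-listing-enabled")
    elif status == 200:
        # A file returned with 200 and no login challenge is readable without auth.
        findings.add("file-readable-without-auth")
    return sorted(findings)

def audit_all(samples):
    """Map each URL that has at least one finding to its findings."""
    report = {}
    for url, status, body in samples:
        findings = audit_response(url, status, body)
        if findings:
            report[url] = findings
    return report

# Constructed sample responses (hypothetical host and paths).
SAMPLES = [
    ("http://app.example.test/uploads/", 200,
     "<html><head><title>Index of /uploads</title></head>"
     "<body><h1>Index of /uploads</h1><a href='../'>Parent Directory</a></body></html>"),
    ("https://app.example.test/private/", 403, "Forbidden"),
    ("https://app.example.test/uploads/id-0001.jpg", 200, "<binary>"),
    ("https://app.example.test/private/id-0002.jpg", 401, ""),
]

if __name__ == "__main__":
    for url, findings in audit_all(SAMPLES).items():
        print(url, findings)
```

A clean result is an empty report: directory URLs answer 403 or 404, files answer 401 or a redirect to login, and every URL is HTTPS.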
09-29-2021, 01:20 PM
|
#190
|
It's not easy being green!
Join Date: Oct 2001
Location: In the tubes to Vancouver Island
|
Quote:
Originally Posted by rohara66
Well it does sorta matter. My dad has no idea what to do now that his DL may have been compromised and I'm trying to figure out the potential implications.
At first I didn't think it was that big of a deal but I don't really know. Didn't bars scan/photograph DL's back in the day to track gang activity and fighting and banning people? I doubt their records were that secure either and we all did that to get in.
|
I think you're misunderstanding my point here. There are a lot of things that you can do with it, I was highlighting that there is a legal requirement under the PIPEDA act to protect that information which this company failed to do. The Flames stating they're "working with the vendor" is utterly unacceptable as this vendor has demonstrated a clear lack of care and attention to information security. They've ignored BASIC levels of security and data protection. The Flames should NOT be working with them at all anymore. There is no coming back from this for PortPass.
__________________
Who is in charge of this product and why haven't they been fired yet?
|
|
|
The Following 3 Users Say Thank You to kermitology For This Useful Post:
|
|
09-29-2021, 01:22 PM
|
#191
|
Franchise Player
|
i would like my favorite team to stop doing something stupid for five minutes
|
|
|
The Following 19 Users Say Thank You to Ashasx For This Useful Post:
|
alexle,
bdubbs,
ben voyonsdonc,
Calgary Highlander,
cam_wmh,
Cole436,
CroFlames,
Fighting Banana Slug,
Flashpoint,
howard_the_duck,
jayswin,
klikitiklik,
Number 39,
Pellanor,
redflamesfan08,
saillias,
sec304,
united,
vennegoor of hesselink
|
09-29-2021, 01:22 PM
|
#192
|
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
|
Quote:
Originally Posted by Number 39
I work in IT and I guess what I don't understand is why CSEC made the choice to work with a no-name developer for this. Given the type of personal information in question it would have made sense to partner w a big IT firm with experience with data security etc. I realize that would have required a different level of investment but perhaps partner with the Oilers to share the cost and mitigate the risks. The whole thing is strange.
|
You should know exactly how this kind of thing happens. VP sees bullet points on a presentation and that's how they decide.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
|
|
|
09-29-2021, 01:22 PM
|
#193
|
That Crazy Guy at the Bus Stop
Join Date: Jun 2010
Location: Springfield Penitentiary
|
Yeah this is a shocking disregard for the legally protected privacy of their customers that the Flames clearly don’t give a #### about.
The fact they didn’t drop this app provider the second this came out is a massive red flag for anyone who deals with CSEC, which is a #### ton of people.
Last edited by Cecil Terwilliger; 09-29-2021 at 01:25 PM.
|
|
|
09-29-2021, 01:27 PM
|
#194
|
First Line Centre
|
Quote:
Originally Posted by kermitology
I think you're misunderstanding my point here. There are a lot of things that you can do with it, I was highlighting that there is a legal requirement under the PIPEDA act to protect that information which this company failed to do. The Flames stating they're "working with the vendor" is utterly unacceptable as this vendor has demonstrated a clear lack of care and attention to information security. They've ignored BASIC levels of security and data protection. The Flames should NOT be working with them at all anymore. There is no coming back from this for PortPass.
|
I asked what could people do with the DL information.... and you said 'it doesn't matter' and then explained PIPEDA. So perhaps the misunderstanding goes both ways.
I don't care about PIPEDA and what's going to happen to the app developer. I just want to know what risk my dad might have with his DL information being out there potentially.
|
|
|
09-29-2021, 01:27 PM
|
#195
|
Franchise Player
Join Date: Feb 2006
Location: Calgary, AB
|
Quote:
Originally Posted by Wormius
Isn’t that only Alberta birth certificates and ordered in Alberta?
|
Yeah, I don't know about other provinces, but in Alberta you need to present your original government-issued ID. If you're out of province and need to get your Alberta birth certificate, you need to get your original government-issued ID notarized before sending in your request form.
__________________
Turn up the good, turn down the suck!
|
|
|
09-29-2021, 01:37 PM
|
#196
|
#1 Goaltender
|
Quote:
Originally Posted by rohara66
I asked what could people do with the DL information.... and you said 'it doesn't matter' and then explained PIPEDA. So perhaps the misunderstanding goes both ways.
I don't care about PIPEDA and what's going to happen to the app developer. I just want to know what risk my dad might have with his DL information being out there potentially.
|
Typical advice if your driver's license is stolen.
https://www.experian.com/blogs/ask-e...ber-is-stolen/
In this case, this was publicly available for anyone and everyone that had knowledge on how to get it. Whether that is going to be used maliciously, no one can say, but that is why the PIPEDA act exists to prevent such gross negligence.
|
|
|
09-29-2021, 01:40 PM
|
#197
|
#1 Goaltender
|
what are the chances that a CBC reporter and their source are the first/only people to grab the unsecured data? I'm going to assume that by the time a vulnerability like this has made front page news, the bad guys have already smashed and grabbed everything. or in this case, calmly walked through the front door that was helpfully propped open with a doorstop.
|
|
|
09-29-2021, 01:42 PM
|
#198
|
Scoring Winger
|
Quote:
Originally Posted by Number 39
I work in IT and I guess what I don't understand is why CSEC made the choice to work with a no-name developer for this. Given the type of personal information in question it would have made sense to partner w a big IT firm with experience with data security etc. I realize that would have required a different level of investment but perhaps partner with the Oilers to share the cost and mitigate the risks. The whole thing is strange.
|
Some similar thoughts. I got part way through the sign-up process and then red flags were going up everywhere. I browsed quickly through this thread and saw there was lorem ipsum on their FAQ and realized CSEC made a really uneducated decision on something pretty critical. There has to be an IT guy at CSEC somewhere that is saying I told you so or is wondering why they weren't included in the decision...
|
|
|
09-29-2021, 01:45 PM
|
#199
|
Franchise Player
Join Date: Jul 2003
Location: In my office, at the Ministry of Awesome!
|
What really bothers me about this is the complete silence from CSEC.
I emailed my season ticket rep and got pretty much the same canned response about how they are doing 2 audits, but no follow up communication to season ticket holders about this.
Pretty bad look for CSEC in all of this, and they are handling it really poorly.
__________________
THE SHANTZ WILL RISE AGAIN.
 <-----Check the Badge bitches. You want some Awesome, you come to me!
|
|
|
09-29-2021, 01:57 PM
|
#200
|
#1 Goaltender
|
Quote:
Originally Posted by PepsiFree
Is that true? I recently switched banks and in the process signed up for a few (no fee banking accounts, just to try out the service before deciding which I would use as my primary).
All of them required SIN.
|
https://www.scotiabank.com/ca/en/per...in-canada.html
Quote:
There are three different ways that lead to an open bank account in Canada, and you can do so without a Social Insurance Number (SIN).
|
SIN is only required for interest earning accounts (basically only because the taxman is involved)
|
|
|
The Following User Says Thank You to Firebot For This Useful Post:
|
|