A proof-of-vaccine app in Canada with more than 650,000 users was allegedly breached on Tuesday, leaving users’ personal data exposed.
The app, Portpass, allegedly left its users’ data, including driver’s licenses, email addresses, names, blood types, phone numbers and birthdays exposed by leaving its website unsecured, according to a report from the Canadian Broadcast Corporation.
CBC verified that the personal information could be easily viewed by looking at dozens of peoples’ profiles after receiving a tip the data could be accessed by members of the public, according to the report. The information wasn’t encrypted and could be seen “in plain text.”
In an interview with Newsweek Tuesday evening, the company’s CEO, Zakir Hussein, dismissed the claims, calling them “false.” He said that hundreds of thousands of people were not on the server at the time, and estimated that it may have been only 10 to 15 people. After users are verified, they are taken off the server, and their information would not be able to be accessed, he added.
Hussein said that the information was not in plain sight and that the person who accessed the information did so “maliciously.”
He criticized those who were trying to “shame and crucify” the company, saying that he is working to do good amid the COVID-19 pandemic.
“We’re trying to do good to separate the divide between the vaccinated and unvaccinated,” he said.
As of Tuesday evening, Hussein was waiting for two different security auditors to identify any potential issues. He said they are looking at where any possible holes in the system need to be fixed, and how they can be eradicated.
While the system is being reviewed, the server is down, so no one’s information would be accessible, he said.
“We’re trying to make it right and look forward to working to fix things daily,” he said.
He told CBC the breach only lasted for a few minutes, though the news organization reviewed the personal information for more than one hour. It is unknown how long the information was exposed before they received the tip.
Cybersecurity analyst Ritesh Kotak told CBC he was not surprised to hear their information was exposed, saying he has previously raised similar concerns regarding third-party apps.
“You’ve gotta ask yourself, ‘Where’s the data housed? Who has access to it? Is it encrypted?’…If this gets out to the wrong individuals it opens them up to fraud, identity theft and a whole other world of potential issues,” Kotak said.
The private company is based in Calgary, Alberta, which does not have an official vaccine passport app, unlike many municipalities. Other provinces, including Quebec, have official apps.
Privacy experts have previously raised concerns about COVID-19 vaccine apps.
Newsweek reached out to Portpass for comment Tuesday evening but had not heard back by publication.