Calgary police investigate data breach involving vaccine verification app PORTpass
Calgary police say its cybersecurity team is investigating after the Calgary-based vaccine verification app PORTpass left some users' data unsecured and available to be viewed by the public last week.
The company pulled it from the Apple and Google Play app stores and its website says the "team at PORTpass is currently updating."
A news tip sent to CTV News and other media outlets last week pointed out a security flaw that allowed anyone to access profile information of PORTpass users.
The pages displayed the name, email address, blood type, postal code, date of birth and phone number of registered PORTpass users. The page also contained a link to the photo identification submitted by a user, including their driver's licence or passport.
The company's online web portal was pulled down the evening of Sept. 27 and is not yet back up and running.
It is not known for how long users' data was able to be viewed publicly and how many accounts were compromised, though PORTpass CEO Zakir Hussein said he believed fewer than 500 accounts were impacted.
CTV News has not been able to verify exactly how many accounts had data that was publicly accessible.
Hussein told CTV News on Wednesday that PORTpass informed Calgary police of the potential data breach and he was aware of the investigation.
The CEO said the company plans to release a statement about what led to the data breach.
"Hopefully people can, you know, realize what just happened here. It was crazy," he said. Further information will be in the company statement, he added.
PORTpass was initially recommended by the Calgary Sports and Entertainment Corporation (CSEC) to be used at its venues to allow for easier entry into games. CSEC, which owns the Flames and Stampeders, has since updated its proof of vaccination guidelines online and is encouraging fans to bring paper copies of their vaccination records instead.
The Calgary Police Service is asking anyone who believes their data was compromised to contact the non-emergency line at 403-266-1234.