New passport processing system exposed to security gaps, audit finds

The federal department that processes Canadian passports didn't take proper security precautions when it implemented a new system for issuing the travel documents, according to an audit of the program.

Program was designed to be secure, cost-effective alternative to outdated system

An internal audit found that passport processing system was implemented without adequate security precautions. Immigration, Refugees and Citizenship Canada has suspended use of the program for passports. (Tom Hanson/Canadian Press)

The federal department that processes Canadian passports didn't take proper security precautions when it implemented a new system for issuing the travel documents, according to an audit of the program.

An internal review of the Global Case Management Program found the project was "not sufficiently structured and did not include a plan for security requirements." 

"Further improvement is required to ensure an effective, efficient and secure integration," the report concluded.

The GCMS was part of the $101-million passport program modernization initiative established after authority was moved from Foreign Affairs (now called Global Affairs) to Citizenship and Immigration (now called Immigration, Refugees and Citizenship) in 2013. The goal was to build capacity and security features for a cost-effective alternative that would eventually process online applications.

Identified risks

The audit, which was completed in February 2016 and quietly posted to the departmental website a few months later, said IRCC leveraged expertise from industry and other federal departments and established several oversight mechanisms to track key project areas. But identified risks were not consistently monitored and addressed, the report said.

It also found there was no evidence that the information technology security plan was being followed, and that key security measures were missing, including a preliminary threat- and risk-assessment.

One year ago, the department suspended its use of a new system to process passport applications after CBC News reported on widespread glitches with the program.

The department said it was "pausing" the processing of passports through the GCMS in order to incorporate "lessons learned" during the testing phase.

No passports are currently being issued through the GCMS, but the department confirmed that refugee travel documents have been processed through the system since fall 2015.

At least 1,500 Canadian passports had been produced under a flawed new system that opened the door to fraud and tampering, according to documents obtained by CBC/Radio-Canada.

Internal records revealed the processing program was rushed into operation on May 9, despite warnings from senior officials that it was not ready and could present new security risks.

The department insisted that no passports have been issued with security gaps and that at no point had the integrity or security of the passport issuance been compromised.

Since the launch of the new system, officials had been scrambling to fix hundreds of glitches and to seal security gaps. Weeks after the new process was brought on line, there were calls to stop production.

Recommendations ignored

Those recommendations were ignored, and the passports continued to be issued in the first phase of production under the new system, designed to enhance security and integrate with other global programs. 

Numerous reports obtained by CBC/Radio Canada showed that during a period of several weeks, it was possible for employees to alter the photo on a passport after it had been approved. There were also numerous reports of discrepancies between information contained in the database and what actually appeared on a passport.

In some cases, information disappeared from the system, making it difficult to verify if the applicant had used questionable guarantors or had made repeated claims of lost or stolen passports in the past.

That information acts as a safeguard to flag potential problems with applications.

 Management accepted all six recommendations stemming from the audit, which ranged from medium to high risk. One plank of the "action plan" was to secure spending authorities to advance the project to the next phase.