Privacy Reports

Decision Information

Summary:

• Fraudulent driver's licence address changes on the ServiceOntario website.

• Section 2(1) (personal information): The records contained personal information.

• Section 42 (disclosure): The disclosure of the personal information was not in accordance with the Act.

• Section 4(1) of O.R. 460 (Security): MGS did not have reasonable security measures in place.

• Recommendations:

1. Continue to develop long-term solutions for online authentication.

2. Develop measures to better detect and report on suspicious changes of address.

Decision Content

PRIVACY COMPLAINT REPORT

PRIVACY COMPLAINT NO.: PC10-36, PC10-42, and PI10-3

INVESTIGATOR: Mark Ratner

INSTITUTION: Ministry of Government Services

SUMMARY OF COMPLAINT:

 

The Office of the Information and Privacy Commissioner/Ontario (IPC) received a privacy complaint from an individual (the complainant) under the Freedom of Information and Protection of Privacy Act (the Act). The complainant advised that he had become aware that the address associated with his driver’s licence and vehicle registration had been fraudulently changed to an incorrect address. In response to this complaint, the IPC opened privacy complaint file PC10-36 and commenced an investigation.

 

The complainant explained that he did not receive the application to renew the sticker on his licence plate, which expired on his birthday. He advised that he went to a ServiceOntario Driver and Vehicle Licence Issuing Office for the purpose of renewing the sticker on his licence plate.

 

The complainant provided his driver’s licence and vehicle registration to a staff person at the Driver and Vehicle Licence Issuing Office, who looked up his driver’s licence information. The staff person advised that the address on his driver’s licence had been changed approximately six months prior, and that the change of address had automatically changed the address associated with his vehicle registration.

 

The complainant explained to the staff person that the new address was not his correct address, and the staff person stated that she recognized the incorrect address as three other people had also had their driver’s licence address changed to the same incorrect address.

 

The complainant stated that his address was changed back to his correct address and a new driver’s licence was mailed to him.

 

The next day, the complainant went to the incorrect address that had been wrongly associated with his driver’s licence and noted that the address belonged to an abandoned building.

 

The complainant expressed concern that driver’s licence addresses could be changed over the internet by entering only the driver’s licence number and associated postal code. The complainant noted that to his knowledge, there were no additional measures in place to authenticate that the person changing the address on the online system was the valid licence-holder.

 

After filing the complaint, the complainant called the IPC to advise that he had received a phone call from a credit bureau indicating that an individual had commenced a credit application in his name, and had provided a photocopy of his driver’s licence, as well as a photocopy of a Social Insurance Number (SIN) card as supporting documentation.

 

The complainant explained that as a result of this incident, he wanted to have his driver’s licence number changed to a different number.

 

MTO investigated the circumstances surrounding the change to the complainant’s address and confirmed that it had been changed via an online transaction on the ServiceOntario website, which triggered the automatic mailing of a driver’s licence to the false address. ServiceOntario is an arm of the Ministry of Government Services (MGS). It delivers many services on behalf of the Ontario government, including driver and vehicle licensing services and address changes for driver’s licences, Health Cards, and Outdoor cards.

 

Subsequent to receiving the original complaint, the IPC was contacted by a second individual who explained that the address for his driver’s licence had been changed online without his knowledge via the ServiceOntario website. This second individual indicated that he became aware of this address change when he was contacted by the fraud department of a credit bureau who advised him that someone had been using his identity to submit a large credit application. Based on this contact, the IPC opened an additional file, privacy complaint file PC10-42.

 

The IPC was then contacted by a third individual who provided details regarding circumstances that were similar to the two cases described above. This third individual advised that a credit application had been filed in his name, which included a photocopy of his driver’s licence with an incorrect address, his SIN, and information pertaining to his employer. As a result of this contact, the IPC opened privacy complaint file PI10-3.

 

Background information provided by MGS

 

In response to this privacy investigation, MGS provided the following background information to the IPC.

 

MGS confirmed that the driver’s licence address change function available on the ServiceOntario website allowed individuals to change the address corresponding with their driver’s licence and vehicle registration by inputting their driver’s licence number and their current postal code. Once this information had been inputted, users were asked to provide a new address, which would result in a new driver’s licence being sent to the address provided.

 

As a result of the improper changes of address reported to the IPC, MGS confirmed that it had commenced an investigation into the improper address changes that have taken place through the ServiceOntario website. To date, MGS has reported that it has uncovered 93 confirmed cases of fraudulent address changes that resulted in the improper disclosure of driver’s licences, as well as two additional address changes that appeared to be suspicious. In all of these cases, the addresses of licence-holders had been changed to clubs, vacant lots, or condemned houses. As a result of these investigations, MGS took the proper step of voluntarily shutting down the address change function available on the ServiceOntario website. In addition to the confirmed cases of fraudulent address changes, MGS had identified one address change transaction initially thought to be suspicious that was ultimately discovered to be a legitimate address change. ServiceOntario provided our office with assurances that the online address change function would not be reinstated until a suitable level of authentication has been put in place to prevent fraudulent activities. I applaud ServiceOntario for taking this necessary step.

 

MGS has also explained that in at least three of the cases in question, the affected individuals had had their addresses changed repeatedly. In these cases, the individual in question had noticed an incorrect address, and had it changed back, only to discover that it had been changed to an incorrect address again. MGS further advised that its investigation of fraudulent online transactions was continuing and that it was possible that additional improper address changes may be uncovered.

 

MGS has also advised that it has become aware that invalid or expired driver’s licences may function in the ServiceOntario kiosks, which would permit individuals to use invalid driver’s licences to change the address corresponding to a given licence and registration to a different address. As a result of this fact, MGS decided to shut down the driver’s licence change of address function available through the ServiceOntario kiosks.

 

Remedial steps taken by MGS

 

As noted above, once MGS became aware that multiple individuals had been subject to improper address changes through the ServiceOntario website, it decided to take down the online driver’s licence address change function, which took place on July 30, 2010.

 

MGS also decided to temporarily disable the address change function for driver’s licences available through the ServiceOntario kiosks on August 12, 2010.

 

MGS advised the IPC that it was looking at options for improving authentication and security for the driver’s licence address change function available on both the ServiceOntario website, and the ServiceOntario kiosks. MGS stated that both systems would remain shut down until the improvements had been implemented.

 

MGS further noted that it would be notifying the individuals who were the subject of the suspicious online address changes. Where MGS had current phone numbers, individuals were contacted by phone. Where no current phone numbers were available, letters were sent to the previous address requesting that the individual in question contact ServiceOntario. These letters stated that the recipient’s address had recently been changed online, and that ServiceOntario would like to verify this transaction. Once contact had been established and MGS was able to confirm that the transaction was, in fact, fraudulent, MGS sent those individuals information on how to protect themselves against identity theft. MGS further advised that new driver’s licences would be sent to individuals once the fraudulent address change had been confirmed.

 

As noted above, MGS has advised that it had identified a total of 96 suspicious address changes that have resulted in driver’s licences being issued. MGS has endeavoured to notify all of the affected individuals. To date, MGS has confirmed that 93 of these transactions did result in a driver’s licence being sent to an improper address and one of these suspicious transactions turned out to be legitimate. The remaining 2 individuals have not responded to the letter from MGS, and MGS has therefore not been able to conclusively determine whether these two address change transactions were legitimate.

 

MGS advised that it has assigned an investigator to interview individuals who had been subject to the improper address changes. The purpose of this investigation is to determine common links between individuals who were subject to this potential identity fraud. MGS further advised that they were working in partnership with a local police service to identify the perpetrators of the identity theft.

 

We commend MGS for its decision to shut down the address change function for driver’s licences available from both the ServiceOntario website as well as the ServiceOntario kiosks, and for its prompt response to this incident, including contacting affected individuals. We further note that MGS has co-operated fully with the IPC over the course of this investigation.

 

DISCUSSION:

 

The following issues were identified as arising from the investigation:

 

ISSUE A: Is the information on the Ontario Driver’s Licence “personal information” as defined in section 2(1) of the Act?

 

The information that appears on the Ontario driver’s licence includes the name of the licence holder, his or her address, date of birth, gender, and height. In addition, the Ontario driver’s licence contains a document control number and the driver’s licence number.

 

Section 2(1) of the Act states, in part:

 

“personal information” means recorded information about an identifiable individual, including,

 

(a) information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,

 

 

(c) any identifying number, symbol or other particular assigned to the individual,

 

(d) the address, telephone number, fingerprints or blood type of the individual,

 

 

(h)  the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual [emphasis added].

 

Based on the definition of personal information contained in section 2(1) of the Act, I am satisfied that the information contained on the Ontario driver’s licence clearly qualifies as personal information under the Act.  The Ministry does not dispute this conclusion.

 

ISSUE B: Was the disclosure of the “personal information” in accordance with section 42 of the Act?

 

The personal information that has been disclosed is the personal information on the driver’s licences sent to wrong addresses as a result of improper address changes on the ServiceOntario website.

 

Section 42 of the Act sets out a number of circumstances under which an institution is permitted to disclose personal information. None of the circumstances are present in this case because the disclosure that took place (provision of driver’s licences) occurred as a result of an improper address change.

 

Accordingly, I conclude that the provision of the driver’s licences to the incorrect addresses was not in accordance with section 42 of the Act. Again, the Ministry does not dispute this conclusion.

 

ISSUE C: Did MGS implement reasonable measures to prevent unauthorized access to records as required under section 4(1) of Ontario Regulation 460, made pursuant to the Act?

 

Section 4(1) of Ontario Regulation 460 states:

 

Every head shall ensure that reasonable measures to prevent unauthorized access to the records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.

 

This provision requires that institutions take steps to ensure that reasonable measures are in place to prevent unauthorized access to records that are in their custody. In this case, the records in question are the Ontario driver’s licences, which contain the personal information of individual licence holders.

 

As noted above, at the time of the incident, in order to authenticate that the individual requesting an address change was the actual licence holder, the ServiceOntario website required that individuals enter only their driver’s licence number as well as their current postal code, both of which appear on the driver’s licence.

 

Once this information had been provided, users were asked to provide their new mailing address. Once the new mailing address had been entered, a new driver’s licence, with the updated address, would be sent to the address provided. Clearly, any individual with access to the driver’s licence, or a copy, would be able to effect a change of address.

 

In my view, the measures in place on the ServiceOntario website that were used to authenticate that an individual changing the mailing address associated with a driver’s licence was the actual licence holder were insufficient, and do not constitute “reasonable measures to prevent unauthorized access to records” as required under section 4(1) of Ontario Regulation 460.

 

By entering a valid driver’s licence number and a corresponding postal code, a dishonest individual would have the ability to redirect a driver’s licence to an address for the purpose of committing identity theft.  As is now clear, this opportunity has been seized upon by dishonest individuals.

 

The risk of identity theft is exacerbated by the fact that individuals’ driver’s licence information may be available in a number of places. Individuals may be required to provide their driver’s licence number, or a photocopy of their driver’s licence, in a variety of circumstances.  Certain information, including driver’s licence numbers, can become available through public MTO searches. Similarly, an individual’s postal code is information that can be easily obtained through online directories. It is also notable that both postal codes and driver’s licence numbers appear on the front of the driver’s licence itself. In my view, the information required to access the change of address function should not be available on the driver’s licence itself, or through other publicly available sources.  By verifying the identity of a change of address requester with only the information visible on the driver’s licence, I am satisfied that the Ministry did not have a suitably robust process of authentication, particularly given the potentially serious impact of fraudulently issued licences.

 

On September 5, 2010, MGS introduced interim measures to permit the ServiceOntario website to once again allow individuals to change their driver’s licence address online. These measures included requiring the provision of information related to the individual’s Health Card in order to authenticate the identity of the driver’s licence holder. On September 26, 2010, MGS introduced additional measures, which now require individuals to successfully change the address for their Health Card prior to changing the address corresponding to their driver’s licence in one unified transaction. Under this system, information from the individual’s Health Card is used to change the address corresponding to the individual’s Health Card. Only when the Health Card change of address has been successfully validated does the system permit the change of address for the individual’s driver’s licence.

 

I am satisfied that these measures contain sufficient safeguards to allow the ServiceOntario website to permit online driver’s licence address changes. However, because these measures may not be available to every individual seeking to change their driver’s licence address, I will be recommending below that longer term solutions be examined to complement the existing authentication measures.

 

In addition, as noted above, at the time of the incident, the address change function for driver’s licences available through the ServiceOntario kiosks could only be accessed with a physical driver’s licence. However, testing by MGS revealed that the provision of expired or invalid driver’s licences would permit access to the address-change function at the kiosks. As a result, invalid driver’s licences that had been fraudulently obtained could be used to make further address changes even after the fraud had been discovered.

 

On September 5, 2010, the address change function on the ServiceOntario kiosks also became operational once again. MGS advised that address changes could now only take place after an individual has presented a valid driver’s licence at a kiosk.

 

I also have concerns with respect to the measures in place to detect, and report on, suspicious online transactions. As noted above, MGS reported that at least three individuals had had their driver’s licence address changed and then corrected on multiple occasions, and that this fact had not been reported internally.

 

I will therefore be recommending that MGS create and implement protocols to detect, and report on, suspicious address changes to individuals’ driver’s licences that have been facilitated through the ServiceOntario website.
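The two patterns this report describes (several licences redirected to one address, and a licence changed again after its holder had it corrected) can be checked for directly in an address-change log. The sketch below is an added illustration, not part of the IPC report or of any MGS system; the licence identifiers, addresses, event layout and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (licence id, date, old address, new address).
EVENTS = [
    ("DL-0001", "2010-02-01", "1 First St, Exampletown", "77 Derelict Rd., Exampletown"),
    ("DL-0002", "2010-02-15", "2 Second St, Exampletown", "77 derelict rd exampletown"),
    ("DL-0003", "2010-03-20", "3 Third St, Exampletown", "77 Derelict Rd, Exampletown"),
    ("DL-0004", "2010-04-10", "4 Fourth St, Exampletown", "77 DERELICT RD, EXAMPLETOWN"),
    ("DL-0001", "2010-06-05", "77 Derelict Rd., Exampletown", "1 First St, Exampletown"),
    ("DL-0001", "2010-07-12", "1 First St, Exampletown", "5 Empty Lot Ln, Exampletown"),
    ("DL-0005", "2010-03-01", "5 Fifth St, Exampletown", "9 Ninth Ave, Exampletown"),
    ("DL-0006", "2010-05-01", "6 Sixth St, Exampletown", "20 Maple Cres, Exampletown"),
    ("DL-0007", "2010-05-02", "6 Sixth St, Exampletown", "20 Maple Cres, Exampletown"),
]

def normalize(address):
    """Fold case, punctuation and spacing so variants of one address match."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", address.upper()).split())

def shared_destinations(events, min_licences=3, window_days=180):
    """Addresses that received changes from many distinct licences in one window."""
    by_addr = defaultdict(list)
    for lic, day, _old, new in events:
        by_addr[normalize(new)].append((datetime.strptime(day, "%Y-%m-%d"), lic))
    window = timedelta(days=window_days)
    flagged = {}
    for addr, hits in by_addr.items():
        hits.sort()
        for start, _lic in hits:
            in_window = {lic for ts, lic in hits if start <= ts <= start + window}
            if len(in_window) >= min_licences:
                flagged.setdefault(addr, set()).update(in_window)
    return {addr: sorted(lics) for addr, lics in flagged.items()}

def changed_again_after_correction(events):
    """Licences reverted to a previously held address and then changed again."""
    by_lic = defaultdict(list)
    for lic, day, old, new in events:
        by_lic[lic].append((day, normalize(old), normalize(new)))
    flagged = []
    for lic, changes in by_lic.items():
        changes.sort()                      # ISO dates sort chronologically
        held = {changes[0][1]}              # address on file before the first change
        corrected = False
        for _day, _old, new in changes:
            if corrected:                   # a further change after a correction
                flagged.append(lic)
                break
            if new in held:                 # reverting to an earlier address
                corrected = True
            held.add(new)
    return sorted(flagged)

if __name__ == "__main__":
    print("Shared destinations:", shared_destinations(EVENTS))
    print("Changed again after correction:", changed_again_after_correction(EVENTS))
```

The threshold of three licences keeps an ordinary household move (DL-0006 and DL-0007 in the sample) out of the review queue; flagged items are candidates for follow-up with the licence holder, not confirmed fraud.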

 

Based on all of the above, I conclude that MGS did not have reasonable measures in place to prevent unauthorized access to records as required under section 4(1) of Ontario Regulation 460 at the time that the improper disclosures of personal information were discovered.

 

CONCLUSION:

 

I have reached the following conclusions based on the results of my investigations:

 

A. The information in question qualifies as “personal information” under section 2(1) of the Act.

B. The disclosure of the personal information was not in accordance with section 42 of the Act.

C. MGS did not have reasonable measures in place to prevent unauthorized access to records as required under section 4(1) of Ontario Regulation 460.

D. The measures introduced to date contain sufficient authentication safeguards.


 

RECOMMENDATIONS:

 

1. I recommend that MGS continue to develop longer-term options for improving security respecting the online change of address function for driver’s licences available on the ServiceOntario website.

2. I recommend that MGS develop measures to better detect and report on suspicious changes of address to individuals’ driver’s licences. MGS should provide an explanation of these measures to the IPC.

 

MGS has implemented solutions that will permit both the ServiceOntario website and the kiosks to once again permit driver’s licence address changes with robust authentication measures in place. As noted above, I am satisfied that the solutions introduced to date contain sufficient safeguards to allow these systems to become operational once again. The IPC looks forward to continuing to work cooperatively with MGS on further enhancements made to the online address change function on the ServiceOntario website in the future.

 

By January 5, 2011, the institution should provide the Office of the Information and Privacy Commissioner with proof of compliance with the above recommendations.

 

 

 

 

 

Original signed by:

Mark Ratner
Investigator

October 5, 2010

 

 

 

 
