The directory of the Union of Artists (UDA), accessible to the public on the internet, has been leaking personal information for more than a year.
Behind the official files at bottin.uda.ca, La Presse found that, with a simple click within the reach of any Internet user, one could easily find the home address, date of birth, email and private telephone number of most of the approximately 14,000 artists, actors, musicians, dancers and Quebec entertainers who appear there.
Subsequent searches have confirmed, on more than a hundred occasions, that this personal information was accurate.
Informed of this flaw early Wednesday morning, the UDA quickly corrected the situation. Around 12:30 p.m., La Presse was able to confirm that the sensitive information was no longer accessible.
“I don’t take this lightly: it’s important, it’s serious,” admitted Alexandre Curzi, director general of the UDA. “What reassures me is that this is not banking information.”
There is no indication that this information could have been used for malicious purposes, says Mr. Curzi. He mentions a “human error” at the firm responsible for redesigning the site from 2022, the Web Shop.
It is since this new version of the site was put online, in April 2023, that this personal information has been accessible.
“No bad intention”
The president of this IT firm founded in Alma in 2010, Keyven Ferland, assures that security tests were nevertheless carried out, but that they never flagged this error.
Essentially, he explained, this information should have been restricted to authorized users, not the general public. It took only a few minutes to close the hole.
“There is no bad intention in that,” assures the president of the Web Shop. “On the contrary: we have always had the objective of respecting the highest security standards.”
Éric Parent, CEO of the firm Eva Technologies and cybersecurity expert, was able to consult the leaky version of the directory before it was corrected. He was stunned. “This is the first time I’ve seen something like this. This is 2000% wrong, this is not acceptable, there is nothing normal about it.”
Poorly hidden in code
The UDA directory contains precisely 13,912 artist files, which can be filtered by keyword using a search engine. The files that can then be consulted present public information such as the official photo, the artist’s agency with its office contact details, specialties, and sometimes a curriculum vitae.
Before the fix, however, other hidden information could easily be revealed. All you had to do was ask the browser to display the structure of the web page, its “source code”, a command available in any browser (see the capsule “What is source code?”).
By searching this code for keywords, we found, in clear text, the artist’s private email, sometimes the address of their residence and their telephone number. Every file also included, in the code, the artist’s date of birth.
An important clarification: La Presse did not use any advanced computer expertise or hacking techniques to find this information.
It was Jean-Hugues Roy, journalism professor at the University of Quebec in Montreal, who made this discovery. For his course on data journalism, he had to analyze the directory of the Union of Artists as part of a student’s work. It was by examining the source code of the artist files that he realized that hidden information appeared there. This source code often makes it possible to automate the collection of information from public websites, a practice known as “scraping”.
“I’ve been collecting data for 12 years, I’ve never seen a case like this,” explains Professor Roy. “I look at some websites that give a lot of information, but I didn’t expect to have so much. The company that made this site should never have let this personal information pass unencrypted.”
Law 25 and sanctions
The UDA may have violated the provisions of Law 25 regarding the protection of personal information, which came into force in September 2022. This law notably requires organizations to apply “the highest level of confidentiality, without any intervention from the person concerned”, and they “must obtain expressly formulated consent before using sensitive personal information for a purpose other than those for which it was collected”.
They must also notify the Commission for Access to Information (CAI) “and the persons concerned” of any confidentiality incident involving personal information they hold.
Law 25 provides for a maximum administrative penalty of $10 million, or 2% of turnover.
The CAI declines to say whether a case like that of the UDA directory would constitute a violation of Law 25. At most, it agreed to provide general details about such cases by email.
“Personal information is confidential,” it writes. “From collection to destruction, personal information must be rigorously protected.”
The CAI notes that it can carry out investigations following an anonymous complaint or on its own initiative.
What is source code?
The source code is the set of computer instructions which, read by a browser such as Safari, Chrome or Edge, produces the readable display of a web page. The source code indicates, for example, the text, photos and hyperlinks that will appear to the Internet user. All browsers have a command that gives access to this code from what is publicly displayed.
In the case of the UDA directory, tons of personal information were hidden there, more precisely on line 108. You could find, for example, the artist’s date of birth simply by searching for the keyword “birthday”. By searching for the @ character, several email addresses could be found, most of them official and public, but some personal.
All you had to do was search for area codes like 514 or 450 to find the artist’s home phone number. Finally, and more worryingly, searching for the expression “street_line” gave, in the majority of cases, an address that was not that of the agency. On verification, in around twenty cases, it was the artist’s residence.
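The capsule above describes a classic pattern: the server builds the page from the full artist record, so private fields travel to every visitor inside the HTML source even though they are not displayed. The Python below is an added example, not code from the UDA site, the Web Shop or La Presse. It shows the flawed rendering beside the fix the page describes (restricting the data before the page is built), plus two defender-side checks that a site owner can run on their own rendered pages before release. The record is constructed; apart from the keys “birthday” and “street_line”, which the article names, every field name is an assumption.

```python
import html
import json
import re

# Constructed sample record (not a real artist). Keys "birthday" and
# "street_line" mirror those named in the article; the others are assumed.
SAMPLE_RECORD = {
    "name": "Example Artist",
    "agency": "Example Agency Inc.",
    "agency_phone": "514-555-0100",
    "specialties": ["acting", "voice"],
    "email": "private.person@example.com",   # private contact
    "phone": "450-555-0199",                 # home number
    "birthday": "1980-01-31",
    "street_line": "123 Example Street, Montreal",
}

# Allowlist of fields that may be sent to an anonymous visitor.
PUBLIC_FIELDS = ("name", "agency", "agency_phone", "specialties")


def render_vulnerable(record):
    """Flawed pattern: the whole record is serialized into the page for the
    front-end script. Only the public fields are *displayed*, but every
    field is present in the source code any visitor can view."""
    return (
        "<html><body>"
        f"<h1>{html.escape(record['name'])}</h1>"
        f"<p>{html.escape(record['agency'])}</p>"
        "<script>var profile = " + json.dumps(record) + ";</script>"
        "</body></html>"
    )


def public_view(record, allowed=PUBLIC_FIELDS):
    """Project a record onto its public fields. Done server-side, before
    rendering, so nothing else can reach the browser."""
    return {key: record[key] for key in allowed if key in record}


def render_hardened(record):
    """Same page, built only from the public projection. Hiding a field with
    CSS or an HTML comment would not help; the data must not be sent at all."""
    view = public_view(record)
    return (
        "<html><body>"
        f"<h1>{html.escape(view['name'])}</h1>"
        f"<p>{html.escape(view['agency'])}</p>"
        "<script>var profile = " + json.dumps(view) + ";</script>"
        "</body></html>"
    )


# Check 1: look for sensitive key names and contact patterns in served HTML.
# Generalized beyond the article's 514/450 area codes to any NANP-style number.
SENSITIVE_KEYS = ("birthday", "street_line", "date_of_birth")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")


def audit_page(page_html, public_contacts=()):
    """Return findings for a rendered page. Contact values listed in
    public_contacts (e.g. the agency's office number) are not reported."""
    findings = []
    for key in SENSITIVE_KEYS:
        if key in page_html:
            findings.append(f"key:{key}")
    for match in EMAIL_RE.findall(page_html):
        if match not in public_contacts:
            findings.append(f"email:{match}")
    for match in PHONE_RE.findall(page_html):
        if match not in public_contacts:
            findings.append(f"phone:{match}")
    return findings


# Check 2: compare the page against the source record. Any non-public value
# that appears verbatim in the page is a leak, regardless of its format.
def leaked_private_values(record, page_html, allowed=PUBLIC_FIELDS):
    """Return the names of non-public fields whose value is in the page."""
    return [
        key for key, value in record.items()
        if key not in allowed and isinstance(value, str) and value in page_html
    ]


if __name__ == "__main__":
    for label, page in (("vulnerable", render_vulnerable(SAMPLE_RECORD)),
                        ("hardened", render_hardened(SAMPLE_RECORD))):
        print(label, audit_page(page, public_contacts=("514-555-0100",)),
              leaked_private_values(SAMPLE_RECORD, page))
```

The second check is the more reliable of the two for a site owner, because it does not depend on guessing key names or formats: it takes the records the site already holds and asks whether anything outside the allowlist reached the page. Run against the flawed rendering it names the email, phone, birthday and street fields; against the projected rendering it returns nothing.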