The directory of the Union des artistes (UDA), publicly accessible on the Internet, has been a veritable trove of personal information for over a year.
Behind the official profiles at bottin.uda.ca, La Presse found that with a simple click, available to any Internet user, one could easily obtain the home address, date of birth, email and private telephone numbers of most of the roughly 14,000 Quebec artists, actors, musicians, dancers and entertainers listed there.
Subsequent checks confirmed, in more than a hundred cases, that this personal information was accurate.
Informed of the flaw early Wednesday morning, the UDA quickly corrected the situation. By around 12:30 p.m., La Presse was able to confirm that the sensitive information was no longer accessible.
“I don’t take this lightly: it’s important, it’s serious,” admitted Alexandre Curzi, director general of the UDA. “What reassures me is that this is not banking information.”
This personal information has been accessible since the new version of the site went online in April 2023.
Keyven Ferland, president of the IT firm that built the site, founded in Alma in 2010, says that security tests were nevertheless carried out but never flagged this error.
Essentially, he explained, this information should have been restricted to authorized users, not the general public. Closing the hole took only a few minutes.
“There is no bad intention there,” the president of the Web Shop insists. “On the contrary: we have always aimed to respect the highest security standards.”
Éric Parent, CEO of the firm Eva Technologies and a cybersecurity expert, was able to examine the leaky version of the directory before it was corrected. He was stunned. “This is the first time I’ve seen something like this. This is 2000% wrong, this is not acceptable, there is nothing normal about this.”
The UDA directory contains exactly 13,912 artist profiles, which can be searched by keyword. Each profile presents public information such as the official photo, the artist’s agency with its office contact details, specialties, and sometimes a curriculum vitae.
Before the fix, however, other hidden information could easily be revealed. All you had to do was ask the browser to display the page’s underlying structure, its “source code,” a command available in any browser (see the “What is source code?” sidebar). In other words, data the page never displayed was nonetheless sent, in the clear, to every visitor’s browser.
An important clarification: La Presse used no advanced IT expertise or hacking techniques to find this information.
The discovery was made by Jean-Hugues Roy, a journalism professor at the Université du Québec à Montréal. For his data journalism course, he had to analyze the Union des artistes directory as part of a student’s assignment. It was while examining the source code of the artist profiles that he realized hidden information appeared there. Source code like this often makes it possible to automate the collection of information from public websites, a practice known as scraping or “harvesting”.
“I’ve been collecting data for 12 years, and I’ve never seen a case like this,” explains Professor Roy. “I’ve looked at websites that give a lot of information, but I didn’t expect to find so much. The company that made this site should never have let this personal information pass in the clear [unencrypted].”
The UDA may have violated provisions of Law 25 on the protection of personal information, which came into force in September 2022. Among other things, the law requires organizations to apply “the highest level of confidentiality, without any intervention from the person concerned,” and to “obtain expressly formulated consent before using sensitive personal information for a purpose other than those for which it was collected.”
They must also notify the Commission d’accès à l’information (CAI) “and the persons concerned” of any confidentiality incident involving personal information they hold.
Law 25 provides for a maximum administrative penalty of $10 million or 2% of worldwide turnover, whichever is greater.
The CAI declined to say whether a case like that of the UDA directory would constitute a violation of Law 25. At most, it agreed to provide general explanations about such files by email.
“Personal information is confidential,” it wrote. “From collection to destruction, personal information must be rigorously protected.”
The CAI, it noted, can conduct investigations following an anonymous complaint or on its own initiative.