- News Release
EDMONTON, AB — A new report released today by the Auditor General of Alberta found that while the government has processes to manage users of its online Alberta.ca Account and to provide secure access to it, not all of those processes were effective, and several can be improved.
“There are over 3.7 million personal and approximately 75,000 business Alberta.ca Accounts that can access 70 government online programs, services, and products using a single username and password,” said Auditor General Doug Wylie. “Albertans should be confident that the department keeps their information safe and secure when they access government online programs through their Alberta.ca Account.”
The Auditor General report found that the Department of Technology and Innovation (responsible for the Alberta.ca Account):
- had automated controls for identity proofing and account management that sometimes failed, and the department did not detect the control failures
- should strengthen its encryption controls
- had effective processes to authenticate users and manage credentials
- had ineffective processes for adding programs and setting and enforcing governance standards
- does not comprehensively monitor all systems supporting the Alberta.ca Account
The Auditor General made four recommendations: that the department periodically test its automated controls, strengthen its data encryption controls, improve program onboarding and governance practices, and enhance monitoring of the systems that support the Alberta.ca Account.
“Cybersecurity incidents and systems errors could expose confidential data and cause system failures, making the Alberta.ca Account and the government programs and services that use it unavailable,” said Wylie. “We have identified areas where controls can be improved to better safeguard and manage user information and systems in an environment where access to online services continues to grow.”
Alberta.ca Account (formerly known as My Alberta Digital ID) is a digital account managed by the Department of Technology and Innovation. Launched in 2015, Alberta.ca Account (Personal or Business) lets users register and manage a personal or business account. In 2017, the department introduced a process for users of personal accounts to verify their identity information, including name, mailing address, date of birth, and gender, by cross-referencing it against data from Alberta’s Motor Vehicle System.
The Alberta.ca Account Performance Audit report is available here.
-30-
NOTE: Please see the following Summary of Report Findings for additional information.
Appointed under Alberta’s Auditor General Act, the Auditor General is the legislated auditor of the Consolidated Financial Statements of the Province of Alberta and most provincial agencies, boards, commissions, and regulated funds. The work of the office improves performance and promotes accountability within government by making recommendations that can result in better outcomes, better services, and better programs for Albertans.
For more information, please contact:
Cheryl Schneider, Executive Director, Engagement and Communications
Mobile: 780.399.0554 | Email: cschneider@oag.ab.ca
SUMMARY OF REPORT FINDINGS
Enrollment and Identity Proofing (p. 4)
Key findings
The department:
- uses automated processes to consistently enroll users and obtain their consent (p. 4)
- transmits identity information from Motor Vehicle System to Alberta.ca Account securely (p. 4)
- had automated controls for identity proofing and account management that sometimes failed, and the department didn’t detect the control failures (p. 5)
- should strengthen its controls to encrypt some of its data (p. 5)
Recommendation
We recommend that the Department of Technology and Innovation periodically test its automated controls to ensure they are operating as intended. (p. 5)
Consequences of Not Taking Action
When automated controls are not reviewed and do not function properly, errors in the verification process and in account management may go unnoticed, leaving users with verified accounts for longer than they should have them or leaving unused accounts active when they should have been deactivated. Dormant accounts that remain active can be exploited, increasing the risk of identity theft and ultimately eroding trust in the service. (p. 5)
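The two failure modes named above (a verification that outlives its validity period, and a dormant account that is never deactivated) are exactly the kind of silent control failure that only a periodic test will surface. The following is an added illustration of such a self-test, not code from the report or from the department: it walks a set of constructed account records and reports every record where an automated control should have acted but did not. The validity window, the inactivity limit, the record layout, and the sample accounts are all assumptions made for the example and are not figures or data from the audit.

```python
"""Periodic self-test for two automated account-management controls.

Added example (not from the Auditor General's report or the department's
systems). VERIFICATION_VALID_DAYS and INACTIVITY_LIMIT_DAYS are assumed
policy values; the Account layout and SAMPLE_ACCOUNTS are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

VERIFICATION_VALID_DAYS = 365   # assumed: a verification should not stay valid past this
INACTIVITY_LIMIT_DAYS = 730     # assumed: an account unused this long should be deactivated


@dataclass
class Account:
    account_id: str
    created_on: date
    verified: bool                 # what the system currently asserts
    verified_on: Optional[date]    # when verification was last performed
    active: bool                   # False once the deactivation control has run
    last_login: Optional[date]


def control_failures(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account_id, failure_type) for every record where a control
    should have changed the account state but the state still says otherwise."""
    failures = []
    for a in accounts:
        # Control 1: a verified flag must carry a verification date and must
        # have been refreshed inside the validity window.
        if a.verified:
            if a.verified_on is None:
                failures.append((a.account_id, "verified_without_date"))
            elif (today - a.verified_on).days > VERIFICATION_VALID_DAYS:
                failures.append((a.account_id, "verification_expired"))
        # Control 2: an account with no activity past the inactivity limit
        # must already be deactivated. Creation counts as activity so a brand
        # new account that has never logged in is not flagged as dormant.
        if a.active:
            last_activity = a.last_login or a.created_on
            if (today - last_activity).days > INACTIVITY_LIMIT_DAYS:
                failures.append((a.account_id, "dormant_not_deactivated"))
    return failures


# Constructed sample data: each record exercises one branch of the test.
SAMPLE_ACCOUNTS = [
    Account("A1", date(2020, 2, 1), True, date(2024, 1, 10), True, date(2024, 5, 20)),   # healthy
    Account("A2", date(2019, 7, 3), True, date(2022, 3, 1), True, date(2024, 5, 1)),     # verification stale
    Account("A3", date(2018, 9, 9), False, None, True, date(2021, 1, 15)),               # dormant, still active
    Account("A4", date(2018, 9, 9), False, None, False, date(2021, 1, 15)),              # dormant, correctly deactivated
    Account("A5", date(2024, 5, 1), True, None, True, None),                             # verified flag with no date
]
AS_OF = date(2024, 6, 1)


def run_control_test(accounts: List[Account] = SAMPLE_ACCOUNTS, today: date = AS_OF) -> dict:
    """Summarise failures by type; an empty summary means both controls held."""
    return dict(Counter(kind for _, kind in control_failures(accounts, today)))


if __name__ == "__main__":
    for account_id, kind in control_failures(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{account_id}: {kind}")
    print("summary:", run_control_test())
```

Scheduling a test like this against a fresh extract of account records, and treating any non-empty summary as an incident rather than a report to file, is what turns "the controls sometimes failed" from an audit finding into something the operating team sees first.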
Recommendation
We recommend that the Department of Technology and Innovation strengthen its data encryption controls. (p. 5)
Consequences of Not Taking Action
Storing information without encryption or using weak encryption methods increases the impact of data breaches and unauthorized access to information. (p. 5)
Authentication (p. 6)
Key findings
- The department effectively manages login credentials and mitigates authenticator threats through its controls. (p. 6)
Safely Sharing User Data and Establishing Trust Relationships (p. 6)
Key findings
The department:
- uses secure protocols to protect user data exchanged with programs (p. 7)
- has ineffective onboarding and governance processes (p. 7)
Recommendation
We recommend that the Department of Technology and Innovation improve program onboarding and governance practices by ensuring completion and formal review of onboarding documents, developing a risk assessment process for service integration, and defining roles and responsibilities. (p. 9)
Consequences of Not Taking Action
Inadequate vetting of programs may introduce security vulnerabilities and reduce functionality across the connected systems, degrading both the program and the user experience. It can also undermine trust in the service and leave accountability unclear when issues arise. (p. 9)
Monitoring (p. 9)
Key findings
The department:
- generates audit logs of identity-related events (p. 9)
- does not comprehensively monitor some of the systems that support the account (p. 10)
Recommendation
We recommend that the Department of Technology and Innovation enhance monitoring practices for all Alberta.ca Account systems. (p. 10)
Consequences of Not Taking Action
Cybersecurity incidents and system errors may go undetected for a long time. This could expose confidential data and cause system failures, making Alberta.ca Account and government programs and services that use it unavailable. (p. 10)