Over 3.7 million accounts

Auditor General: Improvements needed to strengthen management of Alberta.ca Accounts

Jul 10, 2024 | 3:27 PM

By: Office of the Auditor General

A new report released today by the Auditor General of Alberta found that while the government has processes to manage users and provide secure access to its online Alberta.ca Account, not all processes were effective and can be improved.

“There are over 3.7 million personal and approximately 75,000 business Alberta.ca Accounts that can access 70 government online programs, services, and products using a single username and password,” said Auditor General Doug Wylie. “Albertans should be confident that the department keeps their information safe and secure when they access government online programs through their Alberta.ca account.”

The Auditor General report found that the Department of Technology and Innovation (responsible for the Alberta.ca Account):

  • had automated controls for identity proofing and account management that sometimes failed, and the department didn’t detect the control failures
  • should strengthen its encryption controls
  • had effective processes to authenticate users and manage credentials
  • had ineffective processes for adding programs and setting and enforcing governance standards
  • does not comprehensively monitor all systems supporting the Alberta.ca Account

The Auditor General made four recommendations for the department: test automated controls; strengthen data encryption controls; improve program onboarding and governance practices; and enhance monitoring of systems.

“Cybersecurity incidents and systems errors could expose confidential data and cause system failures, making the Alberta.ca Account and the government programs and services that use it unavailable,” said Wylie. “We have identified areas where controls can be improved to better safeguard and manage user information and systems in an environment where access to online services continues to grow.”

Alberta.ca Account (formerly known as My Alberta Digital ID) is a digital account managed by the Department of Technology and Innovation.

Officials say that since 2015, the Alberta.ca Account (Personal or Business) has let users register and manage their personal or business accounts. In 2017, the department introduced a process for users of personal accounts to verify their information, including name, mailing address, date of birth, and gender, by cross-referencing it with data from Alberta’s Motor Vehicle System.

Summary of Report Findings 

The department:

  • uses automated processes to consistently enroll users and obtain their consent (p. 4)
  • transmits identity information from the Motor Vehicle System to the Alberta.ca Account securely (p. 4)
  • had automated controls for identity proofing and account management that sometimes failed, and the department didn’t detect the control failures (p. 5)
  • should strengthen its controls to encrypt some of its data (p. 5)

Recommendation

We recommend that the Department of Technology and Innovation periodically test its automated controls to ensure they are operating as intended. (p. 5)

Consequences of Not Taking Action

When automated controls are not reviewed and do not function properly, errors in the verification process and account management may occur, leading to users maintaining verified accounts longer than they should or accounts not being deactivated when unused. This can lead to increased risk of identity theft as these dormant accounts can be exploited, ultimately eroding trust in the service. (p. 5)

Recommendation

We recommend that the Department of Technology and Innovation strengthen its data encryption controls. (p. 5)

Consequences of Not Taking Action

Storing information without encryption or using weak encryption methods increases the impact of data breaches and unauthorized access to information. (p. 5)

Authentication (p. 6)

Key findings

  • The department effectively manages login credentials and mitigates authenticator threats through its controls. (p. 6)

Safely Sharing User Data and Establishing Trust Relationships (p. 6)

Key findings

The department:

  • uses secure protocols to protect user data exchanged with programs (p. 7)
  • has ineffective onboarding and governance processes (p. 7)

Recommendation

We recommend that the Department of Technology and Innovation improve program onboarding and governance practices by ensuring completion and formal review of onboarding documents, developing a risk assessment process for service integration, and defining roles and responsibilities. (p. 9)

Consequences of Not Taking Action

Inadequate vetting of programs may lead to greater security vulnerabilities and reduced functionality among systems, reducing both program and user experience. It can also undermine trust in the service and lead to a lack of accountability when issues arise. (p. 9)

Monitoring (p. 9)

Key findings

The department:

  • generates audit logs of identity-related events (p. 9)
  • does not comprehensively monitor some systems (p. 10)

Recommendation

We recommend that the Department of Technology and Innovation enhance monitoring practices for all Alberta.ca Account systems. (p. 10)

Consequences of Not Taking Action

Cybersecurity incidents and system errors may go undetected for a long time. This could expose confidential data and cause system failures, making Alberta.ca Account and government programs and services that use it unavailable. (p. 10)

The entire report is available online at oag.ab.ca.

Nate Glubish, Minister of Technology and Innovation, released a statement Wednesday responding to the AG’s report:

“Alberta aims to be the most innovative jurisdiction in Canada; we have steadily been upgrading our technology systems to deliver better, faster, and smarter services to Albertans. We agree with the recommendations from the Auditor General and have already taken steps to ensure that we meet or exceed their recommendations.”