A bug in an Irish government website that exposed COVID-19 vaccination records took two years to publicly disclose
Reading Time: 2 minutesThe Irish government fixed a vulnerability two years ago in its national COVID-19 vaccination portal that exposed the vaccination records of around a million residents. But details of the vulnerability weren’t revealed until this week after attempts to coordinate public disclosure with the government agency stalled and ended.
Security researcher Aaron Costello said he discovered the vulnerability in the COVID-19 vaccination portal run by the Irish Health Service Executive (HSE) in December 2021, a year after mass vaccinations against COVID-19 began in Ireland.
Costello, who has deep expertise in securing Salesforce systems, now works as a principal security engineer at AppOmni, a security startup with a commercial interest in securing cloud systems.
Costello said the vaccine administration records of over a million Irish residents were accessible to anyone else, including full names, vaccination details (including reasons for administering or refusals to take vaccines), and the type of vaccination, among other types of data. He also found internal HSE documents were accessible to any user through the portal.
‘Thankfully, the ability to see everyone’s vaccination administration details was not immediately obvious to regular users who were using the portal as intended,’ Costello wrote.
‘The data accessed by this individual was insufficient to identify any person without additional data fields being exposed and, in these circumstances, it was determined that a Personal Data Breach report to the Data Protection Commission was not required,’ said the HSE spokesperson.
Ireland is subject to strict data protection laws under the European Union’s GDPR regulation, which governs data protection and privacy rights across the EU.
Costello’s public disclosure marks more than two years since first reporting the vulnerability. His blog post included a multi-year timeline revealing a back and forth between various government departments that were unwilling to take claim to public disclosure. He was ultimately told that the government would not publicly disclose the bug as though it never existed.
Organizations are not obligated, even under GDPR, to disclose vulnerabilities that have not resulted in a mass theft or access of sensitive data and fall outside of the legal requirements of an actual data breach. That said, security is often built off the knowledge of others, especially those who have experienced security incidents themselves. Sharing that knowledge could help prevent similar exposures at other organizations who might otherwise go unaware, and why security researchers tend to lean towards public disclosure to prevent a repeat of mistakes from yesteryear.
Reference: https://techcrunch.com/2024/03/13/security-flaw-irish-government-hse-covid-19/
Ref: techcrunch
MediaDownloader.net -> Free Online Video Downloader, Download Any Video From YouTube, VK, Vimeo, Twitter, Twitch, Tumblr, Tiktok, Telegram, TED, Streamable, Soundcloud, Snapchat, Share, Rumble, Reddit, PuhuTV, Pinterest, Periscope, Ok.ru, MxTakatak, Mixcloud, Mashable, LinkedIn, Likee, Kwai, Izlesene, Instagram, Imgur, IMDB, Ifunny, Gaana, Flickr, Febspot, Facebook, ESPN, Douyin, Dailymotion, Buzzfeed, BluTV, Blogger, Bitchute, Bilibili, Bandcamp, Akıllı, 9GAG