Serious data leak in Slovakia: the corona test results of almost 400,000 Slovaks were publicly accessible on the Internet. Hackers are no longer needed when personal data is handled this carelessly.
Deutsche Welle reports on the case in the Corona Ticker and writes there in English:
Slovakia: The personal data of about 400,000 people who were tested for the coronavirus was leaked online after a cybersecurity breach of the state public health system.
The data leaked included names, dates of birth, addresses, test results, information on disease progression and other laboratory data.
The breach has now been repaired, authorities reported.
IT specialist Pavol Luptak came across the data by chance. He writes on Twitter that the personal data of Slovaks tested for COVID-19 was found publicly accessible.
A coronavirus app exposed this personal data. The English-language Slovak Spectator reported on the data breach in Slovakia. In the Moje eZdravie app the security researchers found a trivial vulnerability, as they write in this blog post. The vulnerability allowed them to retrieve personal information on more than 390,000 patients tested for COVID-19 in Slovakia. For their demonstration they retrieved personal information on more than 130,000 patients, more than 1,600 of whom had tested positive for COVID-19.
The personal information obtained for each patient includes first and last name, birth number (the national personal identifier), date of birth, sex, mobile phone number, place of residence, details of clinical symptoms (pneumonia, fever, cough, malaise, rhinitis, headache, joint and muscle pain), sample codes, the exact date of sampling, the laboratory that performed the test, the requesting physician, the protocol number, the dates of receipt and examination, the type of test and, of course, its result.
The vulnerability really was trivially exploitable: the API that served the data could be called by any public search engine, so the records of tested patients were indexed by the search engine and could be viewed there. Access to the API was not protected by any authentication. Patient records could be retrieved simply by enumerating a numerical identifier. There were apparently no mechanisms preventing mass download of the data, and all data were returned in unencrypted form. The security researchers reported the vulnerability on 13 September 2020 through the official CSIRT channel, after which public access to the data was blocked on 16 September 2020.
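To make the three weaknesses concrete (sequential numeric identifier, no authentication, no limit on mass download), here is an added example written for this post. It is not the Moje eZdravie code and not the researchers' code; the records, patient identities and class names (`VulnerableApi`, `HardenedApi`, `RateLimiter`) are constructed for illustration, and the hardened version assumes that patient identity has already been verified upstream before `login` is called.

```python
"""Added example: an enumerable, unauthenticated record lookup next to a
hardened version.  Illustrative code only; not the Moje eZdravie application.
All records below are made up."""
import secrets
import time

# Constructed sample data: sequential ids, as described in the text.
RECORDS = {
    1001: {"patient": "p-a", "name": "A. Nobody", "result": "negative"},
    1002: {"patient": "p-b", "name": "B. Nobody", "result": "positive"},
    1003: {"patient": "p-c", "name": "C. Nobody", "result": "negative"},
}


class VulnerableApi:
    """The pattern the text describes: a numeric, sequential identifier,
    no authentication, no rate limit.  Anyone, including a crawler, can
    walk the id space."""

    def get_record(self, record_id):
        return RECORDS.get(record_id)


def enumerate_records(api, start, stop):
    """What an attacker (or a search-engine crawler) does against VulnerableApi."""
    found = {}
    for rid in range(start, stop):
        rec = api.get_record(rid)
        if rec is not None:
            found[rid] = rec
    return found


class RateLimiter:
    """Token bucket per client key: `rate` requests per second, `burst` at most.
    The clock is injectable so behaviour is deterministic in tests."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self._buckets = {}  # key -> (tokens, last_seen)

    def allow(self, key):
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._buckets[key] = (tokens, now)
            return False
        self._buckets[key] = (tokens - 1, now)
        return True


class HardenedApi:
    """One fix per weakness: an authenticated session tied to the record's
    owner, an opaque unguessable handle instead of the sequential id, and a
    per-client rate limit.  Responses also tell crawlers and caches to keep
    nothing."""

    NOINDEX_HEADERS = {"X-Robots-Tag": "noindex, nofollow",
                       "Cache-Control": "no-store"}

    def __init__(self, limiter):
        self.limiter = limiter
        self._sessions = {}  # session token -> patient identity
        self._handles = {}   # opaque handle -> sequential record id

    def login(self, patient):
        # Assumption: identity was verified upstream; here we only mint the token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = patient
        return token

    def handle_for(self, record_id):
        # 256-bit random handle goes into the link sent to the patient;
        # the sequential id never leaves the server.
        handle = secrets.token_urlsafe(32)
        self._handles[handle] = record_id
        return handle

    def get_record(self, session_token, handle, client_ip):
        if not self.limiter.allow(client_ip):
            return {"status": 429, "record": None, "headers": self.NOINDEX_HEADERS}
        patient = self._sessions.get(session_token)
        if patient is None:
            return {"status": 401, "record": None, "headers": self.NOINDEX_HEADERS}
        record = RECORDS.get(self._handles.get(handle))
        # An unknown handle and someone else's record look identical to the
        # caller, so the response never confirms that a record exists.
        if record is None or record["patient"] != patient:
            return {"status": 404, "record": None, "headers": self.NOINDEX_HEADERS}
        return {"status": 200, "record": record, "headers": self.NOINDEX_HEADERS}


if __name__ == "__main__":
    print("leaked by enumeration:", len(enumerate_records(VulnerableApi(), 1000, 1010)))
    api = HardenedApi(RateLimiter(rate=1.0, burst=3))
    sess, own = api.login("p-a"), api.handle_for(1001)
    print("own record:", api.get_record(sess, own, "203.0.113.7")["status"])
    print("no session:", api.get_record("bogus", own, "203.0.113.7")["status"])
```

The enumeration loop is the whole attack against the vulnerable lookup: ten guesses yield three records, and nothing distinguishes a crawler from a patient. Against the hardened lookup the same loop has nothing to iterate over, a missing or foreign session gets a uniform error, and the per-client bucket caps how fast anyone can try, so a mass download would show up as a wall of 429 responses in the logs rather than as an indexed copy of the database.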