Two years ago, the Irish government fixed a vulnerability in the country's coronavirus vaccination portal that exposed the vaccination records of around 1 million residents. However, details of the vulnerability were not disclosed until this week after public coordination attempts with government agencies ended in a deadlock.
Security researcher Aaron Costello was interviewed by the Irish Health Service Executive (HSE) in December 2021, one year after mass vaccination against coronavirus disease (COVID-19) began in Ireland. The company said it had discovered a vulnerability in its new coronavirus vaccination portal.
Costello, who has deep expertise in securing Salesforce systems, currently works as a principal security engineer at AppOmni, a security startup with commercial interests in securing cloud systems.
In a blog post shared with TechCrunch ahead of publication, Mr Costello said a vulnerability in the vaccination portal built on Salesforce's health cloud could cause members of the public registered on the HSE vaccination portal to It said it could potentially access the health information of registered users. .
Mr Costello said the vaccine administration records for more than one million Irish residents included data such as name, vaccination details (including reasons for administering or refusing the vaccine), type of vaccination, and other information. He said that people can also access it. We also discovered that the HSE's internal documents were accessible to any user through the portal.
“Thankfully, the ability to see details of everyone's vaccination administration was not immediately obvious to regular users using the portal as intended,” Costello wrote.
The good news is that no one other than Costello discovered the bug, and a statement given to TechCrunch says the HSE has provided detailed information showing that “there was no unauthorized access or viewing of this data.” Access logs were kept.
“We fixed the misconfiguration the same day we were alerted,” HSE spokesperson Elizabeth Fraser said in a statement to TechCrunch when asked about the vulnerability.
“We consider that the data accessed by this individual is not sufficient to identify him unless additional data fields are exposed, and that in these circumstances a personal data breach report to the Data Protection Commission is not necessary. ” said an HSE spokesperson.
Ireland is subject to strict data protection laws under the European Union's GDPR regulations, which govern data protection and privacy rights across the EU.
The public release of Costello marks more than two years since the vulnerability was first reported. His blog post included a multi-year timeline revealing interactions between various government departments that have been reluctant to make public requests. He was ultimately told that the government would not publicize this bug as if it did not exist.
Organizations are not obligated, even under the GDPR, to disclose vulnerabilities that do not result in mass theft or access to sensitive data and do not meet the legal requirements for an actual data breach. That being said, security is often built on the knowledge of others, especially those who have experienced security incidents themselves. Sharing that knowledge could help other organizations avoid being exposed to similar risks that go unnoticed, and why security researchers tend to lean toward public disclosure to prevent a repeat of past mistakes. I will explain what is there.