A critical flaw in Ireland’s COVID-19 vaccination portal, which allowed access to personal vaccination records of about a million people, was rectified by the Irish government two years ago but only came to light recently after disclosure coordination efforts with the responsible agency broke down.
Security expert Aaron Costello found the vulnerability in December 2021 in the online COVID-19 vaccination platform managed by the Irish Health Service Executive (HSE). Mass vaccinations in Ireland had been under way for about a year before his discovery.
Costello, who has a strong background in securing Salesforce systems and currently serves as a principal security engineer at AppOmni, detected a security lapse in the configuration of the vaccination portal's Salesforce Health Cloud deployment. The lapse made it possible for users of the HSE vaccination portal to access other users' health data, even inadvertently.
He found that sensitive information, such as names, vaccination status, the type of vaccine administered, and internal HSE documents, could be viewed by any portal user. Costello described this in a blog post shared in advance with TechCrunch.
Costello notes, with relief, that no one other than himself exploited the flaw, and that the HSE had comprehensive access logs showing no unauthorized viewing of data and no breach.
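The HSE's conclusion rested on access logs: if any portal user read a record belonging to someone else, the logs would show it. As an added illustration (not code from the article, from Costello, or from the HSE, and using a constructed log format rather than Salesforce's real audit schema), the following script scans portal access events for reads where the acting user is not the owner of the record, excluding principals that are legitimately allowed to read across accounts. Field names, user ids and the privileged-actor list are all assumptions.

```python
"""Flag cross-user record reads in a portal access log.

Constructed, hypothetical log format (not the HSE's or Salesforce's):
one JSON object per line with the acting user, the record read, and the
user the record belongs to. A read where actor != owner by an
unprivileged actor is a candidate horizontal-access event to review.
"""
import json
from collections import defaultdict

# Constructed sample log lines; field names and ids are assumptions.
SAMPLE_LOG = """\
{"ts": "2021-12-10T09:01:00Z", "actor": "u100", "object": "VaccinationRecord", "record": "r1", "owner": "u100"}
{"ts": "2021-12-10T09:02:00Z", "actor": "u100", "object": "VaccinationRecord", "record": "r2", "owner": "u200"}
{"ts": "2021-12-10T09:03:00Z", "actor": "u300", "object": "VaccinationRecord", "record": "r3", "owner": "u300"}
{"ts": "2021-12-10T09:04:00Z", "actor": "u100", "object": "InternalDocument", "record": "d1", "owner": "hse-admin"}
{"ts": "2021-12-10T09:05:00Z", "actor": "staff42", "object": "VaccinationRecord", "record": "r2", "owner": "u200"}
"""

# Constructed: principals permitted to read records they do not own
# (e.g. clinic staff). Everyone else is expected to see only their own data.
PRIVILEGED_ACTORS = {"staff42"}


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        events.append(json.loads(line))
    return events


def cross_user_reads(events, privileged=PRIVILEGED_ACTORS):
    """Return events where an unprivileged actor read a record owned by someone else."""
    return [
        e for e in events
        if e["actor"] not in privileged and e["actor"] != e["owner"]
    ]


def summarize_by_actor(events, privileged=PRIVILEGED_ACTORS):
    """Count distinct foreign record owners each unprivileged actor touched.

    A high count for a single actor is the signature of enumeration rather
    than a one-off mistaken click.
    """
    owners = defaultdict(set)
    for e in cross_user_reads(events, privileged):
        owners[e["actor"]].add(e["owner"])
    return {actor: len(s) for actor, s in owners.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in cross_user_reads(evs):
        print(f"{e['ts']} actor={e['actor']} read {e['object']}/{e['record']} owned by {e['owner']}")
    print(summarize_by_actor(evs))
```

On the constructed sample this reports two reads by `u100` of records it does not own (one vaccination record and one internal document), while the read by the privileged `staff42` account is not flagged. The per-actor summary is the figure an incident responder would look at first: one actor touching many distinct owners is what distinguishes deliberate enumeration from accidental exposure.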
The HSE acted promptly once notified, correcting the error on the same day, and declared through spokesperson Elizabeth Fraser that there was no need for a formal breach report to the Data Protection Commission since the exposed data was not enough for personal identification without additional information.
Because Ireland falls under the EU's GDPR, which sets strict requirements for data protection, vulnerabilities of this kind are significant. More than two years later, after extensive correspondence with government bodies and no progress towards public disclosure, Costello published the details on his own initiative.
Although GDPR does not require public disclosure of vulnerabilities that do not result in large-scale data theft or exposure, the security industry generally benefits from shared knowledge of vulnerabilities. Proactive sharing strengthens overall security and helps other organizations avoid similar failures, which is why many security researchers advocate disclosing such flaws.
FAQs About the Irish COVID-19 Vaccination Portal Vulnerability Disclosure
- When was the vulnerability in the Irish COVID-19 vaccination portal discovered?
Security researcher Aaron Costello discovered the vulnerability in December 2021.
- What kind of data was exposed due to the vulnerability?
Personal vaccination records, including names, vaccination details, the type of vaccine, and internal documents, were accessible.
- Was any unauthorized access to the vaccination records detected?
No unauthorized access to the vaccination records was detected, according to HSE's access logs.
- Did the HSE report this vulnerability to the Data Protection Commission?
No. The HSE determined that the exposure did not require reporting to the Data Protection Commission because the data accessed was not sufficient to identify individuals.
- Are organizations required to disclose such vulnerabilities under GDPR?
Organizations are not required to disclose vulnerabilities under GDPR unless they result in a significant data breach.
Conclusion
The substantial delay in the disclosure of the Irish COVID-19 vaccination portal vulnerability highlights the complexities and challenges of cybersecurity within public systems. It underscores the delicate balance between rectifying security issues and informing the public, especially under stringent data protection regulations like GDPR. Despite the two-year wait and the convoluted disclosure process, the fundamental takeaway is the value of transparency in cybersecurity, which can lead to stronger security practices across organizations through shared learning and proactive prevention measures.