Security researcher Aaron Costello said he discovered the vulnerability in the COVID-19 vaccination portal run by Ireland's Health Service Executive (HSE) in December 2021, a year after mass COVID-19 vaccinations began in Ireland.
Costello, who has extensive experience securing Salesforce systems, now works as a senior security engineer at AppOmni, a security startup focused on securing cloud systems.
In a blog post shared with TechCrunch ahead of publication, Costello said the vulnerability in the vaccination portal, built on Salesforce's Health Cloud, meant that any member of the public who registered on the HSE vaccination portal could have accessed other registered users' health information.
Costello said the vaccine management records of more than a million Irish citizens were accessible to others, including full names, vaccination details (including reasons for administering or declining vaccines) and vaccine type, among other data. He also discovered that HSE's internal documents were accessible to any user through the portal.
“Fortunately, the ability to see everyone's vaccine management details was not apparent to normal users who accessed the portal as intended,” Costello wrote.
The good news is that no one other than Costello discovered the bug, and the HSE kept detailed access logs showing that “there was no unauthorized access or viewing of this data,” according to a TechCrunch report.
“We remediated the misconfiguration on the day we were alerted,” HSE spokeswoman Elizabeth Fraser said in a message to TechCrunch when asked about the vulnerability.
“The data seen by this individual was insufficient to identify an individual without further fields of data being exposed and, in those circumstances, we decided that a personal data breach report to the Data Protection Commission was not necessary,” the HSE spokesperson said.
Ireland is subject to strict data protection legislation under the European Union's GDPR, which governs data protection and privacy rights across the EU.
Costello's public disclosure comes more than two years after the vulnerability was first reported. His blog post included a multi-year timeline that revealed the back-and-forth between government departments that were unwilling to take responsibility for public disclosure. He was eventually told that the government would not publicly disclose the mistake, as if it had never existed.
Organizations are not obligated, even under the GDPR, to disclose vulnerabilities that have not resulted in significant theft of or access to sensitive data and that do not meet the legal definition of a data breach. That said, security relies on the shared wisdom of others, especially those who have experienced security incidents themselves. Sharing that knowledge can help other organizations avoid similar exposures they might not otherwise be aware of. That is why security researchers tend to favor public disclosure: it helps avoid repeating the mistakes of the past.