A security breach in the self-appointment page for receiving the Generalitat de Catalunya coronavirus vaccine has exposed personal data of citizens registered in the system. The Department of Health closed the hole this weekend; it had revealed each citizen's name, ID number and vaccination appointment details, as the administration confirmed to elDiario.es. The gap did not compromise any kind of clinical information, they stress: “This website only contains the specific information about the vaccination process.”
“The recommendations of the Agència de Ciberseguretat de Catalunya were applied immediately to reinforce the security of this application,” explain the same sources. “This vulnerability has also been corrected by the IT company, applying the actions indicated by the Agency,” they add.
This outlet received notice of the breach from a group of ethical hackers calling themselves “Team Rocket”, who also reported it to the Generalitat and to several state cybersecurity bodies. At the same time, the Department of Health's technical team detected that the self-appointment website was receiving “unusual requests for information.” “Given the visibility and significance of the website, continuous monitoring is carried out. During these monitoring actions, access requests by third parties outside the defined flow were identified and have been analyzed,” explain the same sources.
The group of ethical hackers assures elDiario.es that they are the authors of this series of abnormal requests, sent as an alternative way of drawing the Generalitat's attention to the situation. “We carried out massive requests, which is what set off the alarms,” they explain: “We believe it is important that citizens know about it. They did not notice the requests we made initially, and those are the ones that allowed us access to all the information,” they say.
At the moment, the Generalitat has no evidence that the security breach was exploited by third parties to access citizen data beyond the testing carried out by the ethical hackers. “The incident is being analyzed with the Cybersecurity Agency. The data has been exposed, but we have no evidence that it has been misappropriated,” the Department confirms.
“As next steps, we are exploring with the different providers what the causes were and what improvements and controls must be incorporated into the protocols to minimize computer security risks,” they add. The Generalitat has already reported the security hole to the Catalan Data Protection Authority.
Avalanche of gaps in COVID tools
The security breach suffered by the Catalan health service joins the two accumulated by the Ministry of Health of the Community of Madrid in its digital tools for managing the COVID-19 pandemic. The regional administration led by Isabel Díaz Ayuso had two programming failures that exposed citizens' personal data: one in the vaccine self-appointment system and another in the COVID certificate portal.
The first took place on the self-appointment website for receiving the vaccine. The portal revealed the full name, ID number, telephone number, date of birth and health identification codes of the people registered in the Madrid health system. The portal was launched on May 24 and the Community of Madrid closed the gap on June 10, after being notified of its existence by elDiario.es. This outlet waited several days for confirmation that the data was no longer accessible before publishing the information.
The second vulnerability affected the service for obtaining the COVID certificate and was potentially more serious. To exploit it, one only had to enter a person's ID number in the URL of the portal, and it returned their personal data (name, telephone number, address, date of birth) as raw code. The error exposed information on millions of ordinary citizens but also on prominent people such as King Felipe VI or Prime Minister Pedro Sánchez, whose DNI numbers are public. Madrid paid 225,000 euros to the multinational Indra for this website.
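The two failure patterns reported above, an endpoint that returns a record for any ID number placed in the URL and the “unusual requests” that monitoring picked up in Catalonia, as an added illustration that is not code from any of the portals involved; the records, DNI numbers and log lines are constructed sample data:

```python
"""Insecure direct object reference beside its hardened form, plus a simple
enumeration detector of the kind that would flag mass ID lookups in access logs.
Everything here is a constructed stand-alone simulation, not the portals' code."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample records keyed by DNI (fake numbers, not real citizens)
RECORDS: Dict[str, Dict[str, str]] = {
    "00000001A": {"name": "Citizen One", "phone": "600000001", "appointment": "2021-06-14 10:00"},
    "00000002B": {"name": "Citizen Two", "phone": "600000002", "appointment": "2021-06-15 11:30"},
}

# Constructed access log: '<client ip> GET /cita/<dni>'; one client walks many DNIs
SAMPLE_LOG = [
    "198.51.100.4 GET /cita/00000001A",
    "203.0.113.7 GET /cita/00000001A",
    "203.0.113.7 GET /cita/00000002B",
    "203.0.113.7 GET /cita/00000003C",
    "203.0.113.7 GET /cita/00000004D",
    "198.51.100.4 GET /cita/00000001A",
]


def vulnerable_lookup(dni: str) -> Optional[Dict[str, str]]:
    """The reported failure: the DNI in the URL is the only 'check', so anyone who
    knows or guesses a DNI receives that person's full record."""
    return RECORDS.get(dni)


def hardened_lookup(session_dni: Optional[str], dni: str) -> Optional[Dict[str, str]]:
    """Serve a record only to the authenticated citizen it belongs to (session_dni is
    None when the caller is not logged in), and return only the fields the
    appointment page needs rather than the whole record."""
    if session_dni is None or session_dni != dni:
        return None  # deny uniformly, without revealing whether the DNI exists
    record = RECORDS.get(dni)
    if record is None:
        return None
    return {"name": record["name"], "appointment": record["appointment"]}


def enumeration_suspects(log_lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Flag client IPs that request more than `threshold` distinct DNIs: a legitimate
    citizen looks up their own appointment, a scraper walks through many IDs."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, _method, path = line.split()
        seen[ip].add(path.rsplit("/", 1)[-1])
    return sorted(ip for ip, dnis in seen.items() if len(dnis) > threshold)
```

The detector is deliberately minimal: in production it would key on a time window and on the authenticated identity as well as the IP, so that one client querying many DNIs in a short period is the signal.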
The Spanish Data Protection Agency is investigating both incidents, sources at the agency confirmed to this outlet. Telemadrid, which also accessed citizens' data through the second breach, has handed those files over to the Police.