The Spanish cybersecurity sector is small; most of the experts in the field know each other. That is why they ask not to be identified when taking a position on the programming failure in the Community of Madrid's COVID certificate portal, which exposed the personal data of thousands of citizens this Wednesday. All the specialists consulted by this outlet agree in calling it “a rookie error”. “It is a very basic development failure, that of a rookie at the cybersecurity level (or of someone unaware of the implications),” one of those sources adds.
The hole allowed access to the data of any person registered in the Community's health system simply by entering their DNI (national ID number) in the URL. The portal then returned the raw record: full name, address, date of birth, mobile phone number and landline. That error could be used to extract a citizen's personal data by entering a random DNI into the system … or to find out the mobile phone number of King Felipe VI.
“It is not admissible; it cannot be that entering a DNI returns everything, just like that,” denounces another specialist consulted by this outlet. “The bug seems pretty silly. Not requiring any identification before handing over that data is security 101,” adds a third source. “This error is stupid,” sums up a fourth expert: “When you develop anything, but especially services exposed to the Internet like this website, you have to do a series of tests before moving to a production service, with a threat model.”
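The flaw the experts describe (a record returned for whatever DNI appears in the URL, with no check of who is asking) is the classic insecure direct object reference. The following is an added illustration, not code from the Madrid portal or from Indra: a deliberately vulnerable lookup beside a hardened one that requires an authenticated session, serves only the record bound to that session, gives the same answer for a mismatch and an unknown DNI so the endpoint cannot confirm whether a number exists, and returns only the fields the certificate flow needs. The registry, DNIs and personal data are constructed, and `Request`/`Response` are hypothetical stand-ins for a web framework's objects.

```python
"""Constructed illustration of the flaw type described in the article: an
endpoint that returns a citizen's record for any DNI supplied in the URL, next
to a hardened version that ties the lookup to an authenticated session.
Hypothetical code, not the Madrid portal's or Indra's."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample registry; the DNIs and personal data are invented.
REGISTRY = {
    "00000001A": {"name": "Persona Ejemplo Uno", "address": "Calle Falsa 1",
                  "dob": "1970-01-01", "mobile": "600000001", "landline": "910000001"},
    "00000002B": {"name": "Persona Ejemplo Dos", "address": "Calle Falsa 2",
                  "dob": "1980-02-02", "mobile": "600000002", "landline": "910000002"},
}


@dataclass
class Request:
    path_dni: str                      # DNI taken from the URL: client-controlled
    session_dni: Optional[str] = None  # DNI of the logged-in user, set server-side


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def vulnerable_lookup(req: Request) -> Response:
    """Insecure direct object reference: whatever DNI is in the URL is looked up
    and the raw record is returned, with no authentication or ownership check."""
    record = REGISTRY.get(req.path_dni)
    if record is None:
        return Response(404)
    return Response(200, dict(record))


# Fields the certificate flow actually needs; everything else stays server-side.
CERTIFICATE_FIELDS = ("name", "dob")


def hardened_lookup(req: Request) -> Response:
    """Hardened form:
    1. an authenticated session is required;
    2. the record served is the one bound to that session, never one chosen
       through the URL;
    3. a mismatch and an unknown record get the same status, so the endpoint
       cannot be used to confirm whether a DNI exists;
    4. only the fields the use case needs are returned."""
    if req.session_dni is None:
        return Response(401)
    if req.path_dni != req.session_dni:
        return Response(403)
    record = REGISTRY.get(req.session_dni)
    if record is None:
        return Response(403)  # same status as a mismatch: no existence oracle
    return Response(200, {k: record[k] for k in CERTIFICATE_FIELDS})
```

The key design choice is that the hardened handler never uses the URL value as the lookup key; the identity comes from the session the server established, and the URL value is only compared against it. Whether the "is this DNI registered?" question leaks through the response is worth testing explicitly, since an existence oracle is enough to enumerate a registry even when the record itself is withheld.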
Although the sources consulted agree that “it is an error that should not occur”, the Community of Madrid did not get the system cheap. It was awarded without competition to Indra on June 3 under the emergency procedure. The Madrid Health Service (Sermas) paid 224,479.2 euros (185,520 euros once VAT is deducted) for three months of work, covering the launch of the website and its maintenance until August 16 of this year.
In the award, the regional administration led by Isabel Díaz Ayuso states that “Indra has extensive experience in the development and knowledge of Sermas information systems to provide this extraordinary service, since they have the necessary infrastructure and capacity”.
Within the cybersecurity sector, the view of this Spanish multinational is somewhat different from the one reflected by Sermas. “Indra is a monster. It has a lot of subcontractors and junior staff working under a lot of pressure,” reveals one of the cybersecurity experts consulted for this article. “Little happens,” he says. “If you saw the groups in which we talk about these things … from Indra this is just one more,” agrees a different source.
“It is not normal that what happens there does not get out,” laments Marcelino Madrigal, the only expert consulted who preferred to be named in this article. He worked in Indra's information systems for 33 years and was fired during the pandemic. “They fire people over 50 with a lot of technical knowledge to replace them with junior positions at 14,000 euros a year, or with a subcontractor that costs them twice as much as the people they fire,” he criticizes: “Yes, little is happening. Wrecking the company in full view of everyone.”
As reported to elDiario.es by several people who were aware of the security breach while it was open, the total number of citizens whose personal data was exposed amounts to 11 million. This figure comes from automated query tools, programmed to test DNIs at random and store the information the system returned whenever the number corresponded to a registered person. elDiario.es has not been able to verify this figure, and the Community of Madrid has refused to confirm it or to reveal how many people it has registered in its database to obtain the COVID certificate.
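Automated querying of that kind leaves a characteristic trace on the server side: one client asking for many distinct identifiers in a short time, most of them unknown to the system. The following is an added detection example from a defender's standpoint, not tooling from the Community of Madrid or Indra. The log format, the endpoint path `/certificado/consulta`, the client addresses and the DNIs are all constructed; the thresholds (eight distinct DNIs within a sixty-second window) are illustrative choices, not values from the article.

```python
"""Constructed example of the server-side signal that random-DNI querying of an
unauthenticated lookup endpoint would leave: many distinct identifiers from one
client in a short window, mostly misses. Hypothetical detector and log format,
not the Community of Madrid's or Indra's tooling."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines: "<ISO timestamp> <client> GET <path> <status>".
# 198.51.100.4 behaves like a citizen checking their own certificate twice;
# 203.0.113.7 walks through consecutive DNIs. Both addresses are documentation
# ranges, and the DNIs are invented.
SAMPLE_LOG = """\
2021-06-23T10:00:00 203.0.113.7 GET /certificado/consulta?dni=00000001A 404
2021-06-23T10:00:00 198.51.100.4 GET /certificado/consulta?dni=12345678Z 200
2021-06-23T10:00:01 203.0.113.7 GET /certificado/consulta?dni=00000002B 404
2021-06-23T10:00:02 203.0.113.7 GET /certificado/consulta?dni=00000003C 200
2021-06-23T10:00:03 203.0.113.7 GET /certificado/consulta?dni=00000004D 404
2021-06-23T10:00:04 203.0.113.7 GET /certificado/consulta?dni=00000005E 404
2021-06-23T10:00:05 198.51.100.4 GET /certificado/consulta?dni=12345678Z 200
2021-06-23T10:00:05 203.0.113.7 GET /certificado/consulta?dni=00000006F 404
2021-06-23T10:00:06 203.0.113.7 GET /certificado/consulta?dni=00000007G 200
2021-06-23T10:00:07 203.0.113.7 GET /certificado/consulta?dni=00000008H 404
2021-06-23T10:00:08 203.0.113.7 GET /certificado/consulta?dni=00000009J 404
2021-06-23T10:00:09 203.0.113.7 GET /certificado/consulta?dni=00000010K 404
not a request line at all
"""

# Hypothetical endpoint path; a DNI is eight digits followed by a letter.
LINE_RE = re.compile(
    r"^(\S+) (\S+) GET /certificado/consulta\?dni=(\d{8}[A-Z]) (\d{3})$"
)


def parse_line(line):
    """Return (timestamp, client, dni, status) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, dni, status = m.groups()
    return datetime.fromisoformat(ts), client, dni, int(status)


def detect_enumeration(log_text, window=timedelta(seconds=60), max_distinct=8):
    """Flag each client that requests at least `max_distinct` different DNIs
    within `window`. One alert per client, raised the first time the threshold
    is crossed, with the share of misses (404) in that window as context."""
    per_client = defaultdict(deque)  # client -> recent (timestamp, dni, status)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore lines that are not lookups on this endpoint
        ts, client, dni, status = parsed
        recent = per_client[client]
        recent.append((ts, dni, status))
        while recent and ts - recent[0][0] > window:
            recent.popleft()  # slide the window forward
        distinct = {d for _, d, _ in recent}
        if len(distinct) >= max_distinct and client not in alerted:
            misses = sum(1 for _, _, s in recent if s == 404)
            alerts.append({
                "client": client,
                "distinct_ids": len(distinct),
                "miss_ratio": misses / len(recent),
                "at": ts,
            })
            alerted.add(client)
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

A high miss ratio is the useful second signal: a legitimate user looks up a DNI that exists, so a client whose lookups are mostly 404s is guessing. In practice this belongs behind the authenticated, session-bound lookup rather than in place of it; rate limiting and alerting reduce how much an enumeration can harvest, but only the authorization check removes the exposure.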
The Community says tests were done
elDiario.es has contacted Indra to verify its involvement in the security hole. The multinational has acknowledged the existence of the failure but has refused to give any explanation, referring all communication about what happened to the spokespeople of the Community of Madrid.
Sources from the Ministry of Health have explained that “the incident was caused by the upload of an update that passed the test protocols”, but that “in the start-up process it generated a gap”. They maintain that this “was detected by the quality services” of the Community. According to the information to which this outlet had access, several sources from the cybersecurity sector alerted the Ministry of Health to the failure before it switched off the entire COVID certificate system as a precautionary measure, which happened in the middle of Thursday afternoon.
“In any case,” the Ministry of Health stresses, “the incident did not affect clinical data and of course did not involve any alteration of information in the databases.”
Even taking at face value Health's explanation that a test failed, the cybersecurity specialists consulted still do not see it clearly. “I can't believe that it passed the tests and then failed in production. It may be that the pre-production and testing environment is not the same as the production environment,” says one of them: “But that would be another big screw-up, because then you have no guarantee that something will work the same in testing as in production. It could also have been a failure in the deployment service, which threw errors, not all the files were copied and nobody noticed (which should be automatic as well).”
Data Protection investigates what happened
The Spanish Data Protection Agency (AEPD) opened an investigation on Thursday into the security breach that affected the Community of Madrid's COVID certificate portal the day before, sources from the agency have confirmed to this outlet.
Indra's involvement in the breach is relevant to the AEPD's future resolution, since that body cannot impose financial fines on public administrations even if it finds a dereliction of responsibilities in protecting citizens' personal data. It can, however, do so if it finds the same faults in the actions of a private company such as Indra.
Telemadrid, which was also able to verify the existence of the breach while it was open, has presented evidence of what happened to the Police during the morning of this Thursday.