Telemadrid has denounced to the National Police the cybersecurity failure of the Ministry of Health of the Community of Madrid that exposed the private data of thousands of people, including the President of the Government, Pedro Sánchez, and has presented evidence such as browser captures web links, as reported by the public network this Thursday.
The portal enabled by the Community of Madrid to obtain the COVID digital certificate, launched on June 7, allowed any user to access the personal data of thousands of citizens. A programming error made it possible that when entering a DNI number in the url of the system, it would return the full name of the person to whom that DNI belongs, their address, their mobile phone and the landline.
Among the evidence that Telemadrid has provided to the National Police is information, web links and browser snapshots with examples of private data of citizens. Among them, screenshots with personal data of King Felipe VI or the President of the Government; and an explanatory video of how the web could be accessed and what parameters had to be changed to access the personal data of the DNI holder, as well as the vaccination health data.
After presenting the complaint to the National Police, Telemadrid will inform the Madrid Prosecutor’s Office of the facts so that it can investigate how long “the data leak could be in force”, as explained by the regional media.
The Community of Madrid has recognized the existence of the breach and blocked access to the COVID certificate portal during the afternoon of this Wednesday. Sources from the Ministry of Health have explained to elDiario.es that “the incident has been caused by the upload of an update that passed the test protocols and that in the start-up process generated a gap”. Despite this, the Community of Madrid published a tweet in which it described the news as “hoax”.
The gap “has been solved in hours after being detected by quality services,” according to Health sources. However, elDiario.es has evidence that the Community of Madrid was warned by cybersecurity experts of the dangerous situation that was causing its COVID certificate system.