Two years ago, the Irish government patched a vulnerability in its national COVID-19 vaccination portal that exposed the vaccination records of around one million residents. However, details about the vulnerability were not revealed until this week, after efforts to coordinate a public disclosure with the government agency stopped and ended.
Security researcher Aaron Costello said he discovered the vulnerability in the COVID-19 vaccination portal operated by the Irish Health Service Executive (HSE) in December 2021, a year after mass vaccinations against COVID-19 began in Ireland.
Costello, who has deep expertise in securing Salesforce systems;he now works as a principal security engineer at AppOmni, a security startup with a commercial interest in cloud security.
In a blog post shared with TechCrunch ahead of publication, Costello said the vulnerability in the vaccination portal – based on Salesforce’s health cloud – meant that any member of the public signing up to the HSE vaccination portal could have access to the health information of another registered user.
Costello said vaccination records for over a million Irish residents were accessible to anyone, including names, vaccination details (including reasons for giving or refusing vaccinations) and type of vaccination, among other types of data. It also found that internal HSE documents were accessible to any user through the portal.
“Fortunately, the ability to view vaccination administration data was not readily apparent to regular users who were using the portal properly,” Costello wrote.
The good news is that no one other than Costello discovered the bug, and the HSE has kept detailed access logs showing that “there was no unauthorized access or viewing of this data,” according to a statement provided to TechCrunch.
“We patched the misconfiguration the day we were notified,” HSE spokeswoman Elizabeth Fraser said in a statement to TechCrunch when asked about the vulnerability.
“The data accessed by this individual was insufficient to identify any individual without exposing additional data fields and, in the circumstances, it was determined that a Personal Data Breach report to the Data Protection Commission was not required,” the HSE spokesman said.
Ireland is subject to strict data protection laws under the European Union’s GDPR regulation, which governs data protection and privacy rights across the EU.
Costello’s public disclosure marks more than two years since the vulnerability was first reported. His blog post included a multi-year timeline that revealed a back-and-forth between various government agencies that were unwilling to commit to public disclosure. He was eventually told that the government would not publicly disclose the bug as if it never existed.
Organizations are not required, even under the GDPR, to disclose vulnerabilities that have not resulted in mass theft or access to sensitive data and that do not fall within the legal requirements of an actual data breach. That said, security is often built from the knowledge of others, especially those who have experienced security incidents themselves. Sharing this knowledge could help prevent similar exposures to other organizations that would otherwise be unaware. This is why security researchers tend to lean towards public disclosure to prevent the mistakes of the past from being repeated.
