A security researcher recently revealed that a bug in an Irish government website exposed sensitive COVID-19 vaccination records for around a million residents. The vulnerability, discovered in December 2021, took two years to become public because of delays in coordinating disclosure with the government agency responsible for the site.
The researcher, Aaron Costello, who specializes in securing Salesforce systems, found the flaw in the COVID-19 vaccination portal operated by the Irish Health Service Executive (HSE). The portal, built on Salesforce Health Cloud, allowed any member of the public to access the vaccination records of other users who had registered with it.
According to Costello, the records of over a million Irish residents were exposed, including their full names, vaccination details, and internal HSE documents. Costello noted, however, that ordinary users of the site would not have stumbled on the data: reaching it required specific actions beyond normal use of the portal.
The HSE has confirmed that Costello was the only person to report the vulnerability and that it has no evidence of unauthorized access to the exposed data. The agency also stated that it fixed the issue on the same day it was reported, and that the data actually accessed (that is, what was retrieved during Costello's own testing) was not sufficient to identify any individuals. That statement describes what was retrieved, not what the flaw made reachable, which is the figure Costello's account refers to.
Ireland is subject to the European Union's GDPR, which requires an organization to report a personal data breach to its supervisory authority (in Ireland, the Data Protection Commission) within 72 hours unless the breach is unlikely to pose a risk to the people affected, and to notify those people directly when the risk is high. It does not require an organization to publicly disclose a vulnerability that, as far as it can tell, was never exploited to steal or access personal data. In this case, the HSE determined that no personal data breach report was necessary.
Even though there was no legal obligation to disclose the bug, Costello spent more than two years contacting various government departments to coordinate a public disclosure. He was ultimately told that the government would not reveal the vulnerability to the public, on the grounds that, in its view, the vulnerability did not exist.
The incident highlights the value of sharing knowledge and experience within the security community: other organizations running similar portals cannot check for the same mistake if they never learn of it. While organizations may have no legal requirement to disclose vulnerabilities, public disclosure helps prevent repeat incidents elsewhere and protects users' sensitive data.