The COVID-19 testing platform, Coronalab.eu, has exposed a database containing 11.8 million patient records, including COVID-19 certificates, test records, passport numbers, and other sensitive details.
While the Covid-19 pandemic is slowly becoming a distant memory, the data we gave away during the outbreak is not.
Coronalab.eu, a Dutch online platform for Covid-19 testing, left a misconfigured Google Cloud Storage bucket with 1.7 million files, covering 11.7 million records on individuals from 44 countries, the Cybernews research team has revealed.
The open bucket was dubbed “prod,” suggesting that Coronalab used it to store and manage data used in their operational and production IT environments.
The team discovered the open bucket in late November, with Coronalab fixing the issue after being contacted.
We contacted the platform and its owners, medical lab Microbe & Lab, for comment about the leak but did not receive a reply before publishing this article.
What sensitive data was exposed?
Researchers claim that among the nearly 2 million exposed files, they’ve discovered 120K Covid certificates in QR code formats and 32K comma-separated values (CSV) files with over 11.7 million Covid test results.
The exposed documents cover a period from 2020 until 2022. The leak exposed a trove of sensitive and personally identifiable user data, including:
- Patients’ names
- Dates of birth
- Passport numbers
- Covid test results
- Email addresses
- Phone numbers
- Destination country if the test was taken for traveling reasons
According to the team, the majority of leaked data likely belonged to Dutch nationals, as almost 89% of total leaked phone numbers came from the Netherlands. A further 1.5% were UK-based, 1.2% were from the USA, 0.8% were from Germany, and 0.8% were from Italy.
According to the team, disclosing sensitive personal data puts individuals at risk, as leaked details can be used for various nefarious purposes, such as targeted phishing attacks, fraud, or identity theft.
“Information security principles, particularly confidentiality, are critical in healthcare. A leak of coronavirus test results indicates a breach of confidentiality, indicating a failure in safeguarding sensitive medical information,” researchers said.
Since the Netherlands is governed by European Union law, the General Data Protection Regulation (GDPR) applies to how companies handle data. Meanwhile, sharing personal information, such as an individual’s name, address, date of birth, or other contact details without consent, could be considered a GDPR violation.
To mitigate the problems and avoid similar issues in the future, the team advises to:
- Change the access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access.
- Conduct a thorough audit of the access controls for the bucket. Review IAM (Identity and Access Management) policies and permissions assigned to users and service accounts. Make sure that the principle of least privilege is followed.
- Monitor retrospectively access logs to assess whether the bucket has been accessed by unauthorized actors.
- Consider encrypting both data in transit and data at rest. Features like server-side encryption offered by Google Cloud Storage can improve the security of the data that is stored.
- Consider implementing security best practices, including regular audits, automated security checks, and employee training.
More from Cybernews:
Subscribe to our newsletter