The Health Service Executive (HSE) in Ireland accidentally exposed the private information of an estimated one million citizens in December 2021, a researcher has shared. The leak happened seven months after a major ransomware attack on the same organization.
HSE is the publicly funded organization responsible for Ireland's public health and social care services. On the 14th of May, 2021, it suffered a devastating Conti ransomware attack, the biggest known attack against a health service at the time.
Soon after, an undisclosed data leak followed.
In December 2021, Aaron Costello, security researcher and principal SaaS security engineer at SaaS security vendor AppOmni, discovered a misconfiguration in HSE’s COVID Vaccination Portal that was inadvertently leaking the private information of more than a million Irish citizens, including their full names, vaccination status, the type of vaccine received and more.
According to his report, the leak also compromised HSE documents containing information about internal IT issues and processes and documents belonging to staff members.
“The HSE provides public health and social care services to everyone living in Ireland. The vaccination portal, developed by the HSE with Salesforce Health Cloud, granted registered users excessive permissions,” Costello said.
This oversight allowed individuals to access the sensitive information of other registrants and internal HSE documents.
“Since all vaccinations occurring in Ireland go through the HSE, it is estimated that the private information of over a million Irish citizens was inadvertently made publicly accessible,” Costello said.
After reporting his findings to the HSE, Costello assisted the organization with fixing the misconfiguration and disclosed it to authorities.
“After investigation by the HSE, they fortunately did not find any evidence that any information was accessed by unauthorized individuals with malicious intent,” Costello said.
Neither side disclosed the incident to the public until now.
HSE confirmed the leak. However, there were no logs of anyone else accessing the data.
“Security considerations were at the forefront of the Covax deployment. However, when a system of this nature is put together under time pressure (as was the case when we established the Covid-19 vaccination campaign), misconfigurations can occur. In this case, an external source pointed out one misconfiguration, which would have required deep technical expertise to exploit. We remediated the misconfiguration on the day we were alerted to it,” an HSE representative told Cybernews.
The organization assured us they would be able to see if an outsider accessed any data as they collected and analyzed detailed logs.
“Apart from the source who informed us of this issue, there was no unauthorized accessing or viewing of this data. The data accessed by this individual was insufficient to identify any person without additional data fields being exposed, and, in these circumstances, it was determined that a Personal Data Breach report to the Data Protection Commission was not required.”
How did the leak happen?
HSE’s vaccination portal was built on top of Salesforce and allowed any individual to sign up through a self-registration form. The data was stored in various tables of data within the Salesforce Health Cloud application.
“In Salesforce nomenclature, this particular type of portal is known as a Lightning Community or Digital Community. These communities are configured to grant all registered users a specific Profile. Through the permissions granted by the profile, users can then perform actions using the vaccination portal’s user interface, such as register for a vaccination or view their own personal vaccination appointment details,” Costello explains.
He found that profiles were accidentally granted “an unprecedented level of access to the Health Cloud,” which included information about vaccination administration. Anyone could see everyone else’s vaccination administration details. Luckily, that was not immediately obvious to regular users.
“Furthermore, the same profile had accidentally been granted read access to a folder containing internal HSE documents. Because of that, sensitive information could have been downloaded and distributed by anyone who had registered to the portal,” the researcher said.
He previously demonstrated how malicious actors could retrieve unprotected data by exploiting the API.
The misconfiguration allowed a potential hacker to register on the vaccination portal, obtain the over-privileged profile, view all HSE data that existed within the Salesforce platform, iterate over the list of available objects, and attempt to access the data. Any successful attempt could give access to the data and the ability to download thousands of rows at a time.
“This would have allowed the malicious individual to access both internal HSE documentation and all vaccine administration records for over a million individuals,” Costello said.
He believes poor permission management was the cause of the leak.
“This is a common problem among organizations using Salesforce, as managing object and field access alongside sharing rules can be challenging and cumbersome. For organizations that have publicly facing content on the Salesforce platform, this is the number one cause of data exposure,” the report reads.
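An added example (not from Costello's report or from HSE): a least-privilege check of the kind this points to, comparing the object permissions granted to a portal's registered-user profile with what the portal actually needs. The rows imitate an export of Salesforce's ObjectPermissions object; the profile name, custom object names, CSV header and allow-list are constructed assumptions.

```python
import csv
import io

# Constructed sample: rows shaped like an export of Salesforce's ObjectPermissions
# object for one profile. Profile and custom object names are hypothetical.
SAMPLE_EXPORT = """\
Profile,SobjectType,PermissionsRead,PermissionsEdit,PermissionsViewAllRecords
Portal Registrant,Appointment__c,true,true,false
Portal Registrant,Vaccine_Administration__c,true,false,true
Portal Registrant,Internal_Document__c,true,false,false
Portal Registrant,Account,true,false,false
"""

# What the portal UI needs (assumption for this example): register and view
# one's own appointment. Anything else should be absent from the profile.
ALLOWED = {
    "Appointment__c": {"PermissionsRead", "PermissionsEdit"},
    "Account": {"PermissionsRead"},
}
# Flags that bypass sharing rules; never expected on a self-registration profile.
BYPASS_SHARING = {"PermissionsViewAllRecords", "PermissionsModifyAllRecords"}


def audit_profile(export_text, profile, allowed=ALLOWED):
    """Return sorted (object, permission, reason) findings for one profile."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Profile"] != profile:
            continue
        obj = row["SobjectType"]
        granted = {k for k, v in row.items()
                   if k.startswith("Permissions") and v.lower() == "true"}
        for perm in sorted(granted):
            if perm in BYPASS_SHARING:
                findings.append((obj, perm, "bypasses record sharing"))
            elif obj not in allowed:
                findings.append((obj, perm, "object not needed by portal"))
            elif perm not in allowed[obj]:
                findings.append((obj, perm, "permission exceeds portal need"))
    return sorted(findings)


if __name__ == "__main__":
    for obj, perm, reason in audit_profile(SAMPLE_EXPORT, "Portal Registrant"):
        print(f"{obj:28} {perm:28} {reason}")
```

Object permissions are only one layer: field-level security and sharing rules decide which fields and records a profile actually sees, so a clean result here does not by itself rule out exposure.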
After the issue was reported to HSE on December 16th, 2021, it was resolved on January 17th, 2022. Subsequent attempts to coordinate disclosure with the NCSC and DECC did not result in a response or agreement.