PONT Data&Privacy

Data of 60,000 Dutch citizens exposed by data leak at test company

A leak at a test company allowed anyone tech-savvy enough to create fake travel and access tickets in the CoronaCheck app. In addition, the leak allowed hackers and cybercriminals to access the private and personal data of 60,000 Dutch citizens. As a precaution, all test sites were closed and the website was taken offline. The Ministry of Health, Welfare and Sport disconnected the testing company from its systems. The Autoriteit Persoonsgegevens has been informed of the data breach and is going to ask the ministry for clarification. This is according to an investigation by RTL News.

VPN Guide July 19, 2021

News press release

Entering two lines of code in your browser

The company in question is Testcoronanu. The company, with 10 testing locations in the Netherlands and three in Belgium, is affiliated with the Testenvoorjereis.nl initiative. Dutch people going on vacation in Europe or abroad this summer must show that they have been fully vaccinated, have a negative PCR test result or have recently had corona (antigen test). Without one of these three proofs, you won't enter the country. Many Dutch people have taken a corona test at Testcoronanu.

The leak was childishly easy to exploit. All you had to do was enter two lines of code into your web browser. You enter the required information and receive a valid vaccination certificate in the CoronaCheck app, without having actually been vaccinated or tested, or recently recovered from corona.

Professor calls CoronaCheck 'worthless app'

Altering a test result is not only dangerous for public health: after all, nothing then stands in the way of the coronavirus, which can spread unchecked. It also undermines confidence in the application that the Dutch central government (Rijksoverheid) has commissioned. Bert Niesters, professor of microbiology at the University Medical Center Groningen, calls CoronaCheck "worthless" in comments to RTL News.

"Any form of reliability is now completely gone. There was already no proper control at the door with this app, and now that infections are also skyrocketing due to the Delta variant, it is totally irresponsible to continue using this app for events where there can't be a meter and a half. This app is basically worthless."

This data breach is 'very shocking'

The leak not only allowed you to modify data to your own advantage. It also gave access to the private and personal data of more than 60,000 Dutch citizens. RTL News says it accessed full names, residential addresses, e-mail addresses, phone numbers, citizen service numbers (BSN), passport numbers and medical data. Hackers and cyber criminals constantly prey on this kind of data. The more data they possess, the more credible they appear when they try to con unsuspecting victims. They use this data for phishing and to commit identity fraud.

Frederik Zuiderveen Borgesius, professor of ICT & Law at Radboud University Nijmegen, therefore calls the data breach "very shocking". "It doesn't get much more sensitive than this. This is precisely what medical privacy is for: that people dare to get tested because they have to be able to trust that their data are safe. You notice that this is not yet sufficiently alive among parties who have recently entered the testing industry en masse, and that is why things are going so wrong now."

Access to database was wide open

The leak occurred because access to Testcoronanu's database was wide open. The company was using Google's database system Firestore. Normally, this environment is protected so that not everyone with an Internet connection can access it. That was not the case here. RTL managed to modify its own data and obtain a negative test proof. Through the CoronaCheck app, this was converted into a valid QR code with a green background.

That anyone with an Internet connection could snoop around and make changes to Testcoronanu's database is "one of the biggest mistakes you can make," according to Dave Maasland of cybersecurity firm ESET. "You start to wonder: who else has abused it this way?"
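As an added illustration (not Testcoronanu's or Google's own configuration), the Firestore security rules below show the catch-all rule that produces the "wide open" state described above, beside a ruleset that limits each person to their own records and keeps test results unwritable from any client; the collection names, the `ownerUid` field and the helper functions are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: caller presents a valid Firebase Authentication token.
    function signedIn() {
      return request.auth != null;
    }
    // Helper: caller is the person the document belongs to (assumed field).
    function isOwner(data) {
      return signedIn() && request.auth.uid == data.ownerUid;
    }

    // The state the article describes is equivalent to one catch-all rule:
    //   match /{document=**} { allow read, write: if true; }
    // which lets anyone read every record and rewrite any test result.
    // Firestore's "test mode" starter rules behave the same way until their
    // expiry date, so they must never reach production.

    // Appointments: a person may create and read only their own booking.
    match /appointments/{appointmentId} {
      allow read: if isOwner(resource.data);
      allow create: if isOwner(request.resource.data)
                    && request.resource.data.keys().hasOnly(
                         ['ownerUid', 'location', 'slot']);
      // No client-side edits or deletions; staff tooling changes bookings
      // through the backend, which uses the Admin SDK and bypasses rules.
      allow update, delete: if false;
    }

    // Test results: read-only for the owner, never writable from a client.
    // Only the lab backend (Admin SDK, server-side credentials) writes here,
    // so a browser session cannot turn a positive result into a negative one.
    match /testResults/{resultId} {
      allow read: if isOwner(resource.data);
      allow write: if false;
    }

    // Anything not matched above is denied, which is Firestore's default.
  }
}
```

Rules can be exercised against the Firebase Emulator Suite before deployment, which is the kind of check a penetration test of the provider would also have performed.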

Response from the Ministry of Health, Welfare and Sport and the Autoriteit Persoonsgegevens

The Ministry of Health, Welfare and Sport says to RTL News that it has "no signals" that others have had access to the data in the database. "In addition to plugging the leak by the provider, we have immediately put our efforts into finding a solution for travelers whose test cannot go ahead now or who are still waiting for a test result," a spokesperson reveals.

The Autoriteit Persoonsgegevens called the data breach "very serious". The company is not allowed to get back to work and process personal data until it can guarantee security and reliability. The regulator is going to ask the Ministry of Health for clarification. One of the things the privacy watchdog wants to know is how Testcoronanu was able to become an official partner of the government. "People should be able to assume that the government is handling this properly and securely," a spokesman said.

Testcoronanu closed all test sites as a precaution when it got wind of the leak. The website to make a test appointment was taken offline to plug the leak. The company promises to notify all those affected about the data breach today. Anyone who had an appointment scheduled with Testcoronanu is asked to make a new appointment with another provider through the site Testenvoorjereis.nl.

Update: Testcoronanu goes wrong again. Anyone who had an appointment for a corona test today received an e-mail saying the appointment could not go ahead due to the leak. But instead of putting the e-mail addresses in the bcc line, they were copied to the cc line, tech journalist Daniel Verlaan reported on Twitter. This made the e-mail addresses visible to every recipient. This gave Testcoronanu two data breaches within 24 hours.

A spokesperson for the Ministry of Health, Welfare and Sport tells RTL News that everything was in order at the company, which is why it was admitted to the government's testing system. "A proper pen test should have revealed this vulnerability. We will investigate how this vulnerability could nevertheless have existed at the provider. If necessary, CoronaCheck's connection requirements will be tightened," the spokesperson said.

He says that following the reports about Testcoronanu, the ministry checked whether a similar vulnerability existed in the systems of other providers. That turned out not to be the case.
