A bug in an Irish government website that exposed COVID-19 vaccination records took two years to publicly disclose
Two years ago, the Irish government fixed a vulnerability in its national COVID-19 vaccination portal that exposed the vaccination records of around a million residents. But details of the vulnerability weren’t revealed until this week after attempts to coordinate public disclosure with the government agency stalled and ended.
Security researcher Aaron Costello said he discovered the vulnerability in the COVID-19 vaccination portal run by the Irish Health Service Executive (HSE) in December 2021, a year after mass vaccinations against COVID-19 began in Ireland.
Costello, who has deep expertise in securing Salesforce systems, now works as a principal security engineer at AppOmni, a security startup with a commercial interest in securing cloud systems.
In a blog post shared with TechCrunch ahead of its publication, Costello said the vulnerability in the vaccination portal — built on Salesforce’s health cloud — meant that any member of the public registering with the HSE vaccination portal could have accessed the health information of another registered user.
Costello said the vaccine administration records of over a million Irish residents were accessible to anyone else, including full names, vaccination details (including reasons for administering or refusals to take vaccines), and the type of vaccination, among other types of data. He also found internal HSE documents were accessible to any user through the portal.
“Thankfully, the ability to see everyone’s vaccination administration details was not immediately obvious to regular users who were using the portal as intended,” Costello wrote.
The good news is that nobody other than Costello discovered the bug, and the HSE kept detailed access logs that show there was “no unauthorised accessing or viewing of this data,” per a statement given to TechCrunch.
“We remediated the misconfiguration on the day we were alerted to it,” said HSE spokesperson Elizabeth Fraser in a statement to TechCrunch when asked about the vulnerability.
“The data accessed by this individual was insufficient to identify any person without additional data fields being exposed and, in these circumstances, it was determined that a Personal Data Breach report to the Data Protection Commission was not required,” said the HSE spokesperson.
Ireland is subject to strict data protection laws under the European Union’s GDPR regulation, which governs data protection and privacy rights across the EU.
Costello’s public disclosure marks more than two years since first reporting the vulnerability. His blog post included a multi-year timeline revealing a back-and-forth between various government departments that were unwilling to take claim to public disclosure. He was ultimately told that the government would not publicly disclose the bug as though it never existed.
Organizations are not obligated, even under GDPR, to disclose vulnerabilities that have not resulted in a mass theft or access of sensitive data and that fall outside of the legal requirements of an actual data breach. That said, security is often built off the knowledge of others, especially those who have experienced security incidents themselves. Sharing that knowledge could help prevent similar exposures at other organizations that might otherwise go unaware. This is why security researchers tend to lean toward public disclosure to prevent a repeat of mistakes from yesteryear.