A security researcher has revealed details of a massive data breach that left the vaccination records of one million people in Ireland exposed.
Aaron Costello, principal security engineer at AppOmni, discovered the vulnerability in the Covid-19 vaccination portal managed by the Irish Health Service Executive (HSE) in December 2021.
He has not been able to agree on a disclosure process since the discovery, but has decided to publish the details now.
The data exposed by the vulnerability included the full names of vaccine recipients, their vaccination status and type received, and more. The breach also compromised HSE documents containing information about internal IT issues and processes, along with documents belonging to staff members.
The vulnerability arose because the vaccination portal, developed by the HSE with Salesforce Health Cloud, granted excessive permissions to registered users, and any individual could register on the portal through a self-registration form.
All registered users were assigned a specific profile, which allowed them to perform actions using the vaccination portal user interface, such as registering for a vaccination or viewing personal details of their vaccination appointment.
All of this information was stored in various data tables within the Salesforce Health Cloud application.
“Unfortunately, the people who had configured the profile's permissions had accidentally given it an unprecedented level of access to the Health Cloud object that is responsible for storing information specifically about vaccine administration,” Costello said.
“Furthermore, the same profile had accidentally been granted read access to a folder containing internal HSE documents. Because of this, anyone who had registered on the portal could have downloaded and distributed sensitive information.”
A malicious user, Costello revealed, would have been able to access the data by registering on the vaccination portal, at which point they would have been automatically assigned the Salesforce profile with excessive privileges.
Through the API, they could view all objects within the Salesforce platform, including those belonging to the Health Cloud application, cycle through the list of available objects, and attempt to access the data they contain, thousands of rows of data at a time.
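A least-privilege review of the self-registration profile is the check that catches this class of misconfiguration. The sketch below is an added example, not code from Costello, AppOmni or the HSE; the profile names, object names and sharing values are constructed placeholders, and the allow-list is an assumption about what a portal needs.

```python
# Added example: flag over-broad access on a self-registration portal profile.
# PERMS rows mirror an ObjectPermissions export, e.g. from the SOQL
#   SELECT Parent.Profile.Name, SobjectType, PermissionsRead,
#          PermissionsViewAllRecords, PermissionsModifyAllRecords
#   FROM ObjectPermissions WHERE Parent.IsOwnedByProfile = true
# Every profile name, object name and sharing value below is constructed.
SELF_REG_PROFILE = "Portal Self-Registered User"   # hypothetical profile name
ALLOWED_OBJECTS = {"Appointment__c"}               # assumed: what the portal UI needs

PERMS = [
    {"profile": SELF_REG_PROFILE, "object": "Appointment__c",
     "read": True, "view_all": False, "modify_all": False},
    {"profile": SELF_REG_PROFILE, "object": "VaccineAdministration__c",
     "read": True, "view_all": True, "modify_all": False},
    {"profile": SELF_REG_PROFILE, "object": "SupportTicket__c",
     "read": True, "view_all": False, "modify_all": False},
    {"profile": "Internal Staff", "object": "VaccineAdministration__c",
     "read": True, "view_all": True, "modify_all": False},
]
# External org-wide default per object (simplified labels, assumed separate export).
EXTERNAL_SHARING = {"Appointment__c": "Private",
                    "VaccineAdministration__c": "Private",
                    "SupportTicket__c": "PublicReadOnly"}


def audit(perms, sharing, profile=SELF_REG_PROFILE, allowed=ALLOWED_OBJECTS):
    """Return sorted (object, severity, reason) findings for one profile."""
    findings = []
    for row in perms:
        if row["profile"] != profile:
            continue
        obj = row["object"]
        if row["view_all"] or row["modify_all"]:
            # View All / Modify All ignore sharing rules: every row is readable.
            findings.append((obj, "HIGH", "View All/Modify All on portal profile"))
        elif row["read"] and sharing.get(obj, "unknown") != "Private":
            # Read plus a non-private (or unknown) external default exposes all rows.
            findings.append((obj, "HIGH", "read with non-private external sharing"))
        elif row["read"] and obj not in allowed:
            # Own records only today, but outside what the portal needs.
            findings.append((obj, "REVIEW", "read outside allow-list"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(PERMS, EXTERNAL_SHARING):
        print(*finding, sep=" | ")
```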
The HSE acted quickly to investigate and it does not appear that the data was accessed.
“We can recognize that this vaccination portal was implemented during a particularly chaotic period when many governments around the world were struggling to provide a single, simplified vaccination management solution for their citizens,” Costello said.
The vulnerability was discovered just months after a major ransomware attack on the HSE. The personal data of more than 100,000 patients was hacked in what Minister of State for Public Procurement and eGovernment Ossian Smyth described as “possibly the most significant cyber attack against the Irish State”.
All HSE IT systems across the country were shut down and months of disruption followed; it is estimated that the incident cost more than 100 million euros.