COVID-19 vaccination records of around a million Irish residents were exposed due to a bug in the Irish government's website
Surprisingly, it took two full years for the vulnerability to be publicly disclosed. Security researcher Aaron Costello, who specialises in securing Salesforce systems, found it in December 2021, a year after Ireland began its mass COVID-19 vaccination campaign. The vaccination portal run by the Irish Health Service Executive (HSE) was misconfigured in a way that let any member of the public registered on it read the health information of other registered users.
In practice, personal data such as full names and vaccination details, along with internal HSE documents, could be retrieved by anyone using the portal. Ordinary users were unaware of the exposure at the time, since nothing in normal use of the portal revealed it.
According to the HSE, nobody other than Costello found the flaw, and there was no unauthorised access to or viewing of the exposed data; a conclusion of that kind is only as reliable as the portal's access logging, which the public statements did not describe. The HSE corrected the misconfiguration as soon as it was alerted. Even so, despite the seriousness of the flaw and Ireland's strict data protection laws, more than two years passed before it became public.
Government departments were reluctant to take responsibility for a disclosure, and in the end none was made. Organisations are under no legal obligation to disclose a vulnerability that did not result in a data breach (mandatory notification applies to an actual personal data breach, not to a misconfiguration found and fixed before any data was accessed), but sharing what went wrong helps other organisations avoid the same exposure.
Researchers such as Costello argue for public disclosure precisely so that the same mistake is not repeated elsewhere.