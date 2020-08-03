Special By By Tim Sandle 1 hour ago in Health Argentina's health officials have apparently exposed personal medical data relating to some 115,000 COVID-19 quarantine exemption applicants, in what represents a major health sector data breach. It also follows that In this context, a data breach has occurred in Argentina in relation to the coronavirus. An Elasticsearch database containing personal information The data included names, national ID numbers, tax ID numbers, and other information about applicants. Essential workers in Argentina can apply for these permits to be exempt from certain COVID-19 quarantine restrictions. Based on the evidence at hand, researchers believe the data belongs to the San Juan, Argentina government and the country’s Ministry of Public Health. Commentating on the data incident for Digital Journal is Chris DeRamus, VP of Technology, Cloud Security Practice, Rapid7. DeRamus begins by explaining that although assessing populations for COVID-19 is important, there are important data security issues that need to be taken account of. DeRamus says: "COVID-19 tracing apps and databases have been a major cause for concern among privacy groups, and this latest data leak will certainly add fuel to the fire. More than 115,000 essential workers in Argentina now have to worry that the personal information they entrusted to their government will be used against them by nefarious actors. The personally identifiable information exposed in the unprotected cloud database includes names, national ID numbers, tax ID numbers, phone numbers, email addresses, and other information. " This is not all, however. DeRamus says: "Worse yet, security researchers demonstrated that the information exposed could be used to access individuals’ circulation permits, which contain even more sensitive data such as name, address, and phone number of their employer. This is more than enough information for bad actors to commit tax fraud, identity theft, or any number of other scams. This data breach could have easily been prevented if simple, preventive measures had been implemented." As to why there are a number of weaknesses around COVID-19 data, DeRamus attributes this to the pace of the responses: "Many government agencies and other organizations have had to scramble to provide needed services and relief in response to the pandemic, and this has led to IT infrastructure built hastily and without the proper security and compliance measures taken into account. The most effective way to ensure and maintain a secure database is through a shift-left approach." However there is time to drive improvements, says DeRamus: "By integrating security into the development process rather than after creation, organizations can improve developer productivity and prevent security and compliance risks before it’s too late. Organizations can make this shift by integrating cloud security into the CI/CD process and evaluating Infrastructure as Code (IaC) templates before a build for the same security and compliance issues that the organization now evaluates at runtime. This proactive approach not only ensures sensitive data is kept out of the wrong hands, but also allows for quicker deployment of needed services." The novel coronavirus pandemic has resulted in more data being collected by national governments about their citizens and people seeking to enter the country. Organizations can make this shift by integrating cloud security into the CI/CD process and evaluating Infrastructure as Code (IaC) templates before a build for the same security and compliance issues that the organization now evaluates at runtime. This proactive approach not only ensures sensitive data is kept out of the wrong hands, but also allows for quicker deployment of needed services."