According to ZDNet’s report on the incident, the password for a highly sensitive Ministry of Health database was stored in the source code of a government website. The web developers left it there in error, and the password remained exposed for over six months, waiting for hackers to stumble across it.
A wider search revealed a similar deficiency in the source code of another Brazilian government website, e-SUS-Notifica, the online portal where Brazilian citizens sign up to receive official government notifications about the coronavirus pandemic.
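The failure described above is a credential left in shipped source. The following scanner is an added example (not code from the article, ZDNet, or the Brazilian sites) of the kind of check a defender can run over source before deployment; the patterns, the placeholder rule and the sample script are all constructed for illustration.

```python
import re
from typing import List, Tuple

# Credential patterns (constructed for this example). The named group "v"
# captures the literal secret value so the report can redact it.
PATTERNS = [
    ("password literal",
     re.compile(r"""(?i)(?:pass(?:word|wd)?|pwd)["']?\s*[:=]\s*["'](?P<v>[^"']{6,})["']""")),
    ("credentials in connection URL",
     re.compile(r"""(?i)\b(?:postgres(?:ql)?|mysql|mongodb)://[^:/\s"'@]+:(?P<v>[^@\s"']+)@""")),
    ("basic-auth header literal",
     re.compile(r"""(?i)authorization["']?\s*[:=]\s*["']basic\s+(?P<v>[a-z0-9+/=]{8,})["']""")),
]

# Values that merely reference a secret store or deployment variable, not a real secret.
PLACEHOLDER = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|<[^>]+>|process\.env\.|os\.environ)")

def redact(value: str) -> str:
    """Keep two characters so a reviewer can locate the value without re-exposing it."""
    return value[:2] + "*" * (len(value) - 2)

def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding label, redacted value) for each hard-coded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, rx in PATTERNS:
            m = rx.search(line)
            if m and not PLACEHOLDER.match(m.group("v")):
                findings.append((lineno, label, redact(m.group("v"))))
    return findings

# Constructed sample: a site's front-end script with a database password left in by mistake.
SAMPLE_SOURCE = """\
const API_BASE = "https://notify.example.invalid/api";
const db = { host: "db.internal", user: "app", password: "Hunter2-Secret!" };
const mongo = "mongodb://app:S3cretPass@db.internal/notify";
const safe = { password: process.env.DB_PASSWORD };  // reference, not a secret
const tmpl = 'password = "${DB_PASSWORD}"';           // placeholder, not a secret
"""

if __name__ == "__main__":
    for lineno, label, shown in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {label} -> {shown}")
```

Lines 4 and 5 of the sample are deliberately left unflagged: they show the pattern developers should use instead, with the secret injected at deploy time rather than written into the page.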
In response to the Brazilian Ministry of Health’s exposed database, Digital Journal sought the opinion of security expert Robert Prigge, CEO of Jumio.
Prigge begins by setting the context for the data breach and the implications: “The exposed database containing the information of 243 million Brazilians, including full names, home addresses, phone numbers and medical details, puts the victims at risk of account takeover and other forms of fraud.”
In terms of what can potentially be done with the data, Prigge states: “Fraudsters can leverage the breached information to impersonate citizens and access any accounts set up with the exposed information, where they can lock the user out and steal benefits.”
There is more risk: “Cybercriminals can also use the exposed data of deceased citizens to create synthetic identities, which can be used to commit additional fraud.”
In terms of remediation actions, Prigge says: “As the exposure was caused by a third-party developer, it is critical government agencies and enterprises thoroughly vet their selected partners, especially those that handle and manage consumer data. Even if enterprises have battened down the hatches on their own security, their efforts become meaningless if they do not ensure their vendors have done the same.”
And in terms of robust preventative actions, Prigge offers: “While exposing personal data due to a misplaced password is a serious security lapse, passwords in general can no longer be trusted to keep data safe in today’s fraud environment. A more secure solution, biometric authentication (leveraging a person’s unique human traits to verify identity), ensures data can only be accessed by authorized users, keeping data secure and out of fraudsters’ hands.”