The novel coronavirus pandemic has resulted in national governments collecting more data about their citizens and about people seeking to enter the country. The collection and analysis of digital data is seen as necessary to slow the rate of infections and to orient health services in preparation for the expected second wave. One downside of amassing large volumes of data is that those holding it can leak it, either inadvertently as the result of poor security protocols or as the result of an orchestrated attack.
It also follows that as governments and organizations expand and embed their remote working capabilities, the overall surface area of risk widens. It is important that data is handled correctly and stored securely. Furthermore, each use of data should be carefully considered. As with other aspects of data protection, it remains good practice to record the decisions made and, if possible, the rationale for them.
In this context, a data breach has occurred in Argentina in relation to the coronavirus. An Elasticsearch database containing personal information of more than 115,000 Argentinians who applied for COVID-19 circulation permits was exposed on the web without a password or any other authentication required to access it.
The data included names, national ID numbers, tax ID numbers, and other information about applicants. Essential workers in Argentina can apply for these permits to be exempt from certain COVID-19 quarantine restrictions. Based on the evidence at hand, researchers believe the data belongs to the San Juan, Argentina government and the country’s Ministry of Public Health.
Commenting on the data incident for Digital Journal is Chris DeRamus, VP of Technology, Cloud Security Practice, Rapid7. DeRamus begins by explaining that although assessing populations for COVID-19 is important, there are important data security issues that need to be taken into account.
DeRamus says: “COVID-19 tracing apps and databases have been a major cause for concern among privacy groups, and this latest data leak will certainly add fuel to the fire. More than 115,000 essential workers in Argentina now have to worry that the personal information they entrusted to their government will be used against them by nefarious actors. The personally identifiable information exposed in the unprotected cloud database includes names, national ID numbers, tax ID numbers, phone numbers, email addresses, and other information.”
This is not all, however. DeRamus says: “Worse yet, security researchers demonstrated that the information exposed could be used to access individuals’ circulation permits, which contain even more sensitive data such as name, address, and phone number of their employer. This is more than enough information for bad actors to commit tax fraud, identity theft, or any number of other scams. This data breach could have easily been prevented if simple, preventive measures had been implemented.”
As to why there are a number of weaknesses around COVID-19 data, DeRamus attributes this to the pace of the responses: “Many government agencies and other organizations have had to scramble to provide needed services and relief in response to the pandemic, and this has led to IT infrastructure built hastily and without the proper security and compliance measures taken into account. The most effective way to ensure and maintain a secure database is through a shift-left approach.”
However, there is time to drive improvements, says DeRamus: “By integrating security into the development process rather than after creation, organizations can improve developer productivity and prevent security and compliance risks before it’s too late. Organizations can make this shift by integrating cloud security into the CI/CD process and evaluating Infrastructure as Code (IaC) templates before a build for the same security and compliance issues that the organization now evaluates at runtime. This proactive approach not only ensures sensitive data is kept out of the wrong hands, but also allows for quicker deployment of needed services.”