Massive security gap in “Austria tests”: Millions of data records can be called up

According to joint research by "ORF konkret" and the data protection NGO "epicenter.works", an authorized pharmacy had access not only to the tests it had carried out itself, but to the complete data of all tests performed anywhere in Austria during the past seven days.

This gap made it possible to retrieve the name, address, social security number, telephone number, e-mail address and coronavirus test result of potentially hundreds of thousands of people throughout Austria. According to Thomas Lohninger, managing director of "epicenter.works", several million data records were affected.
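The flaw described above is an object-level authorization failure: the caller is authenticated as a pharmacy, but the query that returns recent tests is scoped only by the time window, not by who performed the test. The following added example is not code from the oesterreich-testet.at system or from its operator; the record layout, the field names, the seven-day window and the per-pharmacy scoping are assumptions made for illustration, and the sample records are constructed. It shows the date-only query beside the tenant-scoped one, plus the check a tester would run to detect a cross-tenant leak.

```python
"""Added illustration of the class of flaw described in the article (not the
real system's code): a tenant-scoping / object-level authorization failure."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class TestRecord:
    pharmacy_id: str   # site that performed the test (assumed field)
    name: str
    svnr: str          # social security number (constructed sample value)
    result: str
    taken_on: date


TODAY = date(2021, 7, 8)   # fixed "today" so the example is deterministic

# Constructed sample data: two pharmacies, three records, one older than a week.
RECORDS = [
    TestRecord("PHARM-A", "Anna Muster", "1234 010180", "negative", TODAY - timedelta(days=1)),
    TestRecord("PHARM-B", "Bernd Beispiel", "5678 020285", "positive", TODAY - timedelta(days=2)),
    TestRecord("PHARM-B", "Clara Test", "9012 030390", "negative", TODAY - timedelta(days=10)),
]


def recent_tests_vulnerable(caller_pharmacy_id, records=RECORDS, today=TODAY):
    """Caller is authenticated, but the query is scoped by date only.

    Every record of the last seven days is returned regardless of which
    pharmacy ran the test; caller_pharmacy_id is never consulted.
    """
    cutoff = today - timedelta(days=7)
    return [r for r in records if r.taken_on >= cutoff]


def recent_tests_fixed(caller_pharmacy_id, records=RECORDS, today=TODAY):
    """Same query with object-level authorization applied server-side:
    the caller only sees records of tests it performed itself."""
    cutoff = today - timedelta(days=7)
    return [
        r for r in records
        if r.taken_on >= cutoff and r.pharmacy_id == caller_pharmacy_id
    ]


def cross_tenant_leak(fetch, caller_pharmacy_id, records=RECORDS, today=TODAY):
    """Authorization check a tester would write: anything returned to the
    caller that belongs to another pharmacy is a cross-tenant leak."""
    return [
        r for r in fetch(caller_pharmacy_id, records, today)
        if r.pharmacy_id != caller_pharmacy_id
    ]


if __name__ == "__main__":
    leaked = cross_tenant_leak(recent_tests_vulnerable, "PHARM-A")
    print("records leaked to PHARM-A by the date-only query:",
          [r.name for r in leaked])
    print("records leaked after scoping by pharmacy:",
          cross_tenant_leak(recent_tests_fixed, "PHARM-A"))
```

The check in `cross_tenant_leak` is the same one a penetration test of a multi-tenant API performs: log in as one tenant, call every listing endpoint, and flag any returned object whose owner is not the caller.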

Web developer discovered the data leak and was fired

The security gap was discovered by a web developer commissioned by the pharmacy in question, who immediately documented it and contacted the Ministry of Health and the ORF with a request for an urgent fix. According to the privacy advocates, the programmer was initially ignored; there was a reaction only once the ORF made inquiries. The pharmacy was excluded from "oesterreich-testet.at", whereupon it terminated its working relationship with the web developer.

The Ministry of Health initially denied that there was a security gap and spoke of an "unlawful use of internal documentation systems" by an individual pharmacy, according to "epicenter.works". The ministry made the same argument in a statement on Thursday: within the framework of the tests, the pharmacies are the "sole controllers under data protection law", and the Ministry of Health is not responsible. In addition, the ministry noted that pharmacies, like doctors in private practice, "are subject to a statutory duty of care and professional secrecy".

“Adjustments made”

Together with the Chamber of Pharmacists, the internal system of the individual pharmacies has been optimized and the error in question has been corrected, the ministry said: "In the past few weeks, appropriate adjustments have been made to protect the internal documentation systems even better against any illegal use by individual test sites."

Lohninger sharply criticized this approach. Instead of being grateful to the discoverer of the vulnerability, the Ministry of Health had made sure that he lost his job. The web developer had behaved "absolutely correctly": he documented the vulnerability and informed those responsible, even though his knowledge of it could have been worth a lot of money. Besides exploiting the vulnerability for identity theft, data trading or blackmail, knowledge of the vulnerability itself could have been sold.

187,000 euros monthly costs

Health Minister Wolfgang Mückstein (Greens) should apologize to the programmer and raise the IT competence in his ministry "as soon as possible", Lohninger demanded. The site is operated by World Direct, a wholly owned subsidiary of A1.

Building this booking system for Covid-19 tests cost half a million euros, and the Ministry of Health pays a hefty 187,000 euros per month for its operation, as the answer given around a year ago by then Health Minister Rudolf Anschober (Greens) to a parliamentary inquiry from NEOS shows. In view of this lucrative state contract, Lohninger finds it incomprehensible that the A1 system was never subjected to a security check (penetration test).

Source: Nachrichten
