This week, the Indiana Department of Health issued a notice that the state’s COVID-19 contact-tracing system had been exposed via a cloud misconfiguration, revealing names, emails, gender, ethnicity, race and dates of birth of more than 750,000 people.
The incident shows that COVID-19 data could be poised for abuse and misuse, according to experts, which is now being collected on millions of people across the globe. The question is whether it’s being adequately protected from threat actors. And it turns out, there might be some work to be done on the security front.
Meanwhile, COVID-19 vaccine fraud is also on the rise — demonstrating that the pandemic still offers a rich vein for cybercriminals of all stripes to mine.
When it comes to the contact-tracing incident, “We believe the risk to Hoosiers whose information was accessed is low,” State Health Commissioner Kris Box, M.D., said in a statement. “We do not collect Social-Security information as a part of our contact tracing program, and no medical information was obtained. We will provide appropriate protections for anyone impacted.”
Turns out the Indiana Department of Health was half correct; the threat was low. The company that accessed the information was a cybersecurity company named UpGuard, which found a misconfigured API sitting unsecured and visible to anyone on the internet. When UpGuard alerted Indiana officials, they didn’t seem to understand that UpGuard was trying to help, not abuse their data.
Indiana Contact-Tracing Data Unsecured
In response to UpGuards’ security researchers’ report that the data was unsecured, the Indiana Department of Health said the company gained “unauthorized access” to their contact-tracing database, according to AP’s reporting. The state also claimed UpGuard “improperly accessed” the data, seeming to miss the point that UpGuard was trying to help them improve their cybersecurity posture.
“For one, our company did not `improperly access’ the data. The data was left publicly accessible on the internet,” UpGuard company spokesperson Kelly Rethmeyer said. “This is known as a data leak. It was not unauthorized because the data was configured to allow access to anonymous users and we accessed it as an anonymous user.”
The Indiana Office of Technology said later that the software configuration issue was fixed and requested UpGuard return any accessed records, which it did.
Though the issue has been fixed and the API is now secured, the apparent confusion surrounding a disclosure from a cybersecurity firm shows that local governments might not be fully aware of the risks or the tools available to help shore up cybersecurity — like being able to work with the research community effectively to mitigate reported vulnerabilities.
Nonetheless, municipalities all over the world are collecting vast amounts of data through COVID-19 contact-tracing programs, like Indiana’s, and vaccine record keeping.
“We’re in a data-breach pandemic,” UpGuard’s Rethmeyer told Threatpost.
Counterfeit COVID-19 Cards
Meanwhile, Flashpoint has also released a report detailing an uptick in cybercriminals selling counterfeit COVID-19 vaccine certificates and other COVID-19-related public-health documentation in reaction to a rise in American business requiring vaccination proof before congregating in public spaces.
Flashpoint’s report added that these fake credentials are available across several underground closed channels, like underground forums, chat rooms and more.
A cybercriminal called “Freedom” was observed by Flashpoint advertising false vaccine documentation provided with the assistance of doctors.
“Flashpoint analysts believe this advertisement was placed in an anti-COVID lockdown channel in order to target customers who are skeptical of vaccines and lockdowns in the U.S.,” the report said.
Another person called “BigDOCS” was offering letters declaring that someone tested negative for COVID-19, for $40. Another counterfeit certificate seller was offering a fake vaccine card for $100, and for $125 the recipient can receive it overnight.
Another fraudster on Telegram claimed they could produce a vaccine card for either a Pfizer or Johnson & Johnson vaccine.
Similar fraudulent documents can be bought for use across the European Union, Flashpoint added. On the underground forum Nulled, researchers found an EU vaccine certificate for sale for $450.
“The threat actor advertising the certificate mentioned that they are also a vaccine skeptic who doesn’t trust the government and doesn’t want to be forced to take the vaccine,” Flashpoint reported.
Flashpoint even found a blank CDC COVID-19 vaccine template available for free on 4chan.
“Flashpoint analysts have observed threat actors on the image board 4chan sharing CDC COVID-19 vaccine templates, which can be accessed for free through open-web sources,” the report said.
With criminals determined to skirt public health requirements for vaccines, testing and contact tracing, governments are going to have to keep up.