Exploit: Misconfiguration
New South Wales Department of Customer Service: Regional Government Agency
Risk to Business: 1.211 = Extreme
A real data exposure mess has brewed in New South Wales, Australia, thanks to a government-run, QR code-based COVID-19 check-in program. The COVID Safe Businesses and Organizations dataset was discovered loose on the internet, and it included data for sensitive sites and organizations alongside data about run-of-the-mill companies. Some of the sensitive data posted gave details about the physical facilities and locations of prisons, critical infrastructure networks including power stations and tunnel entry sites, as well as dozens of shelters and crisis accommodation centers. Even national security-related locations were exposed. In this program, businesses and organizations registered as COVID-safe to access a QR code for staff and customers to check in at their physical locations. The program has been discontinued.
No information about consumer/employee PII, PHI, or financial data exposure was available at press time.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: Information is gold on the dark web. The locations of sensitive infrastructure targets will be circulating quickly and could easily fall into the wrong hands.
Source: smh