Exploit: Misconfiguration
Francetest: COVID-19 Test & Trace Platform
Risk to Business: 1.721 = Severe
A misconfiguration in an online platform used to transfer data from antigen tests carried out at pharmacies to the government platform SI-DEP has made hundreds of thousands of COVID-19 test results public, along with the PII of the patients who took them. In a particularly interesting detail of this story, the misconfiguration came to light when a patient with IT expertise noticed that the open-source content management system WordPress was being used to manage sensitive data. She could access files containing other patients’ information via the URL tree and even create an account without being a pharmacist.
Individual Risk: 1.761 = Severe
Exposed data included patients’ full names, genders, dates of birth, social security numbers, contact details (including email address, telephone number, and postal address), and test results including COVID-19 status.
Customers Impacted: 700,000
How it Could Affect Your Customers’ Business: Human error is still the biggest cause of data breaches, and this is one mistake that’s going to cost a fortune by the time GDPR penalties are calculated.
Source: Connexion France