Vulnerability found in austria-testet.at: discoverer is fired

Coronavirus diagnostics laboratory in Ingelheim

© EPA / RONALD WITTEK


Pharmacies had access to the data of all people in Austria who used the portal for corona tests.

The web developer Gökhan S. discovered a security vulnerability in the platform Österreich testet (austria-testet.at): every pharmacy participating in austria-testet.at was able to retrieve the data of all corona tests across Austria via the website’s regular API.

Affected data: name, address, social security number, phone number, email address and the corona test result. Affected people: potentially hundreds of thousands of people across Austria who registered for a corona test via österreich-testet.at in the past 7 days, reports epicenter.works. The civil rights organization took a closer look at the vulnerability together with the team of ORF konkret.

“The austria-testet.at platform worked like an ATM, where you have an ATM card and a PIN code, but could then withdraw money from any account,” explains Thomas Lohninger, Managing Director of epicenter.works. The gap is “by design”, Lohninger told futurezone. True to the motto: “These are trustworthy healthcare providers, they won’t do anything bad with the data.”
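The ATM analogy describes a missing object-level authorization check: the caller is authenticated as a test site, but the record lookup is keyed by record id alone, so any id resolves regardless of which site owns it. The following is an added illustration, not code from austria-testet.at, World Direct or epicenter.works; the record store, site names, endpoint path and log lines are all constructed. It shows the unscoped lookup beside a tenant-scoped one, and an access-log audit of the kind an operator would run to see whether cross-site reads actually occurred.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TestRecord:
    record_id: int
    site_id: str      # the pharmacy / test site that registered this person
    name: str
    result: str


# Constructed sample data; the people and sites are fictitious.
RECORDS = {
    1001: TestRecord(1001, "pharmacy-A", "Person One", "negative"),
    1002: TestRecord(1002, "pharmacy-B", "Person Two", "positive"),
    1003: TestRecord(1003, "pharmacy-B", "Person Three", "negative"),
}


class Forbidden(Exception):
    """Raised when a caller asks for a record outside its own site."""


def lookup_unscoped(caller_site: str, record_id: int) -> TestRecord:
    """Vulnerable pattern: the caller is a logged-in site, but the record is
    fetched by id alone, so the 'ATM card' works on every account."""
    return RECORDS[record_id]


def lookup_scoped(caller_site: str, record_id: int) -> TestRecord:
    """Hardened pattern: the authenticated site is part of the lookup key.
    A missing record and a record owned by another site get the same
    answer, so the response does not confirm that the id exists."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.site_id != caller_site:
        raise Forbidden(f"record {record_id} is not available to {caller_site}")
    return rec


def can_read(caller_site: str, record_id: int) -> bool:
    """Boolean wrapper around the scoped lookup, convenient for tests."""
    try:
        lookup_scoped(caller_site, record_id)
        return True
    except Forbidden:
        return False


# Hypothetical access-log format for the audit below (constructed):
#   <timestamp> site=<site_id> GET /api/tests/<record_id> <http status>
LOG_LINE = re.compile(
    r"site=(?P<site>\S+) GET /api/tests/(?P<rid>\d+) (?P<status>\d{3})"
)


def cross_tenant_reads(log_lines):
    """Return (caller_site, record_id, owner_site) for every successful read
    of a record that belongs to a different site than the caller."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or m["status"] != "200":
            continue
        rec = RECORDS.get(int(m["rid"]))
        if rec is not None and rec.site_id != m["site"]:
            hits.append((m["site"], rec.record_id, rec.site_id))
    return hits


SAMPLE_LOG = [  # constructed lines, not real log data
    "2021-03-01T10:00:01Z site=pharmacy-A GET /api/tests/1001 200",
    "2021-03-01T10:00:02Z site=pharmacy-A GET /api/tests/1002 200",
    "2021-03-01T10:00:03Z site=pharmacy-A GET /api/tests/1003 403",
    "2021-03-01T10:00:04Z site=pharmacy-B GET /api/tests/1003 200",
    "2021-03-01T10:00:05Z site=pharmacy-B GET /api/tests/9999 200",
]


if __name__ == "__main__":
    print(lookup_unscoped("pharmacy-A", 1002))   # resolves: the defect
    print(can_read("pharmacy-A", 1002))          # False after the fix
    print(cross_tenant_reads(SAMPLE_LOG))        # one cross-site read
```

The audit only works if the log carries the authenticated caller identity alongside the requested record id; a log of bare URLs cannot tell a legitimate read from a cross-site one, which is what makes the operator's statement about its access logs checkable in the first place.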

Thomas Lohninger examined the vulnerability for epicenter.works

© Franz Gruber, Kurier

Reported immediately, fired as a thank you

Gökhan S., who was employed as a web developer at a pharmacy, reported his discovery to the Ministry of Health immediately after finding the gap. Only when ORF konkret asked the ministry about it was there a reaction: the pharmacy where Gökhan S. had worked was excluded from österreich-testet.at. The pharmacy then terminated its employment relationship with Gökhan S.

Update: An earlier version of the article showed an APA stock image of a pharmacy in Vienna. It did not show the pharmacy where Gökhan S. had worked.

Statement of the Ministry of Health

The Ministry of Health told ORF konkret that this was not a security gap but an “unlawful use of the internal documentation systems of an individual pharmacy”. The ministry confirmed this when asked by futurezone. The pharmacy is “solely responsible under data protection law” in the context of the tests. “The Ministry of Health is therefore not responsible,” it says. The ministry “regrets this incident, but would like to note that pharmacies, just like doctors in private practice, are subject to a statutory duty of care and to professional secrecy.”

However, “adjustments have been made to better protect the systems against any unlawful use by individual test sites,” the ministry told futurezone. “The ministry is of course also concerned with the security of health data, even where other bodies are responsible for its processing under data protection law. For this reason, the internal system of the individual pharmacies was optimized together with the Chamber of Pharmacists and the error mentioned was fixed,” according to the ministry.

A check by epicenter.works showed that it is no longer possible to access the test results of everyone who has registered.

This is what the start page of “Österreich testet” looks like

© Screenshot

Expensive operation without thorough testing

The civil rights organization, which had already exposed serious security problems in the Epidemiological Reporting System (EMS) in December, was still shocked. “Gökhan S. behaved absolutely correctly in the situation by immediately notifying those responsible. Instead of saying thank you, the Ministry of Health made sure that he lost his job.” Lohninger demands an apology to the programmer and calls on the ministry to “immediately increase IT competence in-house”.

The ministry, however, denied responsibility in this specific case. “The ministry is particularly concerned about compliance with all data protection obligations. Of course, this also applies to the platforms set up specifically for this purpose in the context of the current fight against the pandemic,” it says. But that does not apply to the specific case: instead of an error, there was “unlawful use of the system”.

The portal austria-testet.at is operated by World Direct, an A1 subsidiary. According to World Direct, no data leak took place via this attack vector; this is evident from the access logs.

The booking system for COVID-19 tests cost half a million euros to set up and costs the Ministry of Health 187,000 euros per month, according to a parliamentary inquiry. A “systematic risk assessment”, a data protection impact assessment and penetration tests should have revealed this relatively obvious security gap immediately, according to epicenter.works. These would have been “mandatory” when processing sensitive health data.
