According to the Lower Saxony Ministry of Health, a tip from an anonymous hacker led to a data leak in the state’s vaccination portal being closed before it was actively exploited.
As the Ministry of Health stated on Thursday, a suspected white hat hacker came forward on May 7th with detailed information about a data breach on the vaccination portal. By his own account, he is only interested in the loophole being closed, and he has not saved any of the records of over 1200 people to which he had gained access.
Everyone had access
Majorel, the service provider responsible for developing the Lower Saxony vaccination portal, was able to retrace the attack, the statement continues: the hacker used a function with which vaccination centers can search for and retrieve the personal data of those willing to be vaccinated. This function is necessary in order to find the data record of registered people who visit a vaccination center without their appointment code.
This interface was supposed to be accessible only to vaccination centers and only via VPN. As the hacker found out, however, registering via SMS on the Citizens’ Portal as a person willing to be vaccinated also gave him access to the interface for up to two minutes and allowed him to query hundreds of personal data records. The gap was closed on the evening of May 7th.
According to the Ministry of Health, a check of the log files by Majorel showed that the loophole described was only successfully exploited 37 times on May 6 and 7, and 1258 personal data records were retrieved. It is assumed that all accesses were made by the friendly hacker and that, as stated, he actually did not save any data.
In this respect, no harm was caused to those affected, the ministry concludes. Nevertheless, it was a data protection violation that was reported to the state data protection officer. In addition, all persons whose data was accessed will be informed of the incident by post in the next few days.