Name, place of residence, mobile phone number: sensitive data such as these, belonging to people who had registered for a PCR test at two Franconian test centers, were temporarily available on the Internet. The operator, the Arbeiter-Samariter-Bund (ASB) Bavaria, said on Friday that it very much regretted the incident. “The ASB immediately closed the data gap and increased the level of protection.” t-online had previously reported on the data breach. The test center in the Forchheim district and the joint center of the city of Erlangen and the Erlangen-Höchstadt district are affected.
Actual data access unclear
“Something clearly seems to have gone wrong here,” Andreas Sachs, Vice President of the Bavarian State Office for Data Protection Supervision, told the German Press Agency. “This data should not be made available to unauthorized persons. That is very clear.” Sachs qualified this, however: according to a preliminary assessment by the office, the data leak is not seen as a “serious security incident”.
It is unclear whether unauthorized persons actually accessed the data. The ASB announced that this was being examined comprehensively and that, at the moment, such access could not be assumed. According to t-online, the document could not be found via a search engine.
“Incorrect permission settings” in Google Docs
According to its own information, the ASB works with an external call center based in Berlin to make appointments. The appointments, together with the personal data, were saved in Google Docs documents, i.e. in files that several users can access online. The problem: according to the t-online report, anyone who had the link to this document could open it without further ado and view the sensitive data: name, place of residence and telephone number in Forchheim; nationality, date of birth, address and email address in Erlangen. With regard to the Forchheim center, ASB Bayern spoke of “incorrect authorization settings” by a call center employee.
Robert Ziegenfelder, managing director of ASB-Emergency Aid Erlangen, presented the matter differently on this point: A password was necessary to access the appointment list of the Erlangen center.
1600 people affected – test results were not stored
Health data such as test results were not included in the documents. “These data were never visible to third parties,” the ASB clarified. According to the ASB, 1,600 people who had arranged PCR tests at one of the two centers are affected. According to Ziegenfelder, the data leak was closed immediately after it was learned of on Thursday through t-online's research.
It is unclear since when appointments had been handled this way, and thus how long unauthorized persons could have had access to the data. The company has been working with the external service provider since the beginning of September, said Ziegenfelder. According to the State Office for Data Protection Supervision, the incident is being processed. This is a standard process, said Sachs.
Not the first case
According to the authority, the data breach in Franconia is not the first case of inadequate data protection in Bavarian test centers. There were further problems in a single-digit number of cases, said Sachs. These were noticed partly through complaints, partly through research by the office. In these cases, however, it was less about documents available online than about security gaps in the software for scheduling appointments.
Log data had shown, however, that no one was able to gain access. “You were lucky,” said Sachs. At the same time, he made it clear: “It’s not a mass phenomenon.” There is no need to worry along the lines of: “I had myself tested once and now my data is gone.”