Northern Ireland's Department of Health (DoH) has temporarily halted its COVID-19 vaccine certification online service following a data exposure incident.
Some users of the COVIDCert NI service were presented with data of other users, under certain circumstances, says the Department.
As seen by BleepingComputer, neither the web service nor the mobile app functionality is accessible at the time of writing.
COVIDCert vaccine check service halted after data leak
This week, Northern Ireland's Department of Health (DoH) has temporarily suspended their COVIDCert online vaccination certification service after a data incident.
The government body says that a limited number of users were potentially exposed to data of other users, causing them to temporarily halt the service.
COVIDCert enables fully vaccinated individuals based in Northern Ireland to obtain a digital certificate confirming their COVID-19 vaccination status.
This is a separate system from NHS COVID Pass used in England & Wales, and a similar "vaccine passport" style service used by Public Health Scotland.
The Northern Ireland service is available via the covidcertni.nidirect.gov.uk website or mobile app for Android and iOS users.
As tested by BleepingComputer, both the COVIDCert website and the mobile app endpoints are down at the moment:
"Our services aren't available right now. We're working to restore all services as soon as possible. Please check back soon," reads one of the error messages thrown by the service.
Whereas, the "resource...removed" message is being shown to users of the mobile app who attempt to log in.
Data incident reported to ICO, not all parties impacted
NI Department of Health promptly reported the issue to UK's Information Commissioner's Office (ICO) after becoming aware of it.
"The Department of Health takes the privacy of citizen's data very seriously and contact has been made with the Information Commissioner's Office (ICO) as part of due diligence in protecting citizen's data."
"Immediate action has also been taken to temporarily remove a part of the service that manages identity," the Department announced in a notice published yesterday.
Also published is a list of parties not impacted by this incident:
- Applicants (currently up to and including 31/07) who already have their certificate will not be impacted by this – their apps or paper copies are still operational.
- Applicants (to 31/07) who have lodged an application using the online portal for a downloadable PDF who have not yet received it will not be impacted by this – their PDF will be delivered.
- Applicants (to 31/07) who have lodged an application using the COVIDCert NI app for an electronic certificate who have not yet received it will not be impacted by this – they will be sent a PDF as an interim step.
Additionally, the Department states certain individuals who have already filed an application for a digital certificate or are pending identity checks will not be impacted.
They can continue to avail the services normally once operations are restored:
- Applicants (to 31/07) who have lodged an application for an electronic certificate who receive a PDF copy instead will be able to log-in and download an electronic version after the issue is fixed.
- Applicants who are currently undergoing identity validation in the NIDirect workflow can continue. Once successfully validated they will need to pause while we fix the above issue.
- Some users may find they cannot login through their NIDirect account, as they have been locked due to the technical issue.
This data incident, although seemingly minor, comes at a time when there's much scrutiny and worry concerning COVID-19 vaccine passports among some members of the public.
In recent times, threat actors are constantly eying and have successfully targeted critical healthcare systems with exorbitant ransom demands, as previously reported by BleepingComputer.
Northern Irish DoH is working on resolving the issue and an update is expected to follow soon.
BleepingComputer has reached out to the department with specific questions, including how many users were impacted, and what caused the incident. We are awaiting their response.
"The Northern Ireland COVID Certification Service will be available from 9am on 30 July for those travelling on 1 August in the first instance."
"Some applications will be processed manually and applicants will be contacted via email on what to do as they progress."
"We must insist that those travelling outside of the 1 August do not apply, or they will simply delay the full restoration of normal services," further announced DoH.
Update 30-Jul-2021 02:13 ET: Added subsequent announcement from NI DoH.
Comments
rp88 - 2 years ago
Pretty much inevitable. This is why countries should start trusting people to do the right thing, and do so uncoerced, and let people live with their own medical choices, rather than building dangerous surveillance infrastructures which disrupt normal life and the economy for scientifically illogical* reasons.
*Once you've had the vaccine you have nothing to fear from covid whether those around you are vaccinated or not, infected or not. Surveillance only damages mental health and makes the most socially vulnerable people (poor, disabled, mentally ill, recently arrived immigrants, religious minorities...) more excluded from society.