Security gaps at coronavirus test centers: Weak passwords, incomplete encryption and no second factor

At the end of June, the hacker collective “Zerforschung” uncovered once again serious security gaps at German Coronavirus test centers. According to the specialists, they had no trouble gaining access to 174,000 data records, including booking confirmations as well as strictly confidential, personal data such as patients’ names, genders, addresses, telephone numbers, e-mail addresses and dates of birth. Also, the test results and, in some cases, even the ID numbers of those affected were available to the attackers.

Massive security breaches at coronavirus test centers – how could this happen?

The passwords for the accounts were generated sloppily and transmitted in an unsecured manner: The “Coronapoint” software used passwords composed of the numbers 0-9 and the letters A-F in ascending order, which made it easy for the hackers to access masses of patient data. This makes Coronapoint already the fifth test center software from which the hackers were able to retrieve large amounts of personal data without much effort. And others have already noticed the security vulnerabilities as well, according to media reports on heise and Golem, among others.

The German Federal Office for Information Security described the incident as a “serious IT security and data protection problem”. As a result, 34 test centers of the operator PAS Solutions in four German states were affected. “Zerforschung” suspects that the security gap is also due to a lack of personnel in the authorities responsible for supervision.

The solution: consistent encryption, strong passwords, and two-factor authentication

Post-incident assessment is a supposedly simple task. With knowledge of the exact modus operandi of the hackers and the vulnerabilities in the affected IT structure, security experts can quickly formulate countermeasures.

But in this case, it was not due to the ingenuity of the “attackers” that the patient data could be stolen, but simply because there was a lack of compliance with simple and basic data security principles. Above all, the careless generation of extremely simple passwords made it easy for hackers to “guess” the passwords using brute force. Apart from that, sensitive digital information such as personal data should never be communicated in plain text as a matter of principle. Otherwise, they are obviously at the mercy of cybercriminals and without protection. The lack of a second factor in user authentication also plays into the hands of attackers. Proof of identity by combining several different and independent components should have long been the norm. Especially true when it comes to protecting personal data!

Business areas that operate with particularly sensitive data (which also includes patient data) should therefore rely on seamless encryption of their data under all circumstances – without exception! Because the additional effort involved is disproportionate to the risk that would be taken without it. And this is usually done without the knowledge of the patients or customers concerned. According to “Zerforschung”, for example, even more than a week after the security vulnerability became known, those affected were not informed by the operator.

Digitalization stands and falls with data protection

To make the digitalization of public life –including visits to the authorities, doctors or, in the future even elections—a success, it needs the acceptance of all users. To convince even the last skeptics of the benefits of digital solutions, incidents like this one should not be repeated. Unfortunately, the reality is different and hardly a week goes by without a new data incident. The consequences for the progress of digitalization are accordingly fatal.

Especially in times when more and more businesses and even strictly regulated industries are migrating their data to the cloud, trust-building IT security measures are of utmost importance. Basic encryption in the transmission, storage and processing of sensitive data should be seen as just as much a non-debatable foundation as the widespread use of strong passwords and two-factor authentication.

You can find out how confidential computing can help protect patient data against unwanted access in this blog post: Confidential computing. Electronic health card: This is how the sealed cloud protects patients data