“Design in haste, repent at leisure”

Monday 25 October 2021

After security issues in Jersey's vaccine passport system emerged last week, a local lawyer has explained why he believes covid-related data is now part of the front line of cybercrime.

Advocate David Cadin, Jersey Managing Partner at Bedell Cristin, had this to say…

The news that just hours after it was launched, a security flaw was discovered in Jersey's digital covid-19 certificate is disappointing but probably not surprising.

Design in haste and repent at leisure may be a fair reflection of the development process. It does however underline some of the challenges of vaccine passports that I wrote about a few months ago.

But we are not alone in facing these issues.

Digital Covid passport schemes are being rolled out across the globe and a cursory search suggests that a number of them have suffered from security flaws:

• "Belgium’s app that verifies coronavirus vaccinations reported a data leak, just days before Brussels is set to require people to prove they’ve been jabbed in order to enter restaurants."
• "Canada - Private proof-of-vaccination app Portpass exposed personal information, including the driver's licences, of what could be as many as hundreds of thousands of users by leaving its website unsecured."
• "An independent report has revealed a data breach in the Indonesian government's covid-19 test-and-trace mobile app, potentially affecting records of around 1.3 million users."
• "Around 38 million records from north of a thousand web apps that use Microsoft's Power Apps portals platform were left exposed online, according to researchers. The records are said to have included data from covid-19 contact tracing efforts, vaccine registrations and employee databases, such as home addresses, phone numbers, social security numbers and vaccination status." (Engadget August 2021)
• "The covid vaccine passport scheme in Northern Ireland has suffered a data breach, resulting in some users receiving other users’ personal information."

The fact that so many of these digital schemes have had security issues is probably in part, a reflection of the challenge these vaccine passport schemes present in terms of managing sensitive data, on behalf of huge numbers of people, and making that data readily accessible whilst simultaneously ensuring that it is entirely secure.

The fact that many of these schemes have been created under huge time pressures, against a backdrop of political promises that normality would soon be restored, and fervent debate about civil liberties has just compounded the difficulty.

The issues with the Jersey scheme apparently mean that information about a person's vaccine status and their certificates could be accessed without their permission. So what? Is anyone really interested in stealing information about someone's vaccine status? 

It turns out that they may well be.

The French media recently reported that "hackers stole the personal data of around 1.4 million people who took covid-19 tests in the Paris region in the middle of 2020" and that "French hospitals have been the targets of hackers and ransomware attacks since the start of the covid epidemic".

Vaccine programs and healthcare systems across the world are all being targeted, and the obvious attractions are that systems created in haste, contain sensitive personal data on millions, and there is money in that data (just look at the £636m fine imposed on Amazon for breaches of European data rules in July 2021).

Personal data (even data about your vaccine) can be sold and then used for scams or cloning or identity theft; it can be used to facilitate phishing attacks by cloaking the approach with a veneer of legitimacy; or it may just amount to good old fashioned industrial espionage. Like it or not, covid-related data is now part of the front line of cybercrime. 

So the record of someone's vaccine status matters; not just to the individual but collectively to all of us.

We need to be able to trust those to whom we give our data; we need to be able to trust the data that is shared with us; we need to know that sharing our data is not going to open us to exploitation. Without that trust, all of these schemes fall down and that is not going to help anyone.

So well done Jersey for spotting the flaw and halting the roll-out.