Ireland Plugs Two-Year-Old COVID Vaccine Portal Vulnerability Exposing Millions of Records

The Irish government has fixed a significant vulnerability, first reported two years ago, in its national COVID-19 vaccination portal that exposed the private vaccination records of around one million residents. However, details of this security lapse were not revealed until this week, after attempts to coordinate public disclosure with the government agency responsible stalled and ultimately ended without resolution.

Security researcher Aaron Costello said he discovered the high-risk vulnerability in the COVID-19 vaccination portal run by the Irish Health Service Executive (HSE) back in December 2021, about a year after mass vaccinations against COVID-19 began rolling out across Ireland. Costello, who has deep expertise in securing Salesforce systems and now works as a principal security engineer at cloud security startup AppOmni, uncovered a flaw that exposed personal health data on a massive scale.

In a blog post shared with TechCrunch ahead of publication, Costello explained that the vulnerability in the HSE vaccination portal — built on Salesforce’s health cloud platform — allowed any member of the public registering on the site to access the private vaccination records and health information of any other registered user. This extended to the full vaccine administration records of over one million Irish residents, containing highly sensitive details like full names, specific vaccination histories and dosage details, reasons for accepting or refusing vaccines, and other confidential medical data. Costello also found that internal HSE documents were openly accessible to any user through vulnerabilities in the portal.

“Thankfully, the ability to see everyone’s vaccination administration details was not immediately obvious to regular users who were using the portal as intended,” Costello wrote, suggesting the vulnerability was not easily exploitable through normal usage of the site. However, the vast oversharing of private data represented a significant lapse in security practices.

After discovering the vulnerability in late 2021, Costello reported it through the HSE’s responsible disclosure program. The good news is that the agency’s logs show no evidence the vulnerability was ever maliciously discovered or exploited by anyone other than Costello during his testing. “We kept detailed access logs that show there was no unauthorized accessing or viewing of this data,” an HSE spokesperson confirmed in a statement to TechCrunch. Spokesperson Elizabeth Fraser also said the agency acted quickly: “We remediated the misconfiguration on the day we were alerted to it.”
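The flaw described above is an authorization failure: every user was authenticated, but the record lookup never asked whether the requester owned the record it returned. The following is an added illustration, not HSE or Salesforce code and not from Costello’s post; the record store, user ids and access-log lines are constructed for the example. It shows the unscoped lookup beside an owner-scoped one that fails closed, and a scan over access-log lines of the kind that would let an operator confirm (as the HSE said its logs did) whether any user read a record they did not own.

```python
"""Broken object-level authorization, hardened form, and a log check.

All identifiers, records and log lines here are constructed for the
example and do not come from the HSE portal or from Salesforce.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VaccineRecord:
    record_id: str
    owner_id: str          # portal user the record belongs to
    full_name: str
    doses: Tuple[str, ...]  # administration dates


# Constructed sample data standing in for portal records.
RECORDS: Dict[str, VaccineRecord] = {
    "rec-1001": VaccineRecord("rec-1001", "user-a", "Alice Example",
                              ("2021-03-01", "2021-04-12")),
    "rec-1002": VaccineRecord("rec-1002", "user-b", "Bob Example",
                              ("2021-05-20",)),
}


class Forbidden(Exception):
    """Raised when a requester may not see the record they asked for."""


def get_record_unscoped(record_id: str) -> VaccineRecord:
    """Vulnerable pattern: login is checked elsewhere, but the lookup itself
    never compares the caller to the record owner, so any authenticated
    user can read any record whose id they supply."""
    return RECORDS[record_id]


def get_record_scoped(requester_id: str, record_id: str) -> VaccineRecord:
    """Hardened pattern: ownership is part of the lookup, and a mismatch
    fails closed with the same error as a missing record so the response
    does not even confirm that the record exists."""
    rec: Optional[VaccineRecord] = RECORDS.get(record_id)
    if rec is None or rec.owner_id != requester_id:
        raise Forbidden("no such record for this user")
    return rec


def can_read(requester_id: str, record_id: str) -> bool:
    """True if the scoped lookup lets requester_id see record_id."""
    try:
        get_record_scoped(requester_id, record_id)
        return True
    except Forbidden:
        return False


# Constructed access-log lines: timestamp, acting user, action, record id.
ACCESS_LOG = """\
2021-12-01T10:00:00Z user-a READ rec-1001
2021-12-01T10:00:05Z user-b READ rec-1002
2021-12-01T10:01:00Z user-b READ rec-1001
"""


def cross_user_reads(log_text: str,
                     records: Dict[str, VaccineRecord] = RECORDS
                     ) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, user, record_id, owner_id) for every READ where
    the acting user is not the record owner. An empty result is the
    evidence an operator needs before saying no one else viewed the data."""
    findings = []
    for line in log_text.splitlines():
        ts, user, action, record_id = line.split()
        if action != "READ":
            continue
        rec = records.get(record_id)
        if rec is not None and rec.owner_id != user:
            findings.append((ts, user, record_id, rec.owner_id))
    return findings


if __name__ == "__main__":
    # user-b reads Alice's record through the unscoped lookup...
    print("unscoped:", get_record_unscoped("rec-1001").full_name)
    # ...but not through the scoped one.
    print("scoped allowed for user-b:", can_read("user-b", "rec-1001"))
    for finding in cross_user_reads(ACCESS_LOG):
        print("cross-user read:", finding)
```

The scoped lookup deliberately returns the same error for "not found" and "not yours"; distinguishing the two would let a caller enumerate which record ids exist. The log scan is the detection counterpart: it needs the acting user and the record owner on each line, which is why access logs that record only the record id are not enough to make the claim the HSE made.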

While the HSE acknowledged the data exposed by Costello was “insufficient to identify any person without additional data fields being exposed,” the health agency determined that in these specific circumstances “a Personal Data Breach report to the Data Protection Commission was not required” based on its assessment of the incident under Ireland’s data protection laws. Ireland adheres to the strict data protection and privacy requirements of the European Union’s General Data Protection Regulation (GDPR).

Costello’s decision to ultimately go public with details of the vulnerability this week comes over two years after he initially reported it privately to the HSE through its vulnerability disclosure program in late 2021. His blog post outlines a lengthy, winding timeline of attempted coordination between Costello and various government agencies and cybersecurity bodies over responsibility for properly disclosing the issue.

Despite Costello’s persistent efforts to work through approved disclosure channels, the Irish government ultimately declined to publicly acknowledge the vulnerability or share details about it, essentially treating it as if it never existed. This lack of action spurred the security researcher to proceed with independent disclosure to shed light on the incident and prevent potential reoccurrences elsewhere.

Organizations are not legally obligated under GDPR to disclose vulnerabilities that did not provably result in a confirmed data breach or successful theft of personal data by malicious actors. However, many cybersecurity professionals argue there is value in transparent sharing of vulnerability details, as this knowledge can help other organizations improve their security postures and prevent similar incidents from occurring again.

This multi-year saga with the HSE COVID vaccination portal vulnerability, while now resolved, underscores the risks and potential consequences of security lapses in critical systems that handle highly sensitive personal data, especially in sectors like healthcare. It also highlights the vital role that ethical hackers and security researchers play in responsibly discovering and disclosing vulnerabilities through proper channels before they can be criminally exploited.

The incident calls attention to the need for robust cybersecurity practices, sufficient privacy safeguards, and clear vulnerability disclosure policies to protect confidential citizen data within government technology systems. Furthermore, it exemplifies the importance of transparency and constructive coordination between security researchers and public/private organizations in preventing and mitigating issues that could compromise public trust.

As cybersecurity threats continue to evolve, this HSE case study demonstrates that proactive measures anchored in industry best practices, ongoing security validation, and open collaboration with the ethical hacking community should be top priorities for entities entrusted with managing private data, particularly those operating critical infrastructure and public services.

By admin
