It feels like years ago: aggressive Covid variants circulated in the country, thousands had to go to hospital, some died. Since a “shutdown” was no longer politically acceptable, the compromise was reached: only those who have contributed to collective health are allowed to go to the restaurant or nightclub – and who have also had themselves tested for Covid. This rule not only entailed the obligation to obtain a certificate in Switzerland, but also good sales figures for many test centres.
During this time, the so-called “Corona Test Center” also attracted attention: the company had a clever name. Those who searched for “Corona Test Center” on the internet often ended up with this provider. The locations in Zurich, Liechtenstein and Austria, for example, were visited accordingly. Between December 2020 and November 2022, the test centers were visited by 133,065 Swiss, 19,274 by Liechtensteiners and 873,803 by Austrians.
Such figures usually do not find their way to the public. That this is still the case is due to a serious security flaw: the database of the Covid tests performed was as secure as if you stuck the apartment key on the front door.
This was noticed by a young computer scientist from Switzerland. At the end of October 2022, he read the article “If you take it easy and the web server unintentionally reveals too much” from the journalistic blog “Dnip” (short for: The Internet is political), which discussed a similar vulnerability. He recalls: “I was surprised that about 1,300 Swiss websites were affected because the vulnerability was so trivial. So I wondered if there were any websites on the internet with even more idiotic security loopholes.”
The computer scientist chose a very simple approach: he downloaded the list of all .ch web addresses and automatically checked how many configuration files he could find. “I played around a bit. No special programming skills were required – I just looked at each web address to see if an .env file existed.” To his surprise, there were a few hundred hits.
He was particularly struck by the one at the address “testcenter-corona.ch”: it contained the full credentials for the database that stored 1,035,050 Covid test data. “After the hit, I alerted the appropriate authorities of the federal government. The leak was closed the same day,” he says.
It all happened on November 9, 2022. Not only the Federal Offices of Health and Information Technology and Telecommunications were notified (because it was initially feared misuse of Covid test certificates), but also the National Center for Cyber Security. The following day, the federal government’s data protection officer arrived and received the sensitive dataset more than two weeks later.
The computer scientist recalls: “I didn’t want the data: it contained email addresses, cell phone numbers, Covid test results and corona virus load values. These are sensitive data that should not fall into the wrong hands. I have the evidence retention data downloaded and wanted to see how serious the problem was. And it was very serious because of the sensitive data.”
In other words, without this confirmation, he would not have known that this was a massive data protection incident of international scope.
However, unlike in the EU, Swiss data protection law does not require potential victims of data breaches to be actively informed. The test center could have closed the leak and kept the outage to itself. The computer scientist says: “I handed over all files to the Swiss data protection officer, destroyed all traces on my computer and hoped lessons could be learned from this incident.”
The spokeswoman for the federal data protection officer confirms that the computer scientist has contacted him and that a procedure has been initiated after prior clarification. He continues that “necessary immediate measures have been taken to protect those affected so that there is no immediate danger” and that further investigations “are now well advanced”. There are no more concrete statements because the process is still ongoing.
The data protection authority in Liechtenstein confirms that it has been informed of the ongoing procedure. It also says: “As the controller and processor are not located in Liechtenstein and there are currently no complaints pending with the Liechtenstein DPA, the Liechtenstein DPA currently has a passive role.”
The Austrian data protection authority is silent on the incident. She left a request from Watson unanswered. However, on the Swiss and Liechtenstein side, it is said that the colleagues in Vienna were also involved. “The Austrian data protection authority has received all information from Bern that allows an investigation into the data processing (order processing) in Austria,” says the Liechtenstein authority.
The responsible doctor behind the “Corona Test Center” – an Austrian general practitioner with a practice in St. Gallen – says to Watson. He describes the presentation that data was freely accessible as a “false claim” – he does not prove it.
“According to my information, a hacker has illegally accessed the database. There was arguably only this one entry. The database was immediately taken offline, so no further access was possible,” he wrote in his reply. In it, he also notes: “I note that the data is backed up by an external IT company. The incidents are then also outside my sphere of influence. I am a doctor and not an IT service provider.”
Contrary to the available facts, he continues: “The data was not sufficiently secured. On the contrary, they have been illegally hacked.” He also states that he is clarifying whether the “hacker” has behaved criminally.
More important clarifications are likely to be when and if data subjects will be informed. The general practitioner is located in St. Gallen. However, during the investigation, the authorities in Vienna and Vaduz will have to verify whether the data breach “is likely to pose a high risk to the personal rights and freedoms of natural persons”. In this case, the persons concerned should have been informed “immediately”.
Which had not yet happened on December 21, more than six weeks after the vulnerability was discovered.
source: watson
I’m Maxine Reitz, a journalist and news writer at 24 Instant News. I specialize in health-related topics and have written hundreds of articles on the subject. My work has been featured in leading publications such as The New York Times, The Guardian, and Healthline. As an experienced professional in the industry, I have consistently demonstrated an ability to develop compelling stories that engage readers.
