In December 2021 [1] [3] [6] [8], a misconfiguration in the HSE COVID Vaccination Portal [1] [3], developed with Salesforce Health Cloud and operated by Ireland’s Health Service Executive (HSE), led to a security breach discovered by researcher Aaron Costello.
Description
This misconfiguration allowed registered users excessive permissions [4], resulting in the exposure of sensitive Personal Identifiable Information (PII) and Protected Health Information (PHI) of over a million Irish citizens [2], as well as internal HSE documents [1] [3]. The bug enabled unauthorized access to names, immunization status [7], vaccine type [7], appointment details [3], and other confidential data. Promptly remediated in January 2022 after being reported by Costello, the flaw in the Salesforce health cloud-based portal showed no evidence of further unauthorized access. The misconfiguration [1] [2] [3] [4] [5] [6] [7] [8], attributed to time pressure during the vaccination program [3], granted users more permissions than necessary to access sensitive information. Recommendations for preventing similar incidents include implementing the principle of least privilege [3], regular permission model reviews [1] [3], data classifications [1] [3], monitoring logs for data exfiltration attempts [1] [3], and auditing the platform’s configuration [1] [3]. This incident occurred shortly after a major ransomware attack on the HSE [4], highlighting ongoing cybersecurity challenges faced by the organization [4]. Salesforce has since implemented changes to enhance security [6], such as a health scanner to identify vulnerabilities and improved logging for user activity analysis. However, there remains a knowledge gap in the industry regarding SaaS platform security and the responsibility for securing them [6].
Conclusion
The misconfiguration in the HSE COVID Vaccination Portal had significant impacts [3], exposing sensitive data and highlighting cybersecurity challenges. Mitigations such as implementing least privilege and regular reviews can help prevent similar incidents in the future. The incident underscores the importance of robust security measures in SaaS platforms and the need for ongoing vigilance in protecting sensitive information.
References
[1] https://ciso2ciso.com/hse-misconfiguration-exposed-over-a-million-irish-citizens-vaccine-status-source-www-infosecurity-magazine-com/
[2] http://buaq.net/go-228202.html
[3] https://www.infosecurity-magazine.com/news/hse-exposed-irish-vaccine-status/
[4] https://www.itpro.com/security/how-a-user-access-bug-in-irelands-vaccination-website-exposed-more-than-a-million-records
[5] https://bnnbreaking.com/tech/irish-covid-19-vaccination-portal-leak-exposed-million-records-security-flaw-fixed-after-two-years
[6] https://www.darkreading.com/cyberattacks-data-breaches/nhs-breach-hse-bug-expose-healthcare-data-british-isles
[7] https://theliberal.ie/hse-misconfigured-the-database-containing-vaccine-information/
[8] https://techcrunch.com/2024/03/13/security-flaw-irish-government-hse-covid-19/
