Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password protected database that contained nearly 1.3 million records, which included COVID-19 testing information and personally identifiable information such as the patient’s name, date of birth, and passport number.
Jeremiah Fowler writes:
The publicly exposed database contained an estimated 1.3 million records that included 118,441 certificates, 506,663 appointments, 660,173 testing samples, and a small number of internal application files. The exposed certificates and other documents were all marked with the name and logo of Coronalab.eu. Although the website appears to be offline, Coronalab is owned by Microbe & Lab, an ISO-certified laboratory based in Amsterdam, Netherlands. According to the NL Times, “CoronaLab is one of the two largest commercial test providers in the Netherlands”. I sent multiple responsible disclosure notices and did not receive any reply and several phone calls also yielded no results. The database remained open for nearly 3 weeks before I contacted the cloud hosting provider and it was finally secured from public access. In most cases the organization replies or closes public access immediately after receiving a responsible disclosure notice. Another research-based online publication, Cybernews, claimed to have found a similar leak around the same time of my discovery. I cannot confirm if it’s related or not.
The exposed COVID test records contained each patient’s name, nationality, passport number, and test results, as well as the price, location, and type of test conducted. The database also contained thousands of QR codes and hundreds of.csv files that showed appointment details and many patients’ email addresses.
Read more at vpnMentor.