Among the seemingly endless ripple effects of the COVID-19 pandemic are additional opportunities for data breaches. As the world looks for ways to make proof of vaccination and COVID testing quickly and seamlessly available, an influx of health information and identification comes with it. Two recent data breaches in particular highlight the need for solid cybersecurity, particularly when it comes to personal health information.
The breach of Portpass
Portpass is an app that introduces itself as a "user-friendly way for adding, managing and presenting your negative COVID-19 test results and/or proof of vaccination status when required at certain entry points for work, travel, dining and events," according to its website. Essentially, it's a way to prove your vaccination status in a verified way without needing to carry your vaccine card everywhere. It's considered a valuable tool in this changing world.
However, a recent data breach exposed the personal information of thousands of its users. At the time the breach was identified, the app had more than 650,000 users.
In September, after the breach was discovered, the Canada-based app was temporarily taken offline in order to stop the collection of information and to get a handle on the situation. However, at the end of October it was discovered that the breach had continued following the relaunch of the app, which included updates. User data from the app was not secure and was available to anyone who knew where to find it, according to DataBreach.net. This unsecured data affects more than 17,000 people and includes "email addresses, names, blood types, phone numbers and birthdays," along with images of some licenses and passports.
It's worth noting that, unlike in many data breaches, this information was not encrypted and was available in plain text.
The breach of Paris hospitals
It was announced in September by the French Ministry of Health that more than 1.4 million people who had taken COVID tests in Paris hospitals during the summer of 2020 had information stolen. Included in the breach were the "identities, Social Security numbers and contact details of people tested as well as the identities and contact details of health professionals who dealt with them, along with the test results," according to Security Week.
Apparently, the breach was first noticed because a patient was trying to retrieve their results online and found that they were able to access other patients' data through WordPress. The article states that no other health information was stolen.
A general uptick
These are just two of the data breaches that have occurred throughout the world recently. An article on GovTech.com discusses how COVID-19 has led to a major uptick in cybersecurity attacks and the exposure of personal health information due to increased telework opportunities (and in turn, mistakes), more phishing links with viruses and more information being available online. Companies of all sizes throughout the world were left scrambling to pick up the pieces and come up with new plans to keep business flowing during the pandemic, and it's thought that hackers saw that as an opportunity. With the focus shifting to "survival mode" in many cases, blind spots were left open.
Cybercriminals have taken advantage of people's distractions and emotions during these uncertain and unprecedented times, using phishing emails linked to COVID-19 to play to the heightened emotional landscape. They're also no strangers to the fact that many people who haven't been properly trained to work from home are now doing exactly that, while connected to their employers' servers.
And in some scenarios, even the announcements of the breaches were overshadowed by the coronavirus news sweeping the world. This was evident in a few cases in particular, one of them involving Princess Cruises. The cruise company announced a data breach which exposed the personal information (including names, addresses, Social Security numbers, and IDs) of employees and guests, following the announcement that COVID-19 outbreaks took place on two of their ships. Whether this announcement was structured this way to overshadow the data breach is unknown. The same goes for a breach announced in 2020 by Samsung, which said only that "small numbers" of its users were affected, per the GovTech article.
Already, the number of data breaches in 2021 has exceeded the 2020 total in the United States. And while those are tangible numbers we can assess, the fact is that it may take some time to see exactly how much of an impact the COVID-19 pandemic has had on cybersecurity, hacking opportunities, and the world's personal data.
With everything happening in the world, a new look at cybersecurity and online protection is not only important, but necessary for the wellbeing and security of people around the globe.