A major data breach at Testcoronanu, a coronavirus testing company, made it possible to get fake travel certificates and admission tickets in the CoronaCheck app — without even taking a test.
But by adding just two lines of code in their web browsers, people could fill in their details, enter what kind of test they wanted, when they took it, and what the result was, reports RTL Nieuws. It was also possible to manipulate the test results or testing dates of others — for example, by marking a negative test as positive.
Experts say these kind of fake test results are not only a danger to public health — but can also have a detrimental impact on the public’s confidence in the CoronaCheck app.
Data of 60,000 people leaked
As if that wasn’t enough, the leak gave access to the private data of over 60,000 individuals. This included not only names and email addresses but also phone numbers, residential addresses, BSNs, passport numbers, and medical information, such as whether an individual has tested positive in the past.
“Testcoronanu.nl manages your personal data with the greatest care,” reads the company website, a laughable message in the wake of the scandal.
“This data breach is very shocking,” tells Frederik Zuiderveen Borgesius, professor of ICT & Law at Radboud University, tells RTL Nieuws.
“It doesn’t get much more sensitive than this. This is exactly what medical privacy is for: that people dare to get tested because they trust that their data is safe,” he adds.
Official testing partner
Testcoronanu was not only recommended by the government as one of the affiliated travel test providers, but also received subsidies to operate.
The company has 10 testing locations in the Netherlands and three in Belgium, all of which have been closed since Sunday.
The Ministry of Health, Welfare and Sport is now investigating how the company was accepted as an official testing partner.
Very serious breach
The Dutch Data Protection Authority classifies this breach as very serious. Testcoronanu may only start testing and processing data again if “security and reliability are guaranteed.”
The Ministry of Health, Welfare and Sport says that there are no indications that anyone else except the RTL Nieuws journalists had access to the database.
How do you feel about this data breach? Tell us in the comments below!
Feature Image: Gaudilab/Depositphotos