New Security Failure in Appointment for the Vaccine Exposes Data in Spain

Last week, the Community of Madrid exposed a multitude of personal data of millions of Madrilenians. By simply entering a DNI, it was possible to obtain information such as the telephone number, full name, and physical address. Now, a similar flaw has affected the Department of Health of the Generalitat de Catalunya.

The security breach exposed the name, ID number and all the information regarding the vaccine and the appointment of each citizen of Catalonia. The breach was closed this weekend, and in principle it did not compromise any clinical information, since only vaccination data is available there. The Generalitat also says it has no evidence that the data has been leaked or indexed by an attacker.

The bug was fixed this weekend

The group of ethical hackers that discovered this flaw is called "Team Rocket", and they reported it to the Generalitat and to other state cybersecurity organizations. The group ran a mass-request test to get the attention of the technical department, and it seems to have worked: they say the vaccine self-appointment website detected a "number of requests for information out of the ordinary."

Because of its sensitivity, this website is continuously monitored for this type of activity, and access requests outside the normal defined flow were quickly identified. The hackers have confirmed that it was they who carried out these tests, and for this reason the Generalitat also affirms that there has not been any improper mass access. However, the data was exposed, and the information of a specific person may have been accessed on some occasion.

Third data management failure in two months

This flaw is the third of its kind that we know of in recent weeks, after the two suffered by the Community of Madrid: one in the COVID certificate portal and one in the vaccine self-appointment system. In the latter, more data was exposed, since the telephone number and date of birth were included.

However, the most serious to date is the one suffered by the website for obtaining the COVID certificate, since, just by changing the DNI in the URL, it was possible to obtain personal data such as name, telephone number, address and date of birth, giving access, for example, to the data of people residing in the Community of Madrid such as King Felipe VI or President Pedro Sánchez.
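The pattern behind the Madrid certificate flaw and the Catalan appointment flaw is an insecure direct object reference: the DNI in the URL is treated as the authorization to read that citizen's record. The added example below (illustrative code, not the Generalitat's or Indra's software) shows that lookup beside a hardened version bound to the authenticated identity, plus a simple detector for the out-of-the-ordinary request volume the Catalan site reportedly monitors; all records, URLs and log lines are constructed placeholders.

```python
# Added illustration, not code from the affected portals. Records, the
# example.invalid URLs and the log lines are constructed placeholders.
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample records keyed by DNI (placeholder people).
RECORDS = {
    "12345678Z": {"name": "Persona Uno", "vaccine": "dose 1", "appointment": "2021-07-01"},
    "87654321X": {"name": "Persona Dos", "vaccine": "dose 2", "appointment": "2021-07-02"},
}

def dni_from_url(url: str) -> str:
    """Extract the ?dni= query parameter (empty string if absent)."""
    return parse_qs(urlparse(url).query).get("dni", [""])[0]

def lookup_vulnerable(url: str) -> Optional[dict]:
    """The flawed pattern: whatever DNI appears in the URL is served."""
    return RECORDS.get(dni_from_url(url))

def lookup_hardened(url: str, session_dni: str) -> Optional[dict]:
    """Hardened pattern: the URL parameter is never an authorization token.
    The identity established at login (session_dni) decides what may be
    returned; a mismatch is denied and should be logged for review."""
    dni = dni_from_url(url)
    if dni != session_dni:
        return None
    return RECORDS.get(dni)

# Constructed access log, format "<client_ip> <requested_url>".
SAMPLE_LOG = [
    "198.51.100.5 https://example.invalid/cita?dni=12345678Z",
    "198.51.100.5 https://example.invalid/cita?dni=12345678Z",
    "203.0.113.7 https://example.invalid/cita?dni=12345678Z",
    "203.0.113.7 https://example.invalid/cita?dni=87654321X",
    "203.0.113.7 https://example.invalid/cita?dni=11111111H",
]

def flag_enumeration(log_lines, threshold: int = 3) -> set:
    """Detection: a single citizen consults one DNI; a client touching many
    distinct DNIs is the 'out of the ordinary' volume worth alerting on."""
    distinct = defaultdict(set)
    for line in log_lines:
        ip, url = line.split(" ", 1)
        dni = dni_from_url(url)
        if dni:
            distinct[ip].add(dni)
    return {ip for ip, dnis in distinct.items() if len(dnis) >= threshold}
```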

The Spanish Data Protection Agency (AEPD) is currently investigating the data leaks, as well as whether it would be appropriate to impose fines for these security flaws. In the case of the COVID certificate website in Madrid, the Community paid 225,000 euros to Indra for its development.