The Indiana Department of Health revealed this week that due to a cloud misconfiguration, its contact-tracing system inadvertently exposed the email, phone numbers, and other personal details of about 750,000 people.
The incident, which involved the COVID-19 data, has raised concerns about the security of the information collected through similar systems around the world.
Exploitation and abuse of COVID-19 vaccines are on the rise, as the new incident shows. The question is: Is this data sufficiently protected against threats?
Commenting on the contact-tracing incident, State Health Commissioner Kris Box, M.D., said in a statement, “We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social-Security information as a part of our contact tracing program, and no medical information was obtained. We will provide appropriate protections for anyone impacted.”
Although the Indiana data breach involved no medical information, nor the Social Security numbers of people, it showed there is some work to be done regarding the data security.
The Indiana Department of Health was not wrong about the scale of the threat posed by a misconfigured API. Because the third party that accessed the data was a cybersecurity company UpGuard. UpGuard consequently alerted Indiana officials about the cloud misconfiguration.
The Indiana Department of Health claimed that UpGuard gained unauthorized access to its database. The agency also accused that UpGuard “improperly accessed” the data, when UpGuard was trying to help them improve their cybersecurity.
“For one, our company did not `improperly access’ the data. The data was left publicly accessible on the internet,” UpGuard company spokesperson Kelly Rethmeyer said in response to allegations. “This is known as a data leak. It was not unauthorized because the data was configured to allow access to anonymous users and we accessed it as an anonymous user.”
The issue was fixed and the API was secured by the Indiana Office of Technology. But it shows that many local governments may not be fully aware of the various tools and techniques available to help them mitigate cyber threats. Authorities should work with the research community effectively and continuously monitor and mitigate reported vulnerabilities as soon as possible.