No-one knows (yet) if failure has been ‘used’ by third parties
A failure in the DGS health authority’s SINAVE (epidemiological vigilance) platform allowed access to people’s complete names, their addresses, dates of birth and (NIF) tax numbers.
The news, broken by Público today, suggests it is still unclear whether the failure has been discovered by third parties.
SINAVE was created in 2014, and designed to ‘identify situations of risk, like transmissible diseases, which constitute a risk to public health’.
It is the platform where illnesses like tuberculosis and HIV/AIDS are registered. Since March 2020 it has been used for vigilance of Covid-19.
As Público explains, a programmer discovered the failure “quite by chance”. All that was needed was to “add a series of characters to the URL”, and ‘hey presto’, the private database of people’s personal details was suddenly no longer private.
Since being discovered, the failure has been corrected. But as the programmer who discovered it has stressed: “In the wrong hands the information obtained could be sold to cybercriminals, publicity companies and States”.
Today, DGS health director Graça Freitas has said she does not know exactly how many people “may have been affected” by this lapse. “Whatever the case (…) it is a concern, a security problem…” she admitted, stressing that it was fixed ‘rapidly’. This deflects from the bottom-line question: how long has this failure been in place? Since 2014? No-one seems prepared to say.