Unsecured database with medical records found, a flawed vaccination confirmation app and more.
Welcome to Cyber Security Today. It’s Friday, October 29th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
More clumsiness to report on: An unsecured database with medical records of thousands of Americans has been found, while a flawed COVID-19 vaccination app has been discovered.
The 68GB database that didn’t have password protection was found sitting open on the internet by researchers for the news site Website Planet. It belongs to an American medical data processing company. Some of the data was encrypted, like patient ID numbers, but the database included physicians’ notes about patients. After being notified, the company secured the database.
Meanwhile, another bug has been found in a COVID-19 vaccination confirmation app. This time it was an app called Docket, approved by the states of New Jersey and Utah. The news site TechCrunch discovered the flaw. Briefly, it allowed anyone’s QR code to be accessed. The QR code holds a digital copy of a person’s proof of vaccination, including their name and date of birth. The code is only supposed to be accessible on the smartphone the app is on, which is checked using the numeric user ID. The flaw was that anyone could change the user ID number, so any QR code could be accessed. It’s not known if a hacker figured this out and has a lot of stolen personal information. It’s also not known how this flaw was missed by developers.
Making employees work from home because of the pandemic has accelerated the trend of remote working. It’s also accelerated cyber risks. A report released this week by HP Wolf Security found that since working more from home, employees have been ignoring their corporate IT departments. They are buying, installing, and using IT equipment unsanctioned – without considering security. They are also clicking on potentially harmful links without reporting it to IT. For example, 30 per cent of people surveyed in six countries said they have been clicking more on malicious links since working from home. Thirty-five per cent of Canadians admitted making this mistake. The report says organizations have to embrace a new way of managing security to enable employees to work both at home and in the office.
Sometimes a bit of international pressure works on big tech companies. That’s one of the possible lessons from combining the weight of privacy commissioners from six jurisdictions including Canada and the United Kingdom. They recently asked five of the biggest video teleconferencing providers – including Microsoft, Google, Cisco Systems and Zoom – to explain their privacy and data protection policies for the video calls people and companies make over their systems. To their credit, those four providers replied. In a letter this week the privacy commissioners said they appreciated the open dialogue with the companies. Now, maybe these providers are enlightened. But the privacy commissioners said they learned that by working together they can be effective. The commissioners will likely work collaboratively again.
There’s a link here to what the privacy commissioners learned.
Finally, later today the Week in Review edition of this podcast will be out. A guest commentator and I will talk about the Nobelium supply chain attack, growing hiring in cybersecurity jobs and more.
Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.