Zerforschung: Another data leak from Corona rapid tests

The Corona pandemic is not only characterized by dire images of overburdened hospitals and much human suffering. Data protection has also played a major role since the beginning of the worldwide respiratory disease. It is not only apps such as the Corona-Warn-App or Luca-App that are being targeted by data protection advocates. In some cases, data from the so-called “citizen tests” could also be accessed on the web without any problems. Now a new vulnerability has become known that could have given cybercriminals access to sensitive data.

Berlin rapid test provider targeted

Once again, it was the experts at Zerforschung who tracked down the data leak. A Berlin-based provider of Corona rapid tests is said to have been affected. According to the IT experts from Zerforschung, there were serious security vulnerabilities at “Schnelltest Berlin”. The provider’s API functions could be called without any authorization checks. All that was needed to access personal customer data was a simple user account. Anyone who created such an account could easily have downloaded not only test results, but also highly personal data of other users. And “Schnelltest Berlin” holds a lot of this data.

The amount of accessible data is really frightening. Zerforschung speaks of a total of around 400,000 different customers, for whom not only the test results could be retrieved. Data such as addresses, birthdays, e-mail addresses and telephone numbers were also accessible. In addition to the possibility of stealing sensitive user data, the experts at Zerforschung made another alarming discovery. Users who created their own profile were able to issue themselves a Corona test. The experts took this to the extreme by having a negative test result issued. Ironically, they chose the user name “Robert Koch”.
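The two flaws described above (any logged-in user could read other customers' records, and users could issue results to themselves) both come down to treating "logged in" as "allowed". As an added illustration, not code from Zerforschung or the provider, this Python sketch puts an unchecked handler next to handlers that enforce ownership and role; the roles, record layout and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str  # hypothetical roles: "customer" or "staff"

@dataclass
class ResultRecord:
    id: int
    owner_id: int
    result: str

class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""

# Constructed sample data, not real records.
RECORDS = {
    1: ResultRecord(1, owner_id=101, result="negative"),
    2: ResultRecord(2, owner_id=102, result="positive"),
}

def get_result_unchecked(user: User, record_id: int) -> ResultRecord:
    # Flaw class from the article: the caller is authenticated,
    # but nothing ties the requested record to that caller.
    return RECORDS[record_id]

def get_result(user: User, record_id: int) -> ResultRecord:
    rec = RECORDS.get(record_id)
    # Object-level check: only the owner (or staff) may read a record.
    # Missing and foreign records give the same error, so the response
    # does not reveal which record ids exist.
    if rec is None or (rec.owner_id != user.id and user.role != "staff"):
        raise Forbidden("record not available")
    return rec

def issue_result(user: User, owner_id: int, result: str) -> ResultRecord:
    # Function-level check: customers can never create a result,
    # not even one addressed to themselves.
    if user.role != "staff":
        raise Forbidden("only staff may issue results")
    new_id = max(RECORDS) + 1
    RECORDS[new_id] = ResultRecord(new_id, owner_id, result)
    return RECORDS[new_id]
```

The checks run on the server for every request and use the identity from the session, never an id supplied by the client.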

IT experts are frustrated

This is not the first report of a Corona-era data breach, and the members of Zerforschung are correspondingly annoyed. After all, they have already pointed out data protection shortcomings to other providers of rapid tests in the past. Those appeals do not really seem to be having any effect. The IT experts make the following comments in a blog post:

“Whoever offers such software must ensure that it runs without losing data – this is also an important part of data protection.”

The lax handling of extremely sensitive personal user data in particular angers Zerforschung. Above all, the behavior of the data protection authorities would have to change. Apparently, only the threat of severe penalties, and their enforcement, can finally lead to more care being taken with personal data. Accordingly, Zerforschung went on to say:

“We are aware that the data protection authorities of the countries are completely overloaded and are happy if the company they are investigating still exists at the end of the investigation. However, they are also our last hope: please finally impose penalties for grossly negligent data leaks – especially in the healthcare sector.”

Simon Lüthje

I am co-founder of this blog and am very interested in everything that has to do with technology, but I also like to play games. I was born in Hamburg, but now I live in Bad Segeberg.
