Prevention guide for data leak was available one year before HSE vaccine portal compromised

James Cox

A guide to preventing the kind of misconfiguration behind the HSE data leak, which left the vaccination information of one million people exposed, was published one year before the incident, according to the security researcher who brought it to light.

A computer glitch meant the HSE’s Covid vaccination portal left the data of one million people vulnerable.


This included the full names, vaccination status and type of vaccination people received.

The issue was discovered in December 2021 by Aaron Costello, security researcher and principal software-as-a-service security engineer at cybersecurity company AppOmni.

Mr Costello disputes the HSE's claim that the data left open by the "misconfiguration" was only accessible to people with "deep technical expertise".

Mr Costello told BreakingNews.ie: "I would have wholeheartedly agreed with them, if it was not for the fact that the year before, October 2020, on my personal blog I published a step-by-step walkthrough methodology on how to perform these kinds of attacks... and how to protect from them. It was to educate people about these types of Salesforce attacks.


"That blog post went quite viral, anyone could have read my blog post, with the HSE site open in their browser, and followed it to extract the information.

"As a result of my research being public on how to perform these kinds of things, I wouldn't say it requires deep technical expertise at all.

"Since that research, there have been automated tools freely available online, so I could have downloaded it on my dad's computer and just followed it through the URL, so I wouldn't agree with that statement."

Mr Costello said he revealed the information to the public as it is something he feels the HSE should have done, along with disclosing it to the Data Protection Commission.


"You can only imagine there was a decision made that took into account the circumstances at the time, which was they wanted mass vaccination for the majority of the population, and this was just several months after the HSE cyberattack by Russian actors. As a result, it would potentially have deterred people from registering because they may not have felt their information was safe.

"I do think that this research being publicised now will definitely have an effect on the trust in the HSE."

He also pointed out that it is unclear where fault for the issue lies, as contractors worked on the vaccine portal.

"This week, I received a LinkedIn message from an individual at IBM who said they worked on the project. I was able to find on the IBM website that they had publicly announced they were working on the project. When you take that into account, what responsibility did the contractors have over this project? Were they responsible for administering this website and setting it up? In which case, whose fault it really is, is kind of a grey line."


He also said it is unfair to claim the HSE were not attempting to modernise their cybersecurity, as the Salesforce platform on which the website was based is a modern and up-to-date system.


"There has been a lot of speculation from people about how this happened, and a lot are saying 'oh this is typical HSE, using outdated software and outdated practices'.

"The unfortunate truth is Salesforce is used by the largest organisations in the world as a software, and it was a very modern way of deploying a vaccination portal. It was really their attempt to modernise the process, but unfortunately it didn't go as planned. I do hope it doesn't deter them from pursuing modern practices in the future.


"This issue would not have been immediately obvious to anyone just using the portal, making an appointment. In effect, what happened was, when a user registered, they were given permission on the site to create an appointment and read their appointment details, which is normal.

"However, when configuring the site, they had accidentally given too much read accessibility to everyone who registered. It's as simple as just selecting the wrong box really. Instead of saying 'registered user should be able to see their own information', and just their own, they accidentally configured it to say 'able to read all vaccination appointment information'.

"That's the crux of the issue, it's too many privileges given to registered users."
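As an added illustration (not from the article or from Mr Costello's blog), the following Python audit parses a Salesforce Profile metadata file and flags any object on which the profile grants "View All Records" or "Modify All Records", which is the over-broad read access described above when the profile is the one assigned to self-registered portal users; the profile contents and the object name are constructed for the example, and the real portal's configuration is not known.

```python
"""Flag Salesforce profiles that grant org-wide record access to portal users."""
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample: a profile for registered portal users that wrongly grants
# "View All" on the appointment object. Object name is made up for this example.
OVERPRIVILEGED_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Vaccination_Appointment__c</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
</Profile>
"""

# The same profile with the box unticked: Read remains, but only on records the
# user is otherwise shared (their own), not every record in the org.
LEAST_PRIVILEGE_PROFILE = OVERPRIVILEGED_PROFILE.replace(
    "<viewAllRecords>true</viewAllRecords>", "<viewAllRecords>false</viewAllRecords>"
)


def find_org_wide_read(profile_xml: str) -> list[str]:
    """Return objects on which this profile can read or modify *all* records.

    For a profile assigned to self-registered or guest users, any entry here
    means every registered user can read every record of that object.
    """
    root = ET.fromstring(profile_xml)
    flagged = []
    for perm in root.findall("sf:objectPermissions", NS):
        obj = perm.findtext("sf:object", default="", namespaces=NS)
        view_all = perm.findtext("sf:viewAllRecords", default="false", namespaces=NS) == "true"
        modify_all = perm.findtext("sf:modifyAllRecords", default="false", namespaces=NS) == "true"
        if view_all or modify_all:
            flagged.append(obj)
    return flagged


if __name__ == "__main__":
    print("over-privileged:", find_org_wide_read(OVERPRIVILEGED_PROFILE))
    print("corrected:", find_org_wide_read(LEAST_PRIVILEGE_PROFILE))
```

Run against the profiles retrieved for an external-facing site; an empty result means no object is exposed org-wide through the profile itself, though org-wide defaults and sharing rules still need a separate check.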

Mr Costello alerted the HSE to the problem in December 2021, and he said he was impressed with the response.

"I was pleased with how rapid the fix was. The HSE claimed it was the same day. I didn't confirm on that day, but I did get confirmation a week later that it was fixed, so I was pleased with how swiftly they remedied it and all credit to them for that."

However, he feels they "let people down by not being forthcoming about it", and that it was his responsibility to share the information with the public.

Aaron Costello, chief of Software-as-a-Service security research at AppOmni.

"It was only the later discussion about whose responsibility this is to bring it to the public eye and whether the data protection office should be informed. That was where they did let people down.

"I feel it was their responsibility to be more forthcoming about it.

"They said it was a glitch, and that's an outrageous term to use. They stated to me that they saw no malicious attempt to access the data. I had to take their word it was just me. It will be very difficult to get any evidence that it was sufficiently analysed, because these SaaS (software as a service) systems are not like typical websites. They would have had to analyse some very specific sources of log information in order to determine that no data was accessed. Whether they did so sufficiently, and properly, we'll never know.

"Someone called me a whistleblower, which I think is extreme. But as a citizen, I do feel that I have some responsibility for helping to keep public infrastructure safe from malicious actors. It's important to do our bit, especially with the knowledge we have."

While the HSE said no malicious actors accessed the information, Mr Costello said it could have easily happened.

Refusal reason

He also pointed out that vaccine status is considered sensitive information by many people, and that refusal reasons were also available in the leak.

"It is sensitive information. Something important that the HSE skipped over, when they said there would need to be more access for real sensitive data to be available. One of the things that was exposed was the refusal reason for those who did not get vaccinated. If someone suffers from a medical condition that stopped them getting vaccinated or whatever, that would have been available."

You can read Aaron Costello's full blog post here.
