Northern Ireland suspends vaccine passport system after data leak
Northern Ireland’s Department of Health (DoH) has temporarily halted its COVID-19 vaccine certification online service following a data exposure incident.
Some users of the COVIDCert NI service were presented with data of other users, under certain circumstances, says the Department.
As seen by BleepingComputer, neither the web service nor the mobile app functionality is accessible at the time of writing.
COVIDCert vaccine check service halted after data leak
This week, Northern Ireland’s Department of Health (DoH) has temporarily suspended their COVIDCert online vaccination certification service after a data incident.
The government body says that a limited number of users were potentially exposed to data of other users, causing them to temporarily halt the service.
COVIDCert enables fully vaccinated individuals based in Northern Ireland to obtain a digital certificate confirming their COVID-19 vaccination status.
This is a separate system from NHS COVID Pass used in England & Wales, and a similar “vaccine passport” style service used by Public Health Scotland.
The Northern Ireland service is available via the covidcertni.nidirect.gov.uk website or mobile app for Android and iOS users.
As tested by BleepingComputer, both the COVIDCert website and the mobile app endpoints are down at the moment:
“Our services aren’t available right now. We’re working to restore all services as soon as possible. Please check back soon,” reads one of the error messages thrown by the service.
Whereas, the “resource…removed” message is being shown to users of the mobile app who attempt to log in.
Data incident reported to ICO, not all parties impacted
NI Department of Health promptly reported the issue to UK’s Information Commissioner’s Office (ICO) after becoming aware of it.
“The Department of Health takes the privacy of citizen’s data very seriously and contact has been made with the Information Commissioner’s Office (ICO) as part of due diligence in protecting citizen’s data.”
“Immediate action has also been taken to temporarily remove a part of the service that manages identity,” the Department announced in a notice published yesterday.
Also published is a list of parties not impacted by this incident:
Additionally, the Department states certain individuals who have already filed an application for a digital certificate or are pending identity checks will not be impacted.
They can continue to avail the services normally once operations are restored:
- Applicants (to 31/07) who have lodged an application for an electronic certificate who receive a PDF copy instead will be able to log-in and download an electronic version after the issue is fixed.
- Applicants who are currently undergoing identity validation in the NIDirect workflow can continue. Once successfully validated they will need to pause while we fix the above issue.
- Some users may find they cannot login through their NIDirect account, as they have been locked due to the technical issue.
This data incident, although seemingly minor, comes at a time when there’s much scrutiny and worry concerning COVID-19 vaccine passports among some members of the public.
In recent times, threat actors are constantly eying and have successfully targeted critical healthcare systems with exorbitant ransom demands, as previously reported by BleepingComputer.
Northern Irish DoH is working on resolving the issue and an update is expected to follow soon.
BleepingComputer has reached out to the department with specific questions, including how many users were impacted, and what caused the incident. We are awaiting their response.