County covid vax data breached

[BoylermanCT]

CT decided the best way to keep the COVID registry safe was to give schools access to it. Simply make it public and no one will try and steal it!

 

[Midniteoyl]

I have found documents online at the County Courthouse with my SS number in them. People that want to search can find about anything they want.

The best protection I found was the ability to receive text messages for any charge over $20 on my accounts. I guess I could have set the limit for any amount. If they compromise my money they won't get far or with very much.

Agreed. All of mine are set to $1 where I can, and I usually get the text chime before I am done at the register.

 

[Midniteoyl]

Hopefully this thread doesn't go off the rails, but I'm not holding out hope. BTW, I've been vaxxed.

However, I just got a letter in the mail from the County Commissioners Court that their database was breached and names, DOB, phone number, Covid 19 vax data and email addresses may have been accessible to anonymous users. I don't know why this one seems to chap my butt so much, maybe I'm just getting more cantankerous as I age, but this is the type of thing that has all of us losing confidence with our public and government entities. With the uphill battle to encourage people to get vaccinated, surely this doesn't help. I'm not sure there's a better example of shooting yourself in the foot.

On a bigger note, this again brings up the issue of personal data security and liability for those that collect and store our personal data, in many cases, without you knowing or approving of it. I guess we live in an age where you have to assume nothing is private anymore.

Why a registry in the first place?

 

[Diggin It]

But this county health department hack was most likely a local individual.

"In the notification, the county said it was not aware of any instances that the information was “misused,” but it advised anyone whose information was affected to be vigilant against fraudulent activity.

“There is no indication that this vulnerability was exploited, nor is there evidence that any data has been misused,” a county spokeswoman said.


The malfunction in the app, which was operated by Microsoft, was responsible for revealing 38 million records from 47 entities that use the software, UpGuard Research said.


Governmental agencies in Indiana, Maryland and New York and private businesses including Ford, American Airlines and J.B. Hunt were also affected. The unsecured data from companies included employee contact information, drug testing information and Social Security numbers.

Denton County said it never collected Social Security or driver’s license numbers or financial account information.


UpGuard Research said in a written statement that it notified Denton County officials of the breach July 7 and that the data was secured the same day.


Microsoft said in a written statement that it takes “security and privacy seriously” and encouraged its users to “use best practices” for internet privacy."

MSN

"Several city governments also had data leaks, most notably the New York City Municipal Transportation Authority and the NYC Department of Education. Each of these exposed personal contact information stored for various purposes, including 291,955 records that may have contained the personal information and home addresses of minors. Denton County, TX also saw a data leak from its vaccination tracking system.

It is not clear if any of this data was exposed to threat actors. However, it is hard to tell given that poorly configured records could be easily located and accessed via a simple Google search. The breach window is also unclear. Microsoft Power Apps has been available to the general public since late 2016. Microsoft’s position is that this is not actually a “data leak” but a case of end users not using the product in the way it was intended."

"“This touches on a couple of historically interesting facts. One, a lot of Microsoft products in the past have started off giving wide access to data and resources by default. It was left up to users and administrators to take action and lock things down. "

Microsoft Power Apps Data Leak Fallout: 38 Million Records Exposed, State and City Governments Among Those Breached - CPO Magazine

Microsoft Power Apps appears to list all data types as public unless the default settings are changed. The data leak exposed several coronavirus tracing and vaccination portals, as well as at least one job applicant database that contained social security numbers.

www.cpomagazine.com

This doesn't appear to have been a 'hack' in any form by any actors, foreign or domestic, but rather a simple misunderstanding of how to properly secure records.


Jumping to conclusions isn't such a great exercise.

 

[MossRoad]

Why a registry in the first place?

So people don't get 4,5,6 shots.

 

[MoKelly]

So people don't get 4,5,6 shots.

I’m about to get #3 in less than 8 months.

MoKelly

 

[cjoffutt]

Why a registry in the first place?

So they know who to round up later??? Why does the gov't have a registry for anything....

 

[Tinhack]

So people don't get 4,5,6 shots.

From what I heard, you may need to. It seems the vaccines may only be good for six months or less. I also heard this could go on for 2-3 more years, perhaps more with the variants. I'm ready for number 3 because I don't want to die a torturous death.

And the masks are only good for keeping you from inhaling virus covered sputum. They don't stop the virus in free air. The virus is small and passes through the masks.

 

[cqaigy2]

It happens all the time, and far more to corporations on a daily basis. Most government agencies, particularly at the county levels, rarely protect their network systems and their database is usually available wide open to be copied. They simply lack funding and sufficient experience to protect their networks.

Very lucky your county health department did not take your SSN down for your vaccine record. That would have made the database theft more significant.

That's part of collecting only the data required for the job(jab) at hand, so to speak. When involved in development of systems like this, you'll see all kinds of data being requested for these projects and when you press them on what it will be use for, you usually find out it's not needed. So for instance, if you want to keep track of how many of what jabs a person gets, what do you need? Some sort of identifier, what was used, when jabbed? How important is it if you get a unique identifier for each person. So if you decide you really need unique, then first name, middle name and last name isn't enough.......

 

[ericm979]

Having a unique ID for people is a hard problem. There are duplicate SSNs for example.

Most of the data hacks these days are from criminal or state sponsored groups. Sometimes its a mix. A number of criminal gangs operate in Russia with the tacit approval of the government, as long as they don't attack targets in Russia. The days of 400lb guys in their moms' basement hacking for lulz is long gone.