Northern Ireland’s Department of Health (DoH) has halted for a short period its COVID-19 vaccine certification online service following a data exposure incident.
Some of the users of the COVIDCert NI service were already presented with data of other users, under some situations, mentioned by the department. According to the researcher of the experts, neither the web service nor the mobile application feature is accessible at the time of writing.
COVIDCert Vaccine Check Service Interruption after Data Leak
This week, Northern Ireland’s Department of Health (DoH) has temporarily stopped its COVIDCert online vaccination certification service after a data incident.
The government body says that a limited number of users were probably revealed to information of other users, causing them to temporarily interrupt the service. COVIDCert permits complete vaccinated individuals based in Northern Ireland to generate a digital certificate confirming their COVID-19 vaccination status.
This is a separate system from NHS COVID Pass used in England & Wales, and the same “vaccine passport” style services utilized by Public Health Scotland. The Northern Ireland service is available via the covidcertni.nidirect.gov.uk website or mobile applications for Android and iOS users.
As tested by the COVIDCert website and the endpoints of the mobile application are not working at the moment:
“Our services are temporarily suspended right now. We are working to restore all the services as soon as possible. Please go through the back soon,” one of the error messages provided by the service. Whereas, the “resources…..removed” message is being displayed to users of the mobile application who try to log in.
Data Incident Reported to ICO, not all Parties Affected
NI Department of Health promptly reported the issues to UK’s Information Commissioner’s Office (ICO) after becoming aware of it. “The Department of Health takes the privacy of citizen’s information very seriously and contact has been made with the Information Commissioner’s Office (ICO) as the part of due alertness in protecting citizen’s data.”
“Urgent action has also been taken to temporarily remove a part of the service that handles identity,” the Department revealed in a notice published yesterday. Below are the lists of parties not harmed by the incident:
- Applicants (currently up to and including 31/07) who already have their certificate will not be impacted by this – their apps or paper copies are still operational.
- Applicants (to 31/07) who have lodged an application using the online portal for a downloadable PDF who have not yet received it will not be impacted by this – their PDF will be delivered.
- Applicants (to 31/07) who have lodged an application using the COVIDCert NI app for an electronic certificate who have not yet received it will not be impacted by this – they will be sent a PDF as an interim step.
Moreover, the Department states certain individuals who have already filed an application for a digital certificate or are still pending identity check will not be harmed.
They can constant use the services normally once operations are restored:
- Applicants to 31/07 who have implanted an application for an electronic certificate who get a PDF copy instead will be able to log in and download an electronic version after the issue is resolved.
- Applicants who are recently undergoing identity validation in the NIDirect workflow can continue. Once successfully validate they will need to pause while we resolve the above-mentioned concern.
- Some of our users may find that they cannot log in through their NIDirect account, as they have been locked due to some technical issue.
This data incident, although seemingly minor, arrives at a time when there’s much analysis and worry concerning COVID-19 vaccine passports among some members of the public. In recent times, threats actors are continuing to have an eye and have successfully targeted sensitive healthcare systems with enormous ransom demands, as prior reported by our experts. Northern Irish DoH is working on fixing the concern and an update is expected to follow soon.