COVID-19 test lab accused of exposing 1.3 million patient records to open internet

January 24, 2024 at 02:32AM

A password-less database with 1.3 million Dutch COVID-19 testing records was exposed online, including personal data like names, birth dates, and passport numbers. The database belonged to CoronaLab, a recommended commercial COVID-19 test provider in the Netherlands. Despite attempts to notify them, no response was received, and it took three weeks to secure the database. The duration and impact remain unclear.

A password-less database containing approximately 1.3 million sets of Dutch COVID-19 testing records appears to have been left exposed to the open internet. The database belonged to CoronaLab, a commercial COVID-19 test provider in the Netherlands. The exposed information included a significant amount of personally identifiable information such as patient names, dates of birth, passport numbers, and email addresses.

Jeremiah Fowler discovered the leaky database, which remained open for nearly three weeks before being secured from public access. Despite his repeated attempts to reach out to CoronaLab and its parent company, Microbe & Lab, no response was received.

The lack of response from the organizations involved and the unavailability of the CoronaLab website raise concerns about the extent of the database exposure and whether affected individuals have been informed. Additionally, there is uncertainty about whether European data protection authorities, particularly the Dutch Data Protection Authority, have been notified as required by the EU General Data Protection Regulation.

It is imperative to determine the responsible party and take appropriate action to address this serious data breach, including notifying affected individuals and relevant authorities in accordance with GDPR requirements. The unresponsiveness of CoronaLab and Microbe & Lab is troubling, and efforts should be made to obtain more information and hold them accountable for this incident.
