Data protection lessons to be learned following COVID-19 app data breach
As scientists and technologists around the world race to find solutions to the coronavirus crisis, apps are being developed quickly, and data protection is being compromised in the process. Caution should be taken over how personal information such as gender, age, medical information and location will be stored, processed and shared. At a time of crisis, new tech will be introduced quickly and will likely be adopted rapidly. But it is possible that many of the standard security checks won't be as stringent as usual.
Highlighting this issue, a Covid-19 Alert app, developed in the Netherlands, suffered a data breach last week [1] when its source code was published online for the purpose of government shortlisting. The rushed action resulted in around 200 names, email addresses and hashed user passwords from another project being exposed.
Data protection should remain front of mind
Commenting on this breach and its impact on data protection, Kingsley Hayes, our managing director of data breach and cybercrime, said:
"The current pandemic has made a significant impact on businesses and people, placing unprecedented pressure for a solution and an end to the challenging circumstances we all find ourselves in.
"The race to develop and launch apps to track the spread of Covid-19 has started but the fundamental issue of data privacy is being lost. The data breach suffered in the Netherlands was a result of human error and time pressure exposing the details of nearly 200 individuals in the process.
"The breach occurred in the early stages so while the damage was relatively limited, it's a sobering thought that the country's population of in excess of 17 million people could have been using the app with poor security systems and processes in place.
"Reporters at the Guardian were able to access confidential documents relating to the NHSX Covid-19 tracking app being developed in the UK via an unrestricted portal earlier this month [2]. The memo stated that MPs could be given the right to identify individuals via their smartphones - an alarming fact that has been denied by NHSX.
"There is no doubt that a timely solution to the crisis is urgently required; however, data protection must not be a secondary thought. The violation of confidential medical data in these circumstances can have far-reaching future consequences for individuals, including potentially restricting freedom of movement and impacting employment.
"Researchers in Boston have proposed solutions utilising anonymised ID numbers for users which would serve to both help track and control the virus, while simultaneously preserving individuals' rights to privacy.
"We find ourselves in incredibly challenging times but while an imminent end to the crisis is sought, data protection, and the damaging effects of data breaches, should remain front of mind."