How a user access bug in Ireland’s vaccination website exposed more than a million records

Irish Prime Minister Micheal Martin (L) bumps elbows with Brenda Dillon, assistant director of nursing at the Irish Health Service Executive (HSE) after receiving his first dose of the AstraZeneca/Oxford vaccine against the coronavirus covid-19, at the vaccination centre at City Hall in Cork on May 9, 2021
(Image credit: Getty Images)

A security researcher has revealed details of a massive data leak that left the vaccination records of a million people in Ireland exposed.

Aaron Costello, principal security engineer at AppOmni, discovered the vulnerability in the Covid-19 vaccination portal run by the Irish Health Service Executive (HSE) back in December 2021.

In the months since the discovery he has been unable to agree a disclosure process, but he has now decided to publish.

The data exposed by the vulnerability included vaccine recipients' full names, their vaccination status, the type of vaccine they received, and more. The leak also exposed HSE documents describing internal IT issues and processes, along with documents belonging to staff members.

The vulnerability stemmed from how the vaccination portal, which the HSE built on Salesforce Health Cloud, handled its users: anyone could sign up through a self-registration form, and every registered user was then granted excessive permissions.

All registered users were assigned the same Salesforce profile, which let them carry out actions through the portal's user interface, such as registering for a vaccination or viewing their own appointment details.

All of this information was stored in Salesforce objects (the platform's equivalent of database tables) within the Health Cloud application.

"Unfortunately, the individuals who had configured the profile’s permissions had accidentally granted the profile an unprecedented level of access to the Health Cloud object that is responsible for storing information specifically about vaccination administration," Costello said.

"Furthermore, the same profile had accidentally been granted read access to a folder containing internal HSE documents. Because of that, sensitive information could have been downloaded and distributed by anyone who had registered to the portal."
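The misconfiguration Costello describes is visible in the profile's own metadata: in the Metadata API's `.profile` XML, each `objectPermissions` block carries `allowRead` and, more dangerously, `viewAllRecords`, which bypasses record-level sharing so a user sees every row rather than only their own. The following is an added example, not code from the article, AppOmni or the HSE; it audits a constructed profile (the object names `Appointment_Request__c`, `Vaccine_Administration__c` and the allowlist are hypothetical, not the real Health Cloud objects) and flags permissions a self-registration profile should never hold.

```python
# Added example: audit a Salesforce Profile (Metadata API XML) for object
# permissions that a self-registration (portal/community) profile should not
# have. The profile and object names below are constructed for illustration.
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Appointment_Request__c</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Vaccine_Administration__c</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Document</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
</Profile>
"""

# Hypothetical allowlist: the only objects a self-registered user needs.
ALLOWED_OBJECTS = {"Appointment_Request__c"}

CRUD_FLAGS = ("allowRead", "allowEdit", "allowCreate", "allowDelete")


def _flag(el, tag):
    """True if the child element <tag> exists and reads 'true'."""
    node = el.find(f"m:{tag}", NS)
    return node is not None and (node.text or "").strip().lower() == "true"


def audit_profile(profile_xml, allowed=ALLOWED_OBJECTS):
    """Return a list of (object, reason) findings for object permissions
    that exceed what a self-registration profile should have."""
    root = ET.fromstring(profile_xml)
    findings = []
    for perm in root.findall("m:objectPermissions", NS):
        obj = perm.find("m:object", NS).text.strip()
        if _flag(perm, "viewAllRecords") or _flag(perm, "modifyAllRecords"):
            # View All / Modify All ignore sharing rules: every record of the
            # object becomes visible, not just the rows the user owns.
            findings.append((obj, "view/modify all records bypasses sharing"))
        if obj not in allowed and any(_flag(perm, t) for t in CRUD_FLAGS):
            findings.append((obj, "object not in self-registration allowlist"))
    api_enabled = any(
        p.find("m:name", NS).text == "ApiEnabled" and _flag(p, "enabled")
        for p in root.findall("m:userPermissions", NS)
    )
    if api_enabled and findings:
        # With API access the findings above are reachable by script, not
        # only through whatever the portal UI happens to expose.
        findings.append(("*", "ApiEnabled: findings are reachable via the API"))
    return findings


if __name__ == "__main__":
    for obj, reason in audit_profile(SAMPLE_PROFILE):
        print(f"{obj}: {reason}")
```

Two caveats for anyone running this against a real org: permission sets and permission set groups add to whatever the profile grants, so they need the same check, and folder sharing for documents and reports (the second problem in the quote above) lives outside the profile file and has to be reviewed separately.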

A malicious user, Costello revealed, would have been able to reach the data simply by registering with the vaccination portal, which automatically assigned them the over-privileged Salesforce profile.

Through the Salesforce API they could then list every object in the platform, including those belonging to the Health Cloud application, iterate over that list and attempt to read the records in each, pulling thousands of rows at a time.
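The enumeration described above is mechanical: one call lists the objects the session can describe, then each object gets a minimal SOQL query, and any object that answers with records rather than an error is readable, with the result cursor followed page by page. The block below is an added example, not code from the article, AppOmni or the HSE, written as the check you would run against your own org with a throwaway self-registered user. The HTTP layer is injected so it runs offline against a constructed fake of the Salesforce REST API (the API version path, the object names and the row counts are all assumptions); to run it for real, pass a function that performs an authenticated GET with the portal user's session token and returns the status code and parsed JSON.

```python
# Added example: enumerate every object a session can read through the
# Salesforce REST API and count the rows returned, following query cursors.
# The org, object names and row counts below are constructed for illustration.
from urllib.parse import quote

API = "/services/data/v58.0"  # assumed API version path
BATCH = 2000                  # records per query result page in the fake org


def enumerate_readable_objects(get, max_rows_per_object=5000):
    """get(path) -> (status_code, parsed_json). Returns {object: row_count}
    for every queryable object the session can actually read."""
    status, body = get(f"{API}/sobjects/")
    if status != 200:
        raise RuntimeError(f"describe call failed: {body}")
    readable = {}
    for sobj in body["sobjects"]:
        if not sobj.get("queryable"):
            continue
        name = sobj["name"]
        soql = f"SELECT Id FROM {name}"
        status, page = get(f"{API}/query/?q={quote(soql)}")
        if status != 200:
            # No read permission on the object: the API answers with an
            # error list instead of a result set, so skip it.
            continue
        count = len(page["records"])
        # Results arrive in batches; 'nextRecordsUrl' is followed until
        # 'done' is true or we have seen enough rows to prove the exposure.
        while not page.get("done", True) and count < max_rows_per_object:
            status, page = get(page["nextRecordsUrl"])
            if status != 200:
                break
            count += len(page["records"])
        readable[name] = count
    return readable


# --- constructed fake of the REST API, standing in for a real org ----------
FAKE_ORG = {
    "Appointment_Request__c": 1,       # the user's own record: expected
    "Vaccine_Administration__c": 4500, # every vaccination record: the bug
    "Internal_Note__c": None,          # None = no read permission
}


def _page(name, offset):
    total = FAKE_ORG[name]
    n = min(BATCH, total - offset)
    page = {
        "totalSize": total,
        "done": offset + n >= total,
        "records": [{"Id": f"{name}-{i}"} for i in range(offset, offset + n)],
    }
    if not page["done"]:
        page["nextRecordsUrl"] = f"{API}/query/01gFAKE-{name}-{offset + n}"
    return 200, page


def fake_get(path):
    """Constructed stand-in for an authenticated GET against the org."""
    if path == f"{API}/sobjects/":
        return 200, {"sobjects": [{"name": n, "queryable": True} for n in FAKE_ORG]}
    if path.startswith(f"{API}/query/?q="):
        name = path.split("FROM%20", 1)[1]  # 'SELECT Id FROM X', URL-encoded
        if FAKE_ORG.get(name) is None:
            return 400, [{"errorCode": "INVALID_TYPE",
                          "message": f"sObject type '{name}' is not supported."}]
        return _page(name, 0)
    if path.startswith(f"{API}/query/01gFAKE-"):
        name, offset = path.rsplit("-", 2)[1:]
        return _page(name, int(offset))
    return 404, [{"errorCode": "NOT_FOUND", "message": path}]


if __name__ == "__main__":
    for obj, rows in enumerate_readable_objects(fake_get).items():
        print(f"{obj}: {rows} row(s) readable")
```

Run with a genuinely self-registered account, not an admin, because the point is to see what the over-privileged profile actually grants; a healthy portal profile should report only the user's own handful of rows, and any object returning thousands of rows to such a user is the condition the article describes.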

The HSE moved quickly to investigate, and the data doesn't appear to have been accessed.

"We can recognize that this vaccination portal was deployed during a particularly chaotic period in which many governments across the world were scrambling to provide a single streamlined vaccination management solution for its citizens,” Costello said.

The vulnerability was discovered just months after a major ransomware attack on the HSE. The personal data of more than 100,000 patients was compromised in what minister of state for public procurement and eGovernment Ossian Smyth described as "possibly the most significant cyber attack on the Irish State".

All HSE IT systems nationwide were shut down, and months of disruption followed, with the incident estimated to have cost more than €100 million.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.