2021-04-10, by Raffael Scherer

Because of a security gap, the personal data of thousands of visitors from nine corona test stations could be viewed by anyone for several hours.

Munich – Security experts from the IT collective “Zerforschung” have uncovered a huge data leak. As reporters from RBB, NDR and MDR reported, the personal data of several thousand people tested for the coronavirus were publicly available for several hours. Name, address, date of birth, telephone number and email address, and even the day on which the test was carried out and its result, were freely accessible to everyone.

Eventus Media International operates the registration website in Germany for nine test centers in Hamburg, Berlin, Dortmund, Leipzig and Schwerte. At testcenter-corona.de, anyone can register for a Covid-19 test and query the result. All citizens who registered for a test using this site between the end of March and the beginning of April could be affected by the data leak. The focus is on two centers in Leipzig.

Corona vulnerability: data from over 17,000 people tested can be viewed by everyone

When registering for a test for the coronavirus, every visitor received a code so that they could later see their result. However, the security experts found that over 17,000 of these codes were easily accessible to anyone on the website, and with them the data of those registered as well as over 7000 test results. It cannot yet be ruled out that more people were affected.

According to one of the “Zerforschung” experts, only basic knowledge of IT is required to view the data. That makes it a windfall for criminals who commit identity theft. The experts reported the problem to the Federal Office for Information Security (BSI) and to employees of NDR, RBB and MDR.

Corona test results and even registration data leaked

In a random sample, the reporters confirmed the vulnerability and stated that they could easily obtain the personal information of several people, including the test results where available. Some of the registrations were less than an hour old, others several weeks old. After the reporters asked the company about this, Eventus Media International closed the vulnerability last Tuesday.

A company spokesman apologized to those affected. The test centers had been “pulled up in a great hurry”, and the company had “worked with experienced IT specialists”. The website operator also announced: “We will not leave it at that, but will subject our systems to a comprehensive security check together with a specialist company so that something like this does not happen again.”

Website operator has now fixed security vulnerabilities

The company is still in the process of getting an overview of the exact amount of leaked data. The company spokesman said: “As far as we are currently aware, between 6000 and 7000 data records could have been compromised and accessed or downloaded without authorization as a result of this attack.” Eventus Media International is working on narrowing down the numbers and uncovering possible data misuse. The company would also like to inform all those affected.

Arne Schönbohm, President of the BSI, described the security gap as “serious”. According to him, the level of security precautions at the Sars-CoV-2 test centers has not yet been standardized, unlike the digital infrastructure of the health system, which has a very high level of security. The BSI founded a special department for all security issues relating to the coronavirus.

Not the first data leak from private coronavirus test providers

The Leipzig health department commissioned Eventus Media International for the coronavirus tests. However, this data leak is not an isolated incident. In March, “Zerforschung” found security gaps at another private provider of coronavirus tests in Berlin. There, the data of over 100,000 customers could be accessed online.