AbleToTrain by Willing & Able

Data leaked from the Brazilian Ministry of Health

The personal information of over 243 million Brazilians has been exposed for more than six months as a result of improperly coded accreditation data included in the source code of the Brazilian Ministry of Health’s website. The leak exposed the medical records of both living and deceased Brazilians to the possibility of unauthorized access. The event, the second reported by the Brazilian newspaper Estado, is one of several splinters that have recently damaged South America’s largest health-care system.

Personal data from everyone registered with the Sistema Nacional de Sade (SUS), Brazil’s national health system, could have been read for more than six months. The leak exposed the names, addresses, phone numbers, and medical information of Brazilians participating in the government-funded health-care system.

32 million medical records in Brazil

Given that the country’s population was 211 million in 2019, about 32 million medical records belonged to deceased Brazilians.

The Base64 encoding was used to encrypt database connection data, which was easily deciphered. Using the F12 keyboard shortcut or the “Examine Source Code” option in the browser menu, anyone may view the website’s source code and database credentials.

Last month, Estado reported another data hack, revealing over 16 million medical records of Brazilian patients with COVID-19. The infraction happened after an employee uploaded to GitHub a spreadsheet including usernames, passwords, and E-SUS-VE system access credentials.

High-profile individuals affected by the data leak included Brazilian President Jair Bolsonaro and his family, state governors, and seven cabinet members diagnosed with COVID-19. The disclosure exposed the medical histories of both mildly unwell patients and those who needed hospitalization.

Another data leak from the “e-SUS-Notifica” system exposed the database credentials via the source code. Brazilians can use the web portal to register for and receive government COVID-19 alerts.

Open Knowledge Brazilia (OKBR)

The NGO Open Knowledge Brazil uncovered the data leak in June (OKBR). The system was designed by the technology firm Zello, the official MBA Mobi, and earned more than $8.5 million from the Brazilian Ministry of Health in 2017. Exposing medical records exposes millions of people to cybercrime.

Medical records are valuable on the black market because they contain a lot of personal information. Because medical records are so sensitive, cybercriminals may use them to blackmail patients and healthcare practitioners.

Brazilian population at risk

Millions of Brazilians are also at risk of financial fraud, identity theft, and embezzlement as a result of the medical records on display. Potential attackers could utilize personal information to construct bogus profiles and perpetrate multiple crimes. Worse, most hospitalized patients may be unaware of the data leak or may be unable to prevent fraudulent activity. Recent data leaks have occurred at a time when Brazil’s economy is suffering and the country’s COVID-19 causes the second highest number of deaths in the world.

Given the expected pattern of data leaks in Brazilian health systems, the affected systems appear to have been designed by a single developer with limited knowledge of cyber security. Furthermore, any inexperienced software developer is aware that the website code can be inspected by the browser and that Base64 encryption does not conceal attacker data.

Future solutions

According to Ilia Kolochenko, founder and CEO of web security firm ImmuniWeb, such easy-to-avoid data leaks are caused by the practice of hiring cheap system developers.

“While many firms tend to outsource software development to the cheapest providers, achieving sufficient code quality and security is ultimately a challenge,” adds Kolochenko. “Cybercriminals are well aware of these incredible prospects and easily reap the benefits.”

“The ensuing attacks are difficult, if not impossible, to detect in a timely manner,” he continued. He recommends firms to engage in ongoing cybersecurity developer training, to constantly watch the Internet for source code, and to remember that “when an external software development company promises too good a price to be true-it definitely is.”

Jumio’s CEO, Robert Prigge, advises businesses to examine third-party vendors to avoid similar security breaches. Because the exposure was caused by a third-party developer, says Prigge, “it is critical that government organizations and enterprises properly vet their selected partners, particularly those who manage consumer data.”