What follows is a guest post by our technology correspondent. He’s pretty unimpressed by the NHS’s vaccine booking site, following news of various data breaches that have hit the headlines in the past 24 hours. Incidentally, he’s right about you being able to find out anyone’s vaccine status if you enter a few of their details on to the booking site. I was able to find out my sister’s status within two minutes.
The Guardian and Telegraph report that the NHS’s covid vaccine booking site has a “glitch” which reveals people’s vaccine status. That’s a big problem, as the Guardian points out, because it leaves all of us in the U.K. open to coercion, bullying and scams whether you have had the vaccine or not.
It is also not a “glitch” as the Telegraph describes it. The Guardian is closer with “seriously shocking failure”. To be clear, this is not an unintended bug introduced by a hapless programmer that occurs in obscure situations. It is a design flaw that shows the people responsible for your most private data do not understand the absolute basics of online privacy and security.
So, what is the problem? Essentially, if you know a little bit about a person: their name, date of birth and postcode, when if you enter that into the site it takes you to one of three different screens depending on whether you have had zero, one or two jabs. If you see a test centre finder, the person has had no jabs. If you see a request for a reference number, they have had one jab. If you see a screen saying you have had both of your appointments, then they have had two jabs. So, there you have it, the entire nation’s vaccine status available to anyone who cares to do a bit of online digging. I just tried it for some people I know, and I now know their vaccine status. There is no attempt to check that you are who you say you are. Not even the most basic authentication. It is a completely open database of the entire nation’s vaccine status. Even worse, it is still online now, more than 24 hours after the scandal broke in the press and the NHS being contacted by the regulator.
To recap, this is extremely private data, about every person in the UK, and it is openly available to everyone in the world. The site has not been taken down, even temporarily. It is equivalent to the Government providing a website that tells you if someone is overdrawn at their bank or not. But this is arguably more private than that data. This is why privacy is so important. This is why we should be so reluctant to give our data to people who cannot look after it, such as NHS Digital. The riposte of “if you haven’t done anything wrong then you have nothing to fear” doesn’t work. None of us have done anything wrong, but because NHS Digital has screwed up, we are all now vulnerable to scammers, fraudster and criminals, and there is nothing we can do about it.
The response from NHS Digital is as shocking as their ignorance of online security: “people should not be fraudulently using the service”. Is that a joke? Is that what passes for security, asking fraudsters not to access the site? The NDG – National Data Guardian for Health and Social Care – is not much better and apparently toothless: “The NDG has contacted the organisations which run the website to ensure that they are aware of the concerns that have been raised and will discuss with them the twin important aims of protecting confidentiality whilst maintaining easy access to vaccinations for the public.”
Ensure they are aware of concerns? They should be demanding that the site is immediately taken down and prosecuting NHS Digital management. This is a disgrace and a national embarrassment. Serious action needs to be taken immediately.
Profanity and abuse will be removed and may lead to a permanent ban.