Where does the flaw come from?
Francetest told AFP on Wednesday that it had “requested the assistance of cybersecurity experts” after the disclosure of a security flaw that exposed hundreds of thousands of results of Covid tests carried out in pharmacies, and into which the Cnil has launched an investigation.
The company, which specializes in transferring data from Covid tests carried out in pharmacies to the government platform SI-DEP, says that it will work with these experts to run tests assessing the security of its servers.
What information has been leaked?
The flaw was revealed on Tuesday by Mediapart. According to the news site, the names, first names, dates of birth, addresses, phone numbers, Social Security numbers and e-mail addresses, as well as the test results, of 700,000 people were available until Friday thanks to “a password that can be found, in clear, in a file accessible to all” on the Francetest site.
The site, built on WordPress, the popular website and blogging tool, lacked some very basic protections for denying access to the site's file tree, a relatively trivial oversight. It thus allowed the curious, with no need for hacking techniques, to find personal data that was not intended for them.
The company said on Wednesday that it had informed the Cnil, the French personal data watchdog, which had told AFP the day before that it had launched investigations after an “anonymous report”. “To date, there is no evidence that suggests that personal information from patients or pharmacists has actually leaked,” continues Francetest.
For now, the flaw has indeed been reported by one person, but further investigation is needed to find out if others may have viewed or extracted patients’ personal information.
Francetest says it has taken security measures
In its statement sent to AFP, Francetest states that it “immediately took the necessary technical measures” to correct the flaw, as well as other general basic security measures, such as changing passwords and updating firewalls. “To date and at this time, Francetest has every reason to consider that this incident is technically closed”, continues the company, which says that the notification of pharmacists and patients affected by the flaw is “in progress”.
The Directorate General of Health (DGS) also sent an email to pharmacists on Sunday to remind them which software is approved and compatible with SI-DEP, a list that does not include Francetest.