Personal information of more than 243 million Brazilians was exposed for more than six months because database credentials, obfuscated only with Base64, were embedded in the publicly served source code of the Brazilian Ministry of Health's website. The leak left the medical records of both living and deceased Brazilians open to unauthorized access. It is the second such incident reported by the Brazilian newspaper Estadão and one of several that have recently hit the healthcare system of South America's largest nation.
Sistema Único de Saúde data leak exposed patients’ medical records
For more than six months, personal data belonging to anyone registered with Sistema Único de Saúde (SUS), Brazil's national health system, could have been viewed by anyone who looked.
The leak exposed the full names, addresses, phone numbers, and complete medical records of Brazilians who signed up for the government's publicly funded healthcare system.
Since Brazil's population was about 211 million in 2019, roughly 32 million of the 243 million records must have belonged to deceased people.
The database login credentials were stored in the site's client-side source, obfuscated only with Base64 encoding, which anyone can reverse in seconds. Anybody could have displayed the page source, and the credentials inside it, with the F12 developer tools shortcut or the "View Page Source" option in the browser's menu.
Anyone who decoded those credentials could then have used them to log in to the database and reach Brazilians' medical records.
Just last month, Estadão reported another data leak exposing the medical records of more than 16 million Brazilian COVID-19 patients. That breach occurred after an employee uploaded to GitHub a spreadsheet containing usernames, passwords, and access keys for the E-SUS-VE system.
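Both exposures described above, a Base64-obfuscated database login sitting in source code that the browser delivers to every visitor, and a spreadsheet of usernames, passwords and access keys pushed to a public repository, are the kind of thing a simple secret scan catches before publication. The scanner below is an added example written for this article; it is not code from the ministry's systems, from Estadão, or from any of the vendors named. The sample page source and the sample CSV are constructed, and the keyword list and regular expressions are heuristics chosen for the example (Portuguese "senha" and "chave" are included because the systems involved are Brazilian).

```python
"""Scan text (page HTML/JS, a committed file, a spreadsheet export) for
credentials, including ones "hidden" with Base64.  Added example; not code
from the Ministry of Health site.  All inputs below are constructed."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Words that commonly label a secret or an account.  Heuristic list (assumption).
CRED_WORDS = (r"pass(?:word|wd)?|senha|secret|token|api[_-]?key|access[_-]?key|chave"
              r"|user(?:name)?|usu[aá]rio|login")

# key/value pairs as found in JS objects, JSON, .env and config files:
#   dbPass: "x"   senha=x   "API_KEY": "x"
KEYED_RE = re.compile(
    r'([A-Za-z_]*(?:' + CRED_WORDS + r')[A-Za-z_]*)["\']?\s*[:=]\s*["\']?([^\s"\',;]+)',
    re.IGNORECASE)
# Bare runs that look like Base64: groups of four, optional "=" padding, >= 8 chars.
B64_RE = re.compile(
    r'(?<![A-Za-z0-9+/=])(?:[A-Za-z0-9+/]{4}){2,}'
    r'(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?(?![A-Za-z0-9+/=])')
CRED_COL_RE = re.compile(r"(?:" + CRED_WORDS + r")", re.IGNORECASE)

# Constructed sample of a page that ships its database login to the browser.
PAGE_SOURCE = """<script>
  var cfg = {
    dbHost: "db.intra.example",
    dbUser: "c3VzX2FwcA==",
    dbPass: "UGFzc3cwcmQhMjAyMA=="
  };
  var logo = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB"; // image data, not a secret
</script>"""

# Constructed sample of a spreadsheet export with a credential per row.
PLANILHA_CSV = """usuario,senha,chave_acesso
maria.teste,Senha@123,7f3a9c1e2b
"""


@dataclass
class Finding:
    source: str             # which input the hit came from
    key: str                # config key or CSV column; "" for a bare Base64 run
    value: str              # the value exactly as it appears in the text
    decoded: Optional[str]  # decoded text when the value is Base64 of printable text


def try_b64(token: str) -> Optional[str]:
    """Decode token if it is valid Base64 of printable UTF-8 text, else None."""
    if len(token) < 8 or len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() and text.strip() else None


def scan_text(source: str, text: str) -> List[Finding]:
    """Report labelled credentials, then any other Base64 run that decodes to text."""
    findings: List[Finding] = []
    seen = set()
    for m in KEYED_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        findings.append(Finding(source, key, value, try_b64(value)))
        seen.add(value)
    for m in B64_RE.finditer(text):
        token = m.group(0)
        if token in seen:
            continue
        decoded = try_b64(token)
        if decoded is not None:          # binary blobs (images etc.) are dropped here
            findings.append(Finding(source, "", token, decoded))
    return findings


def scan_csv(source: str, text: str) -> List[Finding]:
    """Flag every cell under a column whose header names an account or secret."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = [h.strip() for h in lines[0].split(",")]
    cred_cols = [i for i, h in enumerate(header) if CRED_COL_RE.search(h)]
    findings: List[Finding] = []
    for row in lines[1:]:
        cells = [c.strip() for c in row.split(",")]
        for i in cred_cols:
            if i < len(cells) and cells[i]:
                findings.append(Finding(source, header[i], cells[i], try_b64(cells[i])))
    return findings


def report(findings: List[Finding]) -> None:
    for f in findings:
        shown = f"{f.value} -> {f.decoded!r}" if f.decoded else f.value
        print(f"[{f.source}] {f.key or '(bare base64)'}: {shown}")


if __name__ == "__main__":
    report(scan_text("page.html", PAGE_SOURCE) + scan_csv("planilha.csv", PLANILHA_CSV))
```

Run as a pre-commit hook or over a crawl of your own public pages, the same two functions cover both incidents: `scan_text` turns `dbPass: "UGFzc3cwcmQhMjAyMA=="` straight back into the plaintext password, which is all an attacker with View Source had to do, and `scan_csv` flags every row of a credentials spreadsheet before it reaches a public repository. The regexes are deliberately loose; a real deployment would add an allow-list for known false positives and entropy scoring for unlabelled tokens.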
The data leak affected high-profile individuals, including Brazilian President Jair Bolsonaro and his family, state governors, and seven cabinet members diagnosed with COVID-19. Both mildly sick patients and those requiring hospitalization had their medical histories exposed in the data leak.
Another data leak, in the e-SUS-Notifica system, also exposed database login credentials through the source code. That online system lets Brazilians register for and receive the government's official COVID-19 notifications. The leak was discovered in June by the NGO Open Knowledge Brasil (OKBR). Technology firm Zello, formerly MBA Mobi, developed the system and has earned more than $8.5 million from Brazil's health ministry since 2017.
Exposing medical records puts millions at risk of cybercrime
Health records fetch a high price on criminal markets because they contain so much personal information. Given how sensitive they are, cybercriminals could also use stolen medical records to blackmail patients and healthcare providers.
The exposed medical records also put millions of Brazilians at risk of financial fraud, identity theft, and account takeovers. Threat actors could use personal details to create fake profiles for committing more crimes.
Worse, hospitalized patients may be unaware of the leak or in no position to stop fraud committed in their name.
The recent leaks come at a time when Brazil's economy is ailing and the country's COVID-19 death toll is the second-highest in the world.
The recurring pattern in Brazilian health systems' data leaks suggests that the affected systems were built by the same developer, with little cybersecurity knowledge. Even a beginner developer knows that a website's client-side code can be read from the browser and that Base64 encoding does not hide data from attackers.
Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, notes that such easily-preventable data leaks originate from the practice of hiring cheap system developers.
“While many organizations tend to outsource software development to the cheapest providers, eventually getting the corresponding quality and security of the code,” Kolochenko says. “Cybercriminals are perfectly aware of these amazing opportunities and effortlessly harvest the low-hanging fruits.”
He adds that the “consequential attacks are hard, if not impossible, to detect in a timely manner.” He advises organizations to invest in continuous cybersecurity training for developers, to monitor the internet consistently for leaked source code, and to remember that “when [an] external software development company provides a price that is too good to be true – it’s likely so.”
Robert Prigge, Jumio’s CEO, recommends that organizations vet third parties to avoid similar security lapses.
“As the exposure was caused by a third-party developer, it is critical [that] government agencies and enterprises thoroughly vet their selected partners, especially those that handle and manage consumer data,” Prigge notes. “Even if enterprises have battened down the hatches on their own security, their efforts become meaningless if they do not ensure their vendors have done the same.”