Quote:This week, the Indiana Department of Health issued a notice that the state’s COVID-19 contact-tracing system had been exposed via a cloud misconfiguration, revealing names, emails, gender, ethnicity, race and dates of birth of more than 750,000 people.
 
The incident shows that COVID-19 data could be poised for abuse and misuse, according to experts, which is now being collected on millions of people across the globe. The question is whether it’s being adequately protected from threat actors. And it turns out, there might be some work to be done on the security front.
 
Meanwhile, COVID-19 vaccine fraud is also on the rise — demonstrating that the pandemic still offers a rich vein for cybercriminals of all stripes to mine.
 
When it comes to the contact-tracing incident, “We believe the risk to Hoosiers whose information was accessed is low,” State Health Commissioner Kris Box, M.D., said in a statement. “We do not collect Social-Security information as a part of our contact tracing program, and no medical information was obtained. We will provide appropriate protections for anyone impacted.”
 
Turns out the Indiana Department of Health was half correct; the threat was low. The company that accessed the information was a cybersecurity company named UpGuard, which found a misconfigured API sitting unsecured and visible to anyone on the internet. When UpGuard alerted Indiana officials, they didn’t seem to understand that UpGuard was trying to help, not abuse their data.