The state of Indiana is sending data breach notices to 750,000 residents who participated in the state’s official COVID-19 contact tracing system, informing them that some of their personal data may have been improperly accessed. An Indiana Department of Health representative said the department learned of the incident on July 2, 2021, but believes the risk is low because the entity that gained unauthorized access was a cybersecurity firm.
The information that was available on the accessed systems includes the following:
Social Security numbers and medical information or histories cannot have been compromised, as these aren’t stored in the COVID-19 contact tracing platform even if users provided them during registration. Anyone who is confirmed to have been affected by this incident will receive a personal notification containing instructions on how to enroll in a cost-free credit monitoring service through Experian.
The weird part of the story is that the cybersecurity company accused of accessing the data without authorization is UpGuard, which responded to the news by expressing surprise at how the state of Indiana has chosen to present the situation. According to UpGuard, the organization responsible for protecting the citizen data failed to secure its internet-facing database, so the blunder was the state’s. UpGuard states that it reported the finding to Indiana’s officials to help them secure the database against genuinely malicious access.
Moreover, UpGuard explains that it has wiped the copies it kept for security and reference and has signed a certificate of destruction. In any case, it was not planning to release that data to any other entity. The company finds the state’s stance weird and unfair towards its responsible disclosure, since it presents UpGuard as an infiltrator of public networks when in reality Indiana’s IT team left the database unprotected and publicly accessible.