Due to a major leak at a company that takes corona tests, it was possible for anyone to get fake travel or admission tickets in the CoronaCheck app and to manipulate data. The company works for Testenvoorjereis.nl, which was created by the government.
After RTL Nieuws discovered the leak, the Ministry of Health, Welfare and Sport has stopped the connection to the company, so that it can no longer issue test certificates. The provider, Testcoronanu, has taken its website offline to close the leak.
Not only was it possible to create false evidence, but sensitive personal data of more than 60,000 people who had themselves tested at the provider have also been leaked.
QR code not in time for vacation
In a response, the ministry mainly regrets that people have been duped because they cannot request a QR code in the CoronaCheck app in time. Such a code is, for example, necessary to be able to go on holiday. The ministry is looking for a solution for these people.
Travelers who have an appointment with Testcoronanu can make a new appointment with another provider via testforjereis.nl.
Incidentally, there is no proof that anyone other than the RTL journalist has gained access to the system, VWS says.
Closed for the time being
The company has ten locations in the Netherlands and three in Belgium. Testing at the company is recommended by the government and subsidized with taxpayers’ money. On paper, the company met all requirements, but the vulnerability should have been demonstrated by a good ‘pen test’, in which ethical hackers test the security of a website, the ministry says. VWS is investigating how the leak could have arisen.
Testcoronanu says it regrets the occurrence of the data breach and that it has taken measures to limit the impact and repair the damage. Those involved will be informed about the leak.
The leak has been reported to the Dutch Data Protection Authority. All branches are closed for the time being. The company may not return to work until safety has been guaranteed.