Covid-19 test results viewable without authentication
A Covid-19 test center was fined after sending unencrypted emails containing URLs to affected individuals. The URLs gave access to test results with no further authentication required. In some cases, the URLs were structured so that PDF files were downloaded whose file names contained the last name of the tested person. If the directory path was also known, third parties could view the test results as well.
Type of violation:
inadequate data protection
Were sensitive data affected?:
GDPR Article violated:
32. Security of processing