[BreachExchange] Leak in Dutch coronavirus testing company allowed people to create fake coronavirus certificates

[Sophia Kingsbury]

https://www.brusselstimes.com/news/belgium-all-news/178099/leak-in-dutch-coronavirus-testing-company-allowed-people-to-create-fake-coronavirus-certificates/

A major leak at a Dutch test company, which also has locations in Belgium,
made it possible for anyone to get into the system to create fake negative
test certificates in the CoronaCheck app.

The leak at the company, Testcoronanu, resulted in the private data of more
than 60,000 people who had undergone a coronavirus test at one of the test
centres being leaked, according to an RTL Nieuws investigation.

“In Belgium, the company is not in the circuit of reimbursed tests. So
there are no free tests being undergone there, for example, before going on
a trip, meaning the impact, if any, will be very limited,” Liesbeth Van
Houdt, spokesperson for Karine Moykens, chair of the Interfederal Committee
on Testing and Tracing, told De Standaard.

She added that, up until now, there have been no reports of data leaks or
privacy breaches concerning Belgian citizens.

Testcoronanu has ten locations in the Netherlands and three in Belgium and
is affiliated with the initiative Testenvoorjereis.nl, through which the
Dutch government offers free testing to people who are getting tested
before travelling, which means it is also subsidised with taxpayers’ money.

The coronavirus database became available to the public, allowing people to
add their own negative test simply by entering two lines of coding with
information including a name and a date of birth in their browser to
automatically receive a valid negative CoronaCheck certificate without
having been tested, or to change positive test results to negative.

The testing company was later closed down by the Ministry of Public Health,
Welfare and Sport (VWS), meaning that no more tests or admission tickets
could be issued.

The company since put up a notice on its website stating: “Due to
unforeseen circumstances, all our venues will, unfortunately, be closed on
Sunday 18 July 2021,” however, on Monday, it was also not possible to make
a new booking.

It added that it requests all customers who have booked through
www.testenvoorjereis.nl to cancel their booking and make a new booking with
another test provider.

False coronavirus certificates are a direct danger to public health, as a
recent incident in the Netherlands during which hundreds of people got
infected with coronavirus in a nightclub showed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210719/ce93e77f/attachment.html>