A critical flaw that had until now remained under the radar is at the origin of the leak of the covid test results of 1.4 million people in France. It was located in software used by the AP-HP.
The circumstances under which the medical data of 1.4 million French women and men tested for covid-19 came to be exposed to hackers are becoming clearer. A week after the events, new information confirms that the cause was not an error by the Assistance publique-Hôpitaux de Paris (AP-HP), but a flaw exploited for malicious purposes.
This breach was confirmed by the American company Hitachi Vantara, in a press release relayed by journalist Valéry Marchive on Twitter on September 22, 2021. Hitachi Vantara designs the HCP Anywhere software, which the AP-HP teams use to operate Dispose, an internal tool for depositing and exchanging files between members of the AP-HP.
A secret flaw in software used by the AP-HP
The breach in question was a 0-day (or zero-day) vulnerability. These flaws are the most feared in computer security, because they relate to weaknesses that have not yet been documented. In other words, they went under the radar, or, if they were identified, they were not made public for various reasons: they can be kept for later use, for example.
In its press release, Hitachi Vantara said it received a notification on September 13 from "one of its clients" about a potential concern with HCP Anywhere. An investigation by the company's engineering teams took place and, on September 16, it was then that the company identified "a set of complex and discrete events that could potentially lead to a vulnerability if exploited by a malicious attacker".
The next day, September 17, Hitachi Vantara was able to provide a first script to mitigate the effects of this vulnerability. Companies with a contract with the group received a message at that time notifying them of the availability of the patch. A day later, September 18, a full patch was developed, and the group's customers were notified of it from September 19, according to standard procedures.
It turns out, however, that the AP-HP had been aware for longer, reports Le Monde in a September 21 investigation. The National Information Systems Security Agency (Anssi), which acts as the state's cyber-bodyguard and, as such, is called upon to support hospitals, reported on September 9 the trafficking of this data on Mega, a web host located in New Zealand.
Negligence in the protection and management of data?
Beyond the role played by the 0-day flaw in this data leak, and the delay of a few days between the alert given to the AP-HP and the report made to Hitachi Vantara, the level of protection around Dispose raises questions, because of the sensitive nature and the extent of the data at stake. It includes personal information, but also medical information, on 1.4 million patients.
In particular, the French daily points to negligence in the way this data was protected and managed over time. The link that provided access to the data was protected only by a password. In addition, items collected in September 2020 remained in place for a year, with no regular data purging.
Theoretically, the access link should have become invalid after seven days, and manual deletion of data should occur after each transfer. This raises a further question: were the technical precautions sufficient? For example, was the data encrypted when it was stored on Dispose, so that it remained protected whether or not there was a flaw in HCP Anywhere?
Several investigations are underway to clarify the remaining gray areas of the case: one, internally, from the AP-HP; another from the National Commission for Informatics and Liberties (Cnil). A final one was launched by the Paris prosecutor’s office, in an attempt to track down the person or persons responsible for this fraudulent access which was accompanied by an illicit extraction of data.
The people affected by this incident should already have received an email from the AP-HP explaining what happened and urging them to be cautious about possible future emails concerning covid-19. Some of the data that was extracted included the patient's identity, social security number, contact details, type of test, and result.