Government Source Code Leaks Compromise the Personal Data of Millions
It’s not always security researchers who uncover major data breaches or security mishaps. Reporters from a Brazilian publication have been very good lately at detecting unfortunate incidents generated by official government websites or careless government employees.
It appears that for about six months, a database which has been gathering personal information for about 30 years, and which currently contains the confidential details of over 243 million Brazilians, has been publicly available online, ZDNet reported last week. Full names and addresses, phone numbers and medical information of people both dead and alive were left online for anyone to access. This problem is the result of developers forgetting to delete the database password from the source code of an official government website.
As if this incident wasn’t enough of a compromise to worry Brazilians these days, the same investigative journalists found that the personal and health information of over 16 million people tested for COVID-19 at a hospital in Sao Paulo had been leaked a week before. Brazil’s President Jair Bolsonaro and other prominent leaders in the country were also tested at the facility, which means their personal information was among the data compromised. This time, at fault was a spreadsheet containing usernames and passwords published by hospital staff on GitHub.
Can cybersecurity and data protection laws save the day?
The common denominator to blame in this story is the multiple official websites which have compromised residents' personal, medical, tax and voting information by exposing critical passwords or API keys in their source code. Most worrying is that these two cases are not unique. Yet another site, for instance, kept usernames and passwords in an encoding format which could easily be tampered with, ZDNet explains. Even though the passwords have now been deleted from the source code, who knows how many malicious actors have already downloaded the data?
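The failure pattern described above, a credential left as a string literal in a published source file (sometimes merely base64-encoded, which is not encryption), is what secret-scanning checks in a CI pipeline or pre-commit hook are meant to catch. The following is an added illustration, not code from any of the sites in the article: it scans a constructed settings file for credential-looking assignments, flags base64 values that decode to a `user:secret` pair, and shows that the same key read from the environment is not flagged.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample files (not real code): one with a hard-coded database
# password, an API key and a base64-encoded credential, one hardened to read
# the password from the environment at runtime instead.
SAMPLE_FILES: Dict[str, str] = {
    "app/settings.py": (
        'DB_HOST = "db.internal.example"\n'
        'DB_PASSWORD = "Sup3rS3cret!"\n'
        'API_KEY = "AKIAEXAMPLEKEY0123456"\n'
        'ADMIN_AUTH = "YWRtaW46cGFzc3dvcmQxMjM="\n'  # base64("admin:password123")
    ),
    "app/safe_settings.py": (
        "import os\n"
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'  # hardened: no literal in source
    ),
}

# A credential-like key name assigned a quoted string literal. A value read
# from the environment or a secrets manager is not a literal and does not match.
CRED_ASSIGN = re.compile(
    r'(?i)\b(\w*(?:password|passwd|secret|api_key|apikey|token|auth)\w*)'
    r'\s*[=:]\s*["\']([^"\']{6,})["\']'
)
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_like_encoded_credential(value: str) -> bool:
    """True if value is base64 that decodes to printable 'user:secret' text."""
    if not B64_LITERAL.match(value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # wrong length/alphabet or binary
        return False
    return decoded.isprintable() and ":" in decoded


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_no, key, finding) for every literal credential found."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            m = CRED_ASSIGN.search(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2)
            kind = ("base64-encoded credential" if looks_like_encoded_credential(value)
                    else "hard-coded credential")
            findings.append((path, line_no, key, kind))
    return findings


if __name__ == "__main__":
    for path, line_no, key, kind in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind} in {key}")
```

Wiring such a check into the repository's pre-commit hooks blocks the commit before the literal ever reaches a public host; the hardened file passes because the value only exists at runtime.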
With a population of over 200 million, Brazil is one of the largest countries in the world. The repeated negligence and security incidents, which are not even the result of a criminal mastermind, can’t help but raise concerns about the lack of general interest in securing its citizens’ personal data.
Fortunately, we have not heard of the same issues in Canada, or in Quebec specifically. There have been news reports of the provincial government losing control of the personal information of its teachers and of the federal government mishandling the personal information of 144,000 citizens and employees, but nothing comes close to the issues seen in Brazil.
Brazil's data protection law LGPD (Lei Geral de Proteção de Dados) came into effect this year, two years after it was first published. Although the country already had some 40 different laws and regulations, these may have existed only on paper, given the aforementioned events.
Similar to GDPR in the European Union, which appears to have inspired it, LGPD is a far-reaching framework that addresses businesses of all shapes and sizes and their methods of collecting and processing personal information. Even though it is not as strict as GDPR and its fines are not as hefty, it protects both personal and sensitive data that may lead to discrimination, and it involves overwhelming compliance efforts from companies doing business with Brazil.
What does this mean for the government, considering its websites and employees have been negligent in processing and securing personal data? Will the national data protection authority take measures to set an example? While this may be a topic worth deliberating with privacy experts or lawyers, in terms of cybersecurity, a complete review of government infrastructure to prevent leaks and unauthorized access would be a great start to show citizens that these matters are taken seriously.