Vaccination certificate platform under fire - proceedings initiated
The Federal Data Protection Commissioner has opened proceedings against the operator of the www.meineimpfungen.ch platform. He considers the data protection violations claimed by the online magazine "Republik" to be plausible. The foundation has been ordered to take the platform offline until further notice.
After the online magazine "Republik" informed the Federal Data Protection and Information Commissioner (FDPIC) on 21 March 2021 of its findings on possible data protection violations by the vaccination platform www.meineimpfungen.ch (digital vaccination certificate), the FDPIC summarily examined the magazine's allegations and the information available to it. After consultation with the National Cyber Security Centre (NCSC), it concluded that the reported breaches were plausible, the FDPIC reports.
Particularly sensitive personal data concerned
The purpose of the meineimpfungen foundation is to operate the electronic vaccination dossier on an electronic platform, and to publicise it and spread its use among the population.
The FDPIC has put a stop to this for now: on 22 March 2021, the top data protection official formally opened a clarification of the facts pursuant to Article 29 of the Federal Data Protection Act (FADP) against the foundation, which is based in Gümligen, Bern. In addition, the data protection commissioner writes, steps were taken to immediately stop the data processing that had been reported as inadequate. The reason: the vaccination platform's data processing was likely to violate the personal rights of a large number of people, especially since this case involves health-related personal data, which is particularly worthy of protection.
Those responsible at the foundation are now being called upon to respond very quickly to the FDPIC regarding the accusations and the complaint made by "Republik". In addition, information is expected on any loss of data.
What does the foundation say?
Due to the ongoing proceedings, the FDPIC does not wish to comment further on the case at present. According to "Republik", it is unclear whether cybercriminals have exploited the security vulnerabilities and siphoned off sensitive data from the platform. What does the foundation say about the allegations? On www.meineimpfungen.ch it only says "Sorry, urgent maintenance is required. We apologize for the inconvenience and will do our best to shorten the duration." Later, the platform says: "To maintain data security, the operation of the meineimpfungen.ch platform is temporarily interrupted."
In an initial statement, the organisation writes: "The meineimpfungen foundation was made aware of vulnerabilities in the online platform by specialists on Sunday, 21 March 2021. The vulnerabilities primarily relate to the possibility of unauthorised registration as a specialist. The majority of the technical vulnerabilities were already remedied in the early morning of Monday, 22 March 2021. For security purposes, we have suspended operation of the platform until a full analysis has been completed."
Harsh criticism from consumer protection
The meineimpfungen foundation was commissioned by the Confederation to issue an electronic Covid vaccination passport. The consumer protection organisation emphasises that this procedure was criticised from the outset. The data leak - 450,000 users were exposed - shows that the criticism was justified.
Sara Stalder, Executive Director of Consumer Protection, demands: "The activity of meineimpfungen must be stopped immediately and permanently. The advertising of this electronic vaccination dossier during the Covid vaccination registration process and on site in the vaccination centers must also be stopped immediately." She continued, "What is also required is for the legislature to establish strict baselines for a secure solution. Data privacy must be 100 percent guaranteed. We are talking about very sensitive personal data that is worth protecting."