Cybersecurity researcher Jeremiah Fowler has uncovered a non-password-protected database containing nearly 1.3 million records. The exposed data encompasses critical COVID-19 testing information, along with personally identifiable details, including the patient’s name, date of birth, and passport number.
The publicly exposed database contained an estimated 1.3 million records that included 118,441 certificates, 506,663 appointments, 660,173 testing samples, and a small number of internal application files.
The exposed certificates and other documents were all marked with the name and logo of Coronalab.eu. Although the website appears to be offline, Coronalab is owned by Microbe & Lab, an ISO-certified laboratory based in Amsterdam, Netherlands.
The exposed COVID test records contained each patient’s name, nationality, passport number, and test results, as well as the price, location, and type of test conducted. The database also contained thousands of QR codes and hundreds of.csv files that showed appointment details and many patients’ email addresses.
It is unknown how long the data was publicly exposed or if anyone else may have accessed the thousands of COVID-related records. It is also unclear if customers, patients, or the authorities have been notified of the data incident.
