The target: Portpass, a private proof-of-vaccination mobile application.
The take: Exposure of potentially 650,000 records of personally identifiable information including: email addresses, names, blood types, phone numbers, birthdays, and driver's licences
The attack vector: Portpass stored user profiles on their website, accessible to the public, which exposed the above information to anyone visiting the site. This data not encrypted and was stored as plain text.
Use of industry standard authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ robust practices of credential management, user authentication and validation, around all points of access, especially public facing ones, in a firm’s IT network. This breach also highlights the important of encryption as a method to improve the security of stored data, which can still protect the exposed information.