
A flaw in an Irish government website that exposed Covid-19 vaccination records has finally been publicly disclosed.


The Irish government patched a security flaw in the national Covid-19 vaccination portal two years ago, after it exposed the vaccination records of about one million residents. But the details of the vulnerability were not revealed until this week, after attempts to coordinate public disclosure with the government agency stalled.

Security researcher Aaron Costello said he discovered the vulnerability in the Covid-19 vaccination portal run by the Irish Health Service Executive (HSE) in December 2021, a year after mass Covid-19 vaccinations began in Ireland.

Costello, who has deep experience in securing Salesforce systems, now works as a principal security engineer at AppOmni, a security startup whose business is securing cloud systems.

In a blog post shared with TechCrunch before publication, Costello said a vulnerability in the vaccination portal, which was built on Salesforce’s Health Cloud, meant that any member of the public who registered for the HSE vaccination portal could access any other registered user’s health information.

Costello said vaccine administration records for more than a million Irish residents were accessible to every other registered user, including full names, vaccination details (including reasons for giving or refusing vaccines), and type of vaccination, among other types of data. He also found that internal HSE documents could be accessed by any user through the portal.

“Fortunately, the ability to see the details of everyone’s vaccination administration was not immediately apparent to casual users who were using the portal as intended,” Costello wrote.

The good news is that no one other than Costello appears to have discovered the error: the HSE kept detailed access logs showing that “there was no unauthorized access or viewing of this data,” according to a statement provided to TechCrunch.

“We addressed the misconfiguration on the day we were alerted,” HSE spokeswoman Elizabeth Fraser said in a statement to TechCrunch when asked about the vulnerability.

An HSE spokesperson said: “The data accessed by this person was insufficient to identify any person without exposing additional data fields, and in these circumstances it was decided that a personal data breach report to the Data Protection Commission was not required.”

Ireland is subject to strict data protection laws under the EU General Data Protection Regulation (GDPR), which governs data protection and privacy rights across the EU.

Costello’s public disclosure comes more than two years after the vulnerability was first reported. His blog post includes a multi-year timeline showing the back-and-forth between various government departments, none of which was willing to push for public disclosure. He was eventually told that the government would not publicly disclose the error, effectively treating it as if it had never existed.

Organizations are not obligated, even under GDPR, to disclose vulnerabilities that did not result in mass theft of or access to sensitive data and so fall outside the legal definition of a data breach. However, security is often built on the knowledge of others, especially those who have experienced security incidents themselves. Sharing this knowledge can help prevent similar exposures in other organizations that may not be aware of the risk, which is why security researchers tend to lean toward public disclosure: it stops others from repeating mistakes that have already been made.
