The Federal Data Protection and Information Commissioner (DPIC) in Switzerland is probing a possible data security breach by a website that allows people to voluntarily upload an electronic version of their vaccination record.
The action against Foundation Mesvaccins follows an investigation by online magazine Republik.ch, which reported that vaccination data for 450,000 people, including 240,000 vaccinated against Covid-19, were openly accessible and vulnerable to manipulation.
The free service allows people to create an electronic version of their paper vaccination record to ensure they are kept up to date.
However, it has now emerged that it was possible for unauthorised people to bypass checks intended to ensure only registered doctors or pharmacists could access the information in the vaccination records.
A DPIC statement said the commissioner considers the data protection violations “plausible”.
The statement said: “Those responsible at the foundation are now requested to respond to the commissioner very quickly on the allegations raised…in addition, the agent expects information about any data loss.”
Foundation Mesvaccins said it has been made aware of weaknesses in the website with possible unauthorised registration.
It added: “The registration of specialists was always carried out only after a manual check. This check ensured that only doctors or pharmacists trained in the field of vaccinations were given access.
“However, it has now become apparent that it was possible to circumvent this manual check with certain tricks.
“The security of the mesvaccins.ch platform is our top priority. We are therefore always grateful when we are informed directly about weak points. On the technical side, the reported weaknesses were fixed immediately.”
The Foundation is now analysing the vulnerabilities’ effects to determine if falsified vaccination cards or user accounts have been created.
The service – which is offered in French, German, Italian and English – will be offline while that work is carried out. “At the present time, we assume that the identified vulnerabilities were not misused and therefore did not result in any real risk to the protection of users’ data,” the Foundation added.