Skip to main content

A secure reopening? Keeping vaccination passport data safe

Flatfile data
(Image credit: Flatfile)

Vaccine passports are being adopted across the globe to enable safe international travel. The UK is no exception. But, with question marks hanging over NHS Digital’s every move during the pandemic, it is evident there are still some security and privacy concerns that need addressing. 

Restrictions were fully lifted on the 19th of July, with a view to ease back to normality and set the UK economy on the road to recovery. For Brits to go on holiday, proof of vaccination is needed. Additionally, nightclubs and large events will, by law, need to ask people to demonstrate that they have had two doses of the vaccine, a negative test, or a recent recovery from the virus as a requirement of entry by late September.

Vaccine passports are set to become a regular fixture of life for the foreseeable then. But the reliance on QR codes, and cross-border differences in data regulations and laws, means they could present a good opportunity for cybercriminals and fraudsters.

Privacy concerns  

Throughout the pandemic, cybercriminals and other bad actors have taken advantage of Covid-19 fears, online deliveries, and vaccination appointments to trick people into handing over their data. The FBI reported a 300 percent increase in cyber-crime because of the pandemic. There will likely be new scams targeted towards vaccine passports too.  

The sheer amount of data of that is linked with vaccine passports – Covid-19 testing, track and trace data, personal details, health data – is a privacy concern in itself. For that reason, consumers should only let authorized security personnel scan their QR codes. Whilst at an airport these personnel will be easy to identify. But in the queue for a stadium or a concert, they may be harder to decipher. 

Data sovereignty indicates that personal information, including health data, is normally governed by regulations to protect the citizens of the region where the data is being stored. We see this with HIPAA in the US, and GDPR in the EU. However, regulations and compliance aren’t standardized across international borders. This muddled environment could present a big opportunity for cybercriminals.  

The focus of healthcare organizations and corresponding track and trace applications has been on stopping the spread of Covid-19. Cybersecurity has sometimes come second. Ireland’s public healthcare system recently shut down its major technology systems after it experienced a ransomware attack. The disruption affected hospitals and Covid-19 testing centers across the country. 

If this protected critical IT infrastructure can be hacked, what is to stop cybercriminals from targeting the NHS app or subsequent vaccine passport next?

How QR codes can be abused 

QR codes have been used within vaccine passports as they are a simple way to quickly check any information without coming into contact with another person. But systems that have simple functionality are often easily taken advantage of. As previously mentioned, hackers have spent lockdown exploring new ways to exploit consumers, so we can expect hackers to get even more creative with QR codes.

Governments and businesses see them as a quick and easy way to link people to websites, promotional campaigns, in-store discounts, medical records, mobile payments, and many more other uses. But QR codes don't tell you what they carry in advance. When you scan one, you can't tell what you're getting. You could just as easily initiate the download of malware onto your device as pull up a restaurant's menu. Additionally, they can easily be cloned so one vaccine pass could be used by two people.

Bad actors are increasingly creating QR codes and pasting them over menus or venue check-ins to initiate a malicious action. Sophisticated cyber-criminals wishing to access a business’ IT infrastructure can now have their malicious QR code easily scanned, just by pretending to enter an event. 

The growing threat associated with QR code usage was confirmed in a recent survey by Ivanti. Fifty-one percent expressed concerns over using QR codes but scan them anyway. One-third of respondents were unaware of QR code risks and didn’t recognize the need to protect their mobile devices. The risks are exacerbated by the fact that 49 percent of respondents in the study have no mobile security software in place.

Keeping businesses secure  

QR code security threats are certainly problematic. So, what can you do to protect yourself? Businesses like concert venues and stadiums can display QR codes in places that are easy to scan at a distance but difficult to physically alter, such as behind plexiglass at a counter. 

Because mobile devices are used for personal and business activities, it’s critical for both consumers and businesses to prioritize mobile security for their employees, whether the mobile device is company or employee-owned. A zero-trust security strategy should be implemented to continually verify each asset and transaction before permitting mobile device users to access the corporate network.

The work environment on employees' phones can be protected by using unified endpoint management (UEM)software, with managed threat defense (MTD) to detect and remediate threats. UEM keeps business applications and data separate from the personal and certifies that communications between the app and the analysis network are encrypted and authorized.

While vaccine passports appear to be a sensible and convenient approach towards restoring normalcy to European economies, QR codes clearly present a risk, both privately and corporately. Malicious code, brought in by employee mobile devices, can comprise an organization’s digital systems and data. MTD and UEM solutions provide peace of mind, with the assurance that mobile devices logging into business digital infrastructure are protected.

Nigel Seddon, VP of EMEA West, Ivanti (opens in new tab)