Data that is put on the web can be made accessible and usable by anyone that has the privilege. The thing is, protecting the data to only be accessible by the ones privileged is difficult.
Hackers are always on the prowl, lurking in the shadows to seek and find vulnerabilities in systems. and domains to hack.
And this time, Brazil's Health Ministry's website has fallen as a victim by hackers.
It was reported that a hack attack managed to take down several of the ministry's systems down, including one with information about the national immunization program, and a second one used to issue digital vaccination certificates, the ministry said.
As a result of this, the COVID-19 vaccination data of millions of Brazil's citizens became unavailable. And this includes the COVID-19 digital vaccination certificate, which is available via the ConecteSUS app.
Brazil was even forced to temporarily halt its health requirements for travelers arriving to Brazil due to the attack.
According to a message left by the Lapsus$ Group, which claimed responsibility for the attack, some 50TB-worth of data has been extracted from the the ministry's systems and has been subsequently deleted.
"Contact us if you want the data returned", the message said, alongside contact details for the authors of the attack.
Later that day, the images and the messages by the ransomware gang were removed, but the websites remained unavailable.
"The Health Ministry reports that in the early hours of Friday it suffered an incident that temporarily compromised some of its systems [...] which are currently unavailable," it said in a statement.
The Institutional Security Office and the federal police were called in after the attack. According to the police, an investigation into the matter has been opened.
The ministry said it was working to restore its systems.
Health Minister Marcelo Queiroga told reporters that no data would be lost, insisting that the ministry is still holding all the information that was taken, copied and deleted during the hack.
He added that those responsible for the criminal act would be “exemplarily punished.”
It should be noted that while the government said that it is postponing its requirements for travelers for a week because data is not accessible following the attack, COVID-19 tracing forms for arriving airline passengers are still available on health regulator Anvisa's website, which was not targeted.
The incident follows a previous attack on the Brazilian Health Regulatory Agency (Anvisa) in September. The attack was focused on the healthcare declaration for travelers, compulsory for individuals entering Brazil via airports.
The attack happened soon after the cancellation of the World Cup qualifier match between Brazil and Argentina, whereby Anvisa interrupted the game after four Argentinian players were accused of breaking COVID-19 travel protocols.
The incident also happened after the Ministry of Health was facing increasing pressure on the Brazilian government to demand COVID-19 vaccination certificates from international travelers coming to Brazil, as a response to the rise of the omicron variant.
Before this incident, back in November 2020, personal and health information of more than 16 million Brazilian COVID-19 patients were leaked online after a hospital employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on GitHub.
Less than a week later, another major security incident emerged, where the personal information of more than 243 million Brazilians, including alive and deceased, was exposed online after web developers left the password for a crucial government database inside the source code of an official MoH website for at least six months.
Read: COVID-19 Vaccine Certificates For Indonesia's President Leaked To The Internet