A potential security breach in the validation and reading of Belgium’s Covid Safe Tickets (CST) via the CovidScan application could affect over 39,000 people, says the Data Protection Authority (DPA).
Given the “particularly sensitive nature of health data,” the DPA stated that it is taking the potential leak very seriously in a press release.
“We issued a statement because some information was already in the public sphere but we are legally not allowed to comment on ongoing cases,” a DPA spokesperson told The Brussels Times.
A valid CST allows people to gain access to certain events, as it proves that the holder has been fully vaccinated, recently tested negative or recovered from the virus in the past six months.
Using a QR code, someone’s CST is read and validated directly through the CovidScan application. For those who are vaccinated, the app verifies that the vaccinated person did not recently test positive for the virus before validating the ticket.
This verification then happens via a coded list. During this phase of the CST scanning process, a potential security flaw was noticed by a citizen, says the DPA.
Sensitive data, such as health data, are a priority as their processing poses more risks to the rights and freedoms of individuals than the processing of so-called “regular” data, the DPA stressed.