The personal information, including contact details and health records, of 243 million Brazilians could, until recently, be viewed by anyone with an Internet connection, as the credentials for a gigantic Ministry of Health database were stored inside the source code of a government website.
The gigantic exposure of the personal information of millions of Brazilians, the proof of whose access by unauthorised or malicious individuals is not confirmed yet, was discovered by reporters from Brazilian newspaper Estadao who decided to investigate the source code of government websites to check if they contained the login credentials for sensitive government databases.
According to ZDNet, the reporters initiated their investigation after Brazilian NGO Open Knowledge Brasil (OKBR), found that a government website stored the login credentials for another government database inside its source code.
The investigation led to the discovery of certainly the largest data leak suffered by the Brazilian government since the advent of the Internet. The reporters, not for the first time though, found the login credentials for a Ministry of Health database inside the source code of an official Brazilian Ministry of Health website.
The reporters discovered that the login credentials were associated with the official Ministry of Health database that stored the personal information, such as full names, addresses, phone numbers, and medical information, of 243 million Brazilians.
The database in question is the Sistema Único de Saúde (Unified Health System) which was set up in 1989 by the Brazilian Ministry of Health and is presently the world’s largest government-run public health care system, storing the details of virtually the entire Brazilian population.
Information stored in SUS is used by the Ministry of Health and other government departments to formulate health policies and policies regarding drugs, equipment, immunobiological, and other resources of interest for human health. The system also helps the government offer therapeutic and pharmaceutic assistance to citizens, carry out sanitation and health surveillance, and to formulate and execute the national policy for blood and its derivatives.
Commenting on the massive leak of the personal information of millions of Brazilians, which fortunately was discovered by journalists and not malicious actors, Ilia Kolochenko, the founder & CEO of ImmuniWeb, said many governments tend to outsource software development to the cheapest providers, resulting in sub-optimal quality and security of the code.
“Cybercriminals are perfectly aware of these amazing opportunities and effortlessly harvest the long-hanging fruits. Worse, such incidents and consequential attacks are hard, if not impossible, to detect in a timely manner.
“To prevent such incidents, organizations must do 3 simple things: invest into continuous security training for developers, continuously monitor Internet from leaked source code including resources such as Stack Overflow and not just Code Repositories, and keep in mind that when external software development company provides a price that is too good to be true – it’s likely so,” he added.