Midwestern state in data leak drama

Security researchers deny inappropriate access to Indiana Covid-19 survey data

UPDATED A security vendor has disputed claims that it improperly accessed personal data collected through the US state of Indiana’s Covid-19 contact tracing survey.

In a statement issued on Tuesday (August 17), the Indiana Department of Health said it was notifying nearly 750,000 citizens that data from the survey was “improperly accessed”.

The exposed information included name, address, email, gender, ethnicity, and date of birth, but it did not include medical information or sensitive financial information, according to state officials.


“We believe the risk to Hoosiers whose information was accessed is low,” said State Health Commissioner Kris Box.

“We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained.”

Box added: “We will provide appropriate protections for anyone impacted.”

Publicly accessible

Citizens are being offered a year’s complimentary credit monitoring services, while techies in Indiana have corrected a “software configuration issue” that resulted in the inadvertent data leak.

Although the firm was not named in the official statement, a spokesperson for Indiana told the Associated Press that cybersecurity firm UpGuard was responsible for the “inappropriate access”.


UpGuard criticized Indiana’s statement, telling the AP that the data was left publicly accessible on the internet.

The Daily Swig approached Indiana for comment on the exact cause of the breach, as well as its response to UpGuard’s version of events.

In response, a spokesperson for Indiana confirmed that UpGuard was the firm involved, adding "we stand by the statements in our release".

UpGuard told The Daily Swig that the "data was exposed via an api configured to allow anonymous access".

More specifically, Indiana's Covid tracing site had APIs that had been configured to allow anonymous access to the data, a security flaw UpGuard had reported to Indiana.

UpGuard denied that it had “improperly accessed” the data, and rejected any suggestion that it had performed this action to seek business from Indiana.

"The system was misconfigured by the State of Indiana such that anonymous users were authorized to access the data," an UpGuard spokesperson explained. "UpGuard did not exceed our authorized access, and while the data should not have been public, the nature of the data could only be ascertained by downloading and analyzing it."


This story was updated to add follow-up comment from Indiana and UpGuard.

