Dutch Coronalab.eu data leak exposes 1.3 million COVID test records

Cybersecurity researcher Jeremiah Fowler uncovered an unprotected database containing approximately 1.3 million records of COVID-19 testing data associated with Coronalab.eu, a website owned by Microbe & Lab, a laboratory in Amsterdam and a major commercial test provider in the Netherlands.

The database contains personal details of patients like:

• names,
• birth dates,
• passport numbers.
• test results,
• test prices,
• test locations,
• QR codes
• CSV files detailing appointments
• patients' email addresses.

The database held around 118,441 certificates, 506,663 appointments, and 660,173 testing samples, along with some internal application files.

Despite Fowler's efforts to responsibly disclose this breach through multiple notices and phone calls, he received no response, and the database remained accessible for about three weeks. It was only after he contacted the cloud hosting provider that the database was secured.