A password leak exposed personal information of 16 million Brazilians who underwent tests for COVID-19, according to newspaper O Estado de S.Paolo. The exposed records included such information as individual taxpayer IDs, addresses, telephone numbers, and pre-existing medical conditions.
As per the newspaper, among the people affected by the breach are President of the Republic Jair Bolsonaro, ministers of the federal government and 17 state governors, including Minister of Health Eduardo Pazuello.
The leak was not the result of a cyber attack, but was caused by an employee of the Albert Einstein Hospital in the city of Sao Paolowho had free access to the Ministry of Health’s databases - E-SUS-VE and Sivep-Gripe that are used to store data on COVID-19 patients. The employee uploaded on his personal GitHub account a spreadsheet with usernames, passwords, and access keys to sensitive government systems to test a new implementation model, but then forgot to remove the file from the public page.
The spreadsheet was ultimately removed from GitHub, and government officials changed passwords and revoked access keys to ensure the systems are protected.