Research from consumer group Which? has revealed that a vulnerability in a French Covid-19 testing firm’s systems has put the data and privacy of UK travellers at risk.
Which? discovered that Biogroup had accidentally made data freely available because it hadn’t added password protection to its systems. Which? discovered the vulnerability by inputting the reference number of a Covid-19 test with one incorrect digit. Biogroup describes its west London “Megalab” as one of the UK’s largest Covid testing labs, from which it provides both PCR and lateral flow tests.
Nearly 6,000 records freely available
Due to the data breach, Which? could access the personal details of as many as 5,700 people who had used Biogroup. The visible data included users’ names, home addresses, dates of birth, and telephone numbers.
Having such data would make it relatively simple for cybercriminals to try to commit identity theft, so there is understandable concern about such a breach.
Why would a testing lab have so much sensitive data?
Firms providing “day two” Covid-19 tests are, by law, required to obtain a significant volume of data, including:
- Vaccination status
- Passport numbers
- Telephone numbers
While this data breach is down to internal error, Covid testing labs are likely to be a hugely attractive target for cybercriminals who know what data is available.
Are consumers at risk?
Which? said it warned Biogroup about the vulnerabilities twice in September. Biogroup said it had resolved the vulnerability and reported it to the Information Commissioner’s Office (ICO).
Responding to contact by Which?, Biogroup stated: “Biogroup has rectified the root cause of the incident and will continue to pressure test its software systems to ensure no issues exist in the future.
“No system is infallible, and we will continue to learn and improve ours through our customer engagement. This is our guarantee to our customers.”
In addition, Biogroup said it had conducted its own internal investigation and found no signs that the consumer data had been accessed by cybercriminals.
Breach adds to pandemic-driven cybersecurity concerns
The Biogroup breach adds to concerns around the cybersecurity landscape, or rather, the cybersecurity (or lack of it!) deployed by businesses and public bodies.
While cybercriminals’ activity has undoubtedly increased during the Covid-19 pandemic as a means of taking advantage of vulnerable and unsuspecting people, the significant number of data breach incidents is as much down to poor cybersecurity processes and systems as it is to criminal activity.
If you’ve been affected by the Biogroup, or any other, data breach, you may be entitled to compensation
If your personal details have been accessed or leaked because of a data breach, you could be entitled to compensation.
You don’t need to have suffered a financial loss or been a victim of attempted or successful identity theft or fraud to have grounds for a claim. The fact that your privacy and data were put at risk is enough.
Contact LawPlus today if your privacy has been compromised by a data breach. We’ll conduct a free, no-obligation review of your case, and if you have grounds for a claim, you may instruct us to manage this on your behalf on a no-win, no-fee basis.