Quebec Vaccine Passport QR Codes Pwned

Vaccine passports are going to be one of a number of tools that will allow us to move back to some degree of normalcy. And the Province of Quebec was the first to implement a QR code based vaccine passport. And even before it’s been launched, it’s been pwned by hackers. Ironically, politicians are the ones that have been pwned:

The Health Department said in a statement it was aware of reports that people had managed to steal the QR codes of members of the Quebec legislature and said police complaints had been filed.

The statement came after Le Journal de Montreal and Radio-Canada reported that hackers had been able to obtain the codes of prominent politicians – including Premier Francois Legault and Health Minister Christian Dube.

The quick response codes are scannable codes containing a person’s name, date of birth and information about the vaccinations they have received. They are the central feature of the government’s vaccine passport system, which will be required as of Sept. 1 to visit businesses the provincial government deems non-essential, such as bars, clubs and restaurants.

Ouch. That’s going to affect the usage of this vaccine passport system. David Masson, Director of Enterprise Security of Darktrace had this to say:  

In the case of the Quebec vaccine QR breach, while the hackers didn’t hack the vaccine QR codes themselves, they were able to download the codes of QC residents via an entry point on the Quebec Government website portal. This hack is a reminder that data repositories used in apps and websites, like the Quebec Vaccine Passport, must be protected. 

While we don’t know exactly how the attackers were able to compromise the government portal, their ability to gain access means that a vulnerability existed in the system that developers missed before the launch. While the Quebec Government will certainly patch this vulnerability, incidents like this further reduce confidence in apps. A lack of trust in security may become a barrier to uptake in use. The Quebec Government needs to be transparent about this hack and its steps for remediation to build back trust with citizens.

Cyber attackers are constantly innovating, and defenders must rely on advanced cybersecurity technologies to stay ahead of these malicious actors. Complex systems require complex security. With attacks moving faster than humans can think, much less respond, tools like self-learning AI are a force multiplier in detecting and responding to cyber threats. That is why more organizations and public institutions in Quebec and across Canada are turning to self-learning AI to augment their human security teams and stop attacks in real-time – before the damage is done.

Hopefully, Quebec does whatever is required to make this vaccine passport secure before it launches in September.

One Response to “Quebec Vaccine Passport QR Codes Pwned”

  1. […] It simply validates the QR code and doesn’t appear to give away any personal information. Which is a good thing as Quebec had that issue recently. […]

Leave a Reply

%d bloggers like this: