Date: 2021-11-14

The biologist and researcher Atila Iamarino reported last Tuesday (9) that his data in ConecteSUS, the system responsible for issuing vaccination records and certificates in Brazil, had been tampered with. In a Twitter post, he says that his name and his mother's name, as well as his nationality, were changed in the official document that proves his immunization status.

This is yet another occurrence in a series of cases that have affected celebrities, politicians and ordinary citizens alike since at least June this year. Presenter Nyvi Estephan and content creator Felipe Castanhari were also victims, with profanity being added to their respective national health cards; at the time, YouTuber Felipe Neto also reported having been hit, with his SUS record being altered as if he had died.

Similar cases also occurred with Guilherme Boulos, Gleisi Hoffmann and Manuela D’Ávila; in July, all reported that their records in the SUS were changed as if they were dead. Iamarino himself also said that his record was changed to show him as dead, but that the system made the correction when he was vaccinated. In the thread he opened on Twitter, there are also reports from ordinary citizens about medication and even third parties' Covid tests being wrongly registered in their names.

I found out that my data on ConecteSUS was also hacked. They changed my name, my mother’s name and my nationality on the vaccination certificate, in an official document… @minsaude How do I feel with my data in the hands of those who do this? With my son’s data there? pic.twitter.com/C9LyGd3UOj

— Atila Iamarino *vaccinated and on paternity leave (@oatila), November 9, 2021

The problem becomes even more serious in this period of reopening. With vaccination required to access public events, for example, certificates with improperly altered information can result in entry being denied, even if the change was made by a third party. In the case of records altered to show a death, the problems accumulate and can lead to the cancellation of registrations, contracts and documents, for example.

In a reply sent to Canaltech, the Ministry of Health said it had identified the undue changes to the certificates pointed out in this report, stating that the change was made by an “accredited operator”, who has already been blocked. According to the statement, the cases are not related to the ministry's own employees, and the ministry is working on corrections and on blocking access for those responsible. Read the full statement:

The Ministry of Health informs that it has identified undue changes in the registration of the Covid-19 vaccination certificate issued by the ConecteSUS application. The ministry clarifies that the modification was not made by a ministry employee, but by an accredited operator, who has already had their access to the system blocked. The guidance for people who have problems with the information entered in ConecteSUS is to contact the ombudsman on the number 136. The ministry reinforces that it is working to restore records and block operators responsible for undue changes.

Bad practices

In the view of Ricardo Tavares, director of the Gemina threat consultancy and a cybersecurity professor, problems like this are the result of inadequate development and monitoring practices. According to him, the adoption of measures such as database encryption, application firewalls and change monitoring would help to identify unauthorized changes or, in worse cases, even the mass extraction of citizens' information.
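The change monitoring mentioned above can be illustrated with a small detector over a record-change audit log. This is an added example, not code from ConecteSUS or the Ministry of Health; the log layout, field names, operator IDs and thresholds are all assumptions, and the sample entries are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Fields that should almost never change once a citizen record exists (assumed names).
IDENTITY_FIELDS = {"name", "mother_name", "nationality", "deceased"}
WINDOW = timedelta(hours=1)   # assumed burst window
MAX_RECORDS = 2               # assumed: distinct records one operator may edit per window

# Constructed audit-log entries: (timestamp, operator_id, record_id, field, old, new)
AUDIT_LOG = [
    ("2021-11-09T10:00:00", "op-17", "rec-001", "name", "Maria S.", "xxxx"),
    ("2021-11-09T10:02:00", "op-17", "rec-001", "mother_name", "Ana S.", "yyyy"),
    ("2021-11-09T10:05:00", "op-17", "rec-002", "deceased", "false", "true"),
    ("2021-11-09T10:09:00", "op-17", "rec-003", "nationality", "BR", "ZZ"),
    ("2021-11-09T11:30:00", "op-04", "rec-104", "phone", "1111", "2222"),
    ("2021-11-09T15:00:00", "op-04", "rec-105", "name", "Joao P.", "João P."),
]

def flag_operators(log, window=WINDOW, max_records=MAX_RECORDS):
    """Return {operator_id: sorted record ids} for operators who changed
    identity fields on more than max_records distinct records within window."""
    per_operator = defaultdict(list)
    for ts, operator, record, field, old, new in log:
        if field in IDENTITY_FIELDS and old != new:
            per_operator[operator].append((datetime.fromisoformat(ts), record))

    flagged = {}
    for operator, events in per_operator.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            records = {rec for _, rec in events[start:end + 1]}
            if len(records) > max_records:
                flagged.setdefault(operator, set()).update(records)
    return {op: sorted(recs) for op, recs in flagged.items()}

def identity_changes(log, record_id):
    """List (field, old, new, operator) identity changes for one record, for rollback review."""
    return [(f, old, new, op) for _, op, rec, f, old, new in log
            if rec == record_id and f in IDENTITY_FIELDS and old != new]

if __name__ == "__main__":
    print(flag_operators(AUDIT_LOG))
```

The per-record history returned by `identity_changes` is what lets an administrator restore the original values once an operator has been blocked.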

According to the Ministry of Health, improper registration changes in ConecteSUS were made by an accredited operator, who had their access to the system revoked (Image: Handout/Ministry of Health)

“Application vulnerabilities can be exploited by third parties when there is no development that is concerned with security or adopts practices to validate and correct flaws in the environment”, continues the expert. According to him, verification and analysis processes of this type would help to mitigate exploits of this category, making individuals and the system itself more secure.

Instead, what was seen was an exposure of data, albeit limited, which shows failures in the protection of information and directly undermines the rights of citizens. Even where the government itself is responsible, Tavares points out, the sanctions provided for by the LGPD (General Data Protection Law) apply. “[The law] can be applied to all public institutions, with the data subject having the same rights as in private institutions, being able to request due compensation in case of material or moral damage suffered”, he adds.

For citizens who identify problems or undue changes in their records on ConecteSUS, the Ministry of Health recommends contacting the ombudsman on the number 136.