Info on NHS Coronavirus app leaks out via Google Drive snafu

Careless share settings leak sensitive app roadmap

Graham Cluley @gcluley

Info on NHS Coronavirus app leaks out via Google Drive

Wired reports that sensitive documents about the UK’s Coronavirus-tracing app have been carelessly leaked via a publicly accessible Google Drive link.

According to the report, the leaked roadmap of NHS’s controversial Covid-19 tracing app reveals that it could soon show users’ health “status” and ask individuals to share their precise location data:

One document titled ‘Product Direction: Release One’ and marked as ‘OFFICIAL – SENSITIVE’, includes a series of slides showing the app’s future development roadmap. The documents also reveal that officials within the NHS and Department of Health and Social Care are worried that the app’s reliance on unverified diagnoses could be open to abuse and lead to “public panic” that puts extra pressure on the health service.

The documents, which are hosted in Google Drive, were inadvertently left open for anyone with a link to view. Links to the documents were included in others published by the NHS covering the privacy protections in the contact tracing app. Other documents linked to in the document could not be accessed without approval.

There’s significant concern already about how data collected by the UK’s controversial “centralised” app will be secured. One hopes that this easily-avoidable goof isn’t a sign of things to come.

Someone working on the project might want to remind themselves of how you can share files on Google Drive with specific people, rather than with any old Tom, Dick, or Harry.

The UK’s Coronavirus tracing app is being headed up by Dido Harding, who you may recall was the CEO during TalkTalk’s disastrous data breach.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “Info on NHS Coronavirus app leaks out via Google Drive snafu”

  1. Oh boy! Can't wait to get this app, specially with Dido Harding heading it up. Gotta be safe as houses. Yeah, right!

  2. I just got this on FaceBook – https://pesacheck.org/false-data-from-leaked-email-and-password-databases-belonging-to-the-who-is-not-from-a-new-hack-184bb21d97de

    Apparently, the emails etc. are from a 2016 hack.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.