‘NHS app could leave firms exposed to phishing threat’, warn experts

17 June 2020

UK security and privacy experts have expressed concerns about the national approach to developing the NHS Track and Trace app, warning that it could lead to enterprises seeing their data exploited.

The smartphone app, which alerts people if they have come into contact with an individual who has reported coronavirus symptoms, has been trialled on the Isle of Wight and is integral to the government’s “test, track and trace” strategy as the country eases out of lockdown.

However, the new app has been beset by privacy issues, and its developers are being questioned on areas such as data protection and security because of the complexity of the technology.

Russ Ernst, EVP, products and technology at Blancco, a provider of data erasure and mobile device diagnostics software, said the NHS and other contact tracing apps should raise some concerns for enterprises. “First, there is a large amount of personally identifiable information (PII) being processed by these apps and potentially transmitted through mobile devices — not only the information of the user of a specific device but anyone that has been in close proximity with that user or device,” he told Networking+. “Secondly, the data collected by contact tracing apps is being saved centrally instead of leaving it on the mobile device itself. This means there is much more information that enterprises and federal agencies will have to be mindful of as they are collecting and analysing this information. This is going to require a different level of responsibility and compliance and therefore impact their data collection mechanisms and data retention policies.”

Ernst added that it is likely more individuals will request their “right of access” or “right to erasure” under the GDPR through this process but also after the pandemic clears.

“This crisis has also led to a general concern, for both enterprises and consumers, about the security of all the data that is being collected through these contact tracing apps,” he continued. “The heightened awareness about the amount of PII that is being collected through these apps, not only for an individual but everyone that individual has been in contact with over a certain period of time, has led to an increase in cyberattacks including phishing scams.”

Mollie MacDougall, threat intelligence manager at Cofense, a cybersecurity firm specialising in phishing prevention, also told Networking+ that the pandemic “sadly presents a new wave of opportunity, as evidenced by the explosion of coronavirus-themed phishing attacks over the last three months.” “This example is particularly malicious and abhorrent, given that it plays on the NHS’ new contact-tracing app, which could potentially be rolled out to a huge percentage of the UK,” she said.

“This example of SMS phishing will almost certainly be the tip of the iceberg for threat actors abusing the contact tracing app narrative for malicious intent, and the targeting of enterprises and individuals using this theme will likely increase.”

MacDougall said that in early May, Cofense found phishing emails aimed at businesses, claiming that a colleague had passed away or fallen ill as a result of coronavirus, which aimed to harvest users’ passwords and personal information through a malicious attachment. “This is one of several themes related to the pandemic,” she added. “Threat actors are willing to go to any psychological length to attract their victims, but it is important to exercise the utmost caution and restraint in the face of emotionally jarring emails or text messages. Be aware of the fact that phishing scams are abundant, and if something about a message seems off, remember that it very likely is.”

Health secretary Matt Hancock had said the app would be available nationwide in May, before the date was moved back to June.

NHSX, the unit responsible for setting national policy and developing best practice for data sharing and transparency, said the data will not be stored longer than 28 days and will be deleted once the app is no longer in use and the pandemic is over.