Brazilian Ministry of Health website hacked, vaccination information stolen and deleted
Brazil’s health ministry said its website was hacked, dismantling several systems, including one containing information about the national immunization program and another used to issue digital immunization certificates.
- Suspected hackers call themselves Lapsus $ Group
- Deputy Health Minister Rodrigo Cruz says it’s too early to say if data can be recovered
- Quarantine requirements for unvaccinated travelers have been postponed
The government has postponed for a week the implementation of new health requirements for travelers arriving in Brazil due to the attack.
“The Ministry of Health reports that in the early hours of Friday, it suffered an incident that temporarily compromised some of its systems … which are currently unavailable,” he said in a statement Friday.
Police said they were investigating the attack.
The suspected hackers, calling themselves Lapsus $ Group, posted a message on the website saying internal data had been copied and deleted.
“Contact us if you want to recover the data,” he said, in an apparent ransomware attack.
The message, which included email and Telegram contact information, had been deleted on Friday afternoon, but the webpage was still down.
User data in the ConectSUS app that provides Brazilians with vaccination certificates was gone.
The ministry said it was working on restoring its systems.
At a press conference on Friday evening, Deputy Health Minister Rodrigo Cruz said access to immunization data had not been recovered.
Mr Cruz said it was too early to say if the data had been lost.
Under measures decided on Tuesday after President Jair Bolsonaro opposed the use of a vaccine passport, unvaccinated travelers arriving in Brazil will have to quarantine themselves for five days and be tested for COVID- 19.
The requirement was due to start on Saturday, but the government said it would be postponed for a week because immunization data was not available online after the attack.
COVID-19 tracing forms for arriving air passengers were still available on health regulator Anvisa’s website, which was not targeted.