UK vaccine passport app could become ‘honeypot’ for hackers, says former top government cyber adviser

A potential UK vaccine passport is in danger of becoming a “honeypot” for hackers, rogue states and cyber criminal organisations, according to one of the government’s former top cyber security advisers.

Peter Yapp, ex-deputy director of GCHQ’s National Cyber Security Centre (NCSC), told City A.M. that a vaccine passport app could be an easy target for cyber criminals if all users’ data is kept in one centralised database.

Cabinet Office minister Michael Gove is leading a review into whether the government will roll out a Covid vaccine certificate, which could see pubs and restaurants turn away patrons if they haven’t had a jab or a recent negative test.

The Times reported yesterday that NHSX has already begun developing the app in anticipation of getting the green light from Gove.

Yapp, who left the NCSC in 2019, said criminal gangs would easily target the app if all data was kept in one centralised database.

He said that any app should keep data localised, like the Test and Trace app, so it is tied to individuals’ phones and should not include sensitive information like people’s date of birth or NHS number.

“Centralised databases means you’re putting a lot of data in one place so it becomes an attractive target for hackers and the like so it’s like a honeypot – it attracts people in and they’re going to have a go because there is so much data,” he said.

Before the Open newsletter: Start your day with the City View podcast and key market data

“It’s not viable to try and access everyone’s phones individually, but if you go to one central place to get millions of records it is a honeypot.

“To make a centralised database that is accessible and really secure is difficult and it’s difficult to do that in short period of time.”

Yapp said professional hackers would be able to use information stolen from the app to easily defraud people or scam the government.

He also said rogue states like Iran or North Korea “who are sanctioned and therefore are looking at ways to generate money” could target the app.

Yapp said: “Either it’s about finding out embarrassing things about people and then using that information to extort money from them or it’s about getting personal details out like date of birth and perhaps address, and then you can use that to extract money from banks or online shops or get things delivered to different addresses and divert the updates to the pin for your new card or any of those things.

“It might be limited private data, but if there’s a lot of it about in a central database then plundering that and then matching it with other data that is already out there, perhaps from social media posts, you can start to put enough together in order to fool an organisation somewhere to fool government to make payments to extract money.”

The government’s review into vaccine passports has rankled some Tory backbenchers, with lockdown-sceptic and libertarian MPs against the idea.

Steve Baker, deputy leader of the Covid Recovery Group (CRG) of Conservative MPs, said vaccine passports would prove a “magnet for fraud”.

“As a software engineer, I know all software has bugs. Bugs create security vulnerabilities, that’s why it’s a terrible idea to gather together so much data of such importance in one place,” he told City A.M.

“This is one more nail in the coffin in the idea of Covid certification.”

Former Cabinet minister David Davis added that “as soon as you’ve got access to a national health database you’ve created a database for hackers”.

“The Pentagon got hacked, Microsoft got hacked, Talktalk got hacked. You just can’t stop them. It doesn’t matter — however you do it, they’ll find a way of spoofing the system and getting 60m records. All sorts of markets might buy it — drugs companies, you name it. It is very dangerous” he told City A.M.

However, public appetite for vaccine passports appears to be growing ahead of the reopening of hospitality venues on 12 April.

A survey by polling firm Ipsos Mori published this afternoon found that 62 per cent of respondents were in favour of vaccine passports to enter pubs, bars and restaurants.

More than one-in-five people thought the ethical and legal concerns around vaccine passports outweighed the potential benefits, with around half of Brits surveyed saying they could lead to inequalities.

Boris Johnson indicated last week that it could be up to businesses to police the use of vaccine passports, with speculation that venues who implement them may not have to follow social distancing restrictions.

Hospitality and retail bosses have expressed concerns that the use of digital Covid certifications for entry to venues could face “legal challenges” and create enforcement problems for businesses.

Speaking at a webinar hosted by the CBI this afternoon, UKHospitality chief Kate Nicholls said vaccine passports posed “quite a challenging issue for a lot of people to wrestle with”.

“If you are in a consumer environment, you have legal concerns regarding age, ethnicity, gender, and I don’t think considering a valid test alongside a vaccine certificate is enough,” she said.

Desmond Swayne, Tory MP for New Forest West and fellow CRG member, told City A.M. vaccine passports represented “the thin end of a very thick wedge”.

Commenting on Yapp’s concerns over their potential security risks, Swayne said: “This takes us back to the debates of the early 2000’s when Labour sought to introduce ID cards, because that is exactly what the ‘passports’ will become.”

A government spokesperson said: “The government will review whether Covid-status certification could play a role in reopening our economy, reducing restrictions on social contact and improving safety. 

“The Government will also consider the ethical, equalities, privacy, legal and operational aspects of this approach and what limits, if any, should be placed on organisations using certification.”