


18 Jan 2022

Cheap Covid test firm leaks 'selfies', passport scans and addresses of customers

Hundreds of customers received an email warning their data had been exposed - including their Covid status

Another testing firm has failed to protect its users' details - months after Which? Travel revealed a potential hole in the travel testing system's data protection.

Hundreds of customers of Alpha Express Testing received an email last week from a concerned customer, warning their data had been exposed.

The contacted travellers, legally obliged to book tests in order to enter the UK, were told: 'You recently used Alpha Express Testing for your day 2 Covid test to return to the UK. Alpha Express hasn't told you that they have been sharing all the details you gave them on an unencrypted, exposed URL.

'This includes your full name, home address, telephone number and an image of your passport and a selfie.'

Alpha Express Testing was one of the cheapest providers of day two lateral flow tests on the official government list. It was selling tests for just £9.44.

No password protection for private Covid tests

When Which? Travel investigated on Friday, we found that the email was correct. We could see Alpha Express Testing customers' private details, including whether they had Covid or not. There was no password protection, and all we needed to do in order to be shown leaked data was change one digit in the reference number.
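The flaw described above is a lookup that treats a guessable reference number as the only credential. The following is an added illustration, not code from the article or from any firm it names: a constructed test-result store served the weak way, the same lookup hardened with an unguessable per-record token and an ownership check, and a simple scan over constructed access-log lines that flags a client walking through neighbouring reference numbers. All records, tokens, IP addresses and log lines are invented for the example.

```python
"""Added example: weak reference-only lookup beside a hardened one, plus an
enumeration check over access logs. Every record and log line is constructed."""
import hmac
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records keyed by a sequential reference, as the weak design stores them.
RECORDS = {
    "REF10001": {"customer_id": "cust-a", "name": "A. Example", "status": "negative"},
    "REF10002": {"customer_id": "cust-b", "name": "B. Example", "status": "positive"},
    "REF10003": {"customer_id": "cust-c", "name": "C. Example", "status": "negative"},
}


def lookup_weak(reference):
    """Weak pattern: the reference alone is the 'credential', so any record is
    returned to whoever supplies a neighbouring number."""
    return RECORDS.get(reference)


# Hardened design: each record gets a random access token when it is created
# (hypothetical store; a real system would persist these beside the record).
ACCESS_TOKENS = {ref: secrets.token_urlsafe(32) for ref in RECORDS}


def lookup_hardened(reference, token, authenticated_customer_id):
    """Return the record only if the token matches (constant-time compare) and
    the logged-in customer owns it. Unknown reference, bad token and wrong owner
    all yield None, so responses do not reveal which references exist."""
    record = RECORDS.get(reference)
    expected = ACCESS_TOKENS.get(reference)
    if record is None or expected is None:
        return None
    if not hmac.compare_digest(expected.encode(), (token or "").encode()):
        return None
    if record["customer_id"] != authenticated_customer_id:
        return None
    return record


# Constructed access-log lines: "timestamp client_ip reference http_status".
SAMPLE_LOG = """\
2022-01-14T10:00:01 198.51.100.7 REF10001 200
2022-01-14T10:00:02 198.51.100.7 REF10002 200
2022-01-14T10:00:03 198.51.100.7 REF10003 200
2022-01-14T10:00:04 198.51.100.7 REF10004 404
2022-01-14T10:05:00 203.0.113.5 REF10002 200
"""


def find_enumeration(log_text, window=timedelta(minutes=1), threshold=3):
    """Flag clients that request at least `threshold` distinct references within
    `window`. One client stepping through references is the pattern to alert on
    and rate-limit, whether or not the lookup itself has been hardened."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, ref, _status = line.split()
        by_client[ip].append((datetime.fromisoformat(ts), ref))
    flagged = []
    for ip, events in by_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            refs = {r for t, r in events[i:] if t - start <= window}
            if len(refs) >= threshold:
                flagged.append(ip)
                break
    return flagged


if __name__ == "__main__":
    print(lookup_weak("REF10002"))  # served to anyone: the flaw
    print(lookup_hardened("REF10002", ACCESS_TOKENS["REF10002"], "cust-b"))  # owner
    print(lookup_hardened("REF10002", ACCESS_TOKENS["REF10002"], "cust-a"))  # None
    print(find_enumeration(SAMPLE_LOG))  # ['198.51.100.7']
```

The hardened lookup keeps the reference number in whatever format the scheme requires; what changes is that the reference is no longer the secret. The token in the link is long and random, the record is also bound to the account that created it, and every failure returns the same empty result.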

The revealed details were all of the type typically used by criminals carrying out identity fraud.

Some customers also reported that they were able to see not just data but also passport photos and the selfies required to register a test.

Fortunately, the person who sent out the email had no intention of using the data he'd found. He just wanted to warn Alpha's customers.

However, one person who received the warning email told us: 'I'm worried that anyone with basic computing skills could have easily downloaded my family's data and used it for fraudulent activities. They would literally have everything they need, not just emails and names but also our pictures, passport photos and numbers, date of birth and so on.'

Private data still online - days after firm is warned and government agency investigates

Alpha Express Testing was warned of the issue on Thursday 14 January and UKHSA (UK Health Security Agency) began investigating on Friday 15 January.

Yet some private customers' data was still freely visible online when we checked at 3pm on Monday afternoon. We contacted both Alpha and the UKHSA again and it had finally disappeared by 5pm on Monday afternoon.

We have not yet received a response from Alpha Express Testing as to what it has done to resolve the problem.

Second Covid testing firm hit by data leak

Which? Travel revealed that a similar data leak happened to another Covid testing firm in October. The firm concerned did manage to resolve the issue and the ICO (Information Commissioner's Office) said that no further action was needed. We were told at the time by another test provider that the system required by the government makes these kinds of leaks more likely.

It said: 'The format for reference numbers required by the Covid testing for travel system raises the risk of these kind[s] of incidents occurring, if customers' details aren't protected by a password.'

It also said it had warned the Information Commissioner's Office (ICO), responsible for enforcing data legislation in the UK, and UKAS (UK Accreditation Service), the organisation responsible for accrediting test providers.

Passport pictures stored online - with no protection

However, this latest leak is arguably more severe because it also included passport photos, selfies and Covid status.

The issue first came to light when customers found that the QR code needed to register the tests wasn't working.

They were directed to an online portal to input their test details manually. One customer then realised that he could see not only data but also customers' photographs and passport scans.

Alpha Express Testing back to selling tests

Over the weekend, Alpha Express Testing and its partner firm My Clear Test both stopped selling or registering tests.

Confused customers weren't told what the issue was. Instead, when trying to register a test result, they saw a message saying that the firms 'had been advised to pause your test while UKHSA look into a matter'.

However, while My Clear Test is still offline for 'essential maintenance', Alpha Express Testing is back to selling and registering tests, even while some of its customers' data is still exposed.

It hasn't made any reference to the data leak, but there is a message on its website saying: 'We have been made aware of a delay on verifications of LFD tests, if you are affected please bear with us as we are working through them'.

Both firms have been removed from the official government list.

The law on data protection

Legally, firms that handle this kind of data are obliged to protect it and to register with the ICO. However, Which? contacted the ICO and the government last summer with our concerns that not all the firms on the list had done this.

Alpha Express Testing and My Clear Test do not appear to have been listed on the public ICO register when the leak occurred, but they are now on there, with the date registered given as 14 January.

They have not yet responded to a request for comment.

Will the government protect travellers' private data?

Millions of travellers to the UK, both British and foreign, have now been obliged to give sensitive data to the testing firms listed on Gov.uk. When PCR tests were required, there were more than 400 providers of day two tests.

Many of the firms listed were sole traders, not registered with Companies House and with no address given for where they're operating their business. It was extremely difficult to establish who was behind these firms. Some operated more than one portal listed on Gov.uk.

We have asked UKHSA whether the firms listed on Gov.uk will be obliged to password-protect their customers' details and register with the ICO.

It told us that firms on the Gov.uk list are obliged to comply with all relevant legislation. It also said: 'We have removed a private testing provider from the relevant lists on Gov.uk pending further investigation. We take complaints raised very seriously and will not hesitate to remove providers listed on Gov.uk where appropriate.