Travellers' private data was freely viewable on the internet after Covid testing firm Biogroup failed to protect it with a password.
We discovered that accidentally typing one wrong digit when entering the reference number for a Covid test on the Biogroup website showed you somebody else's details, including their name, address, telephone number and date of birth. These are all details commonly used in identity fraud. The reference number alone was enough to retrieve a record: there was no password protection.
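The flaw described above is a classic insecure direct object reference: a sequential reference number is the only key to a record, so a single mistyped digit lands on a neighbour's data. The example below is added here to show that failure mode beside one way of closing it; it is constructed for illustration, not Biogroup's code, and the records, reference numbers and function names are all assumptions. The hardened lookup issues each booking a random 256-bit access token (the kind of thing a confirmation link can carry), stores only a hash of it, and refuses any request where the token does not match the reference, so a typo in the reference yields nothing instead of someone else's profile.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records keyed by a sequential booking reference.
# These stand in for the kind of lookup the article describes; the names
# and numbers are invented for the example.
RECORDS: Dict[str, Dict[str, str]] = {
    "1000231": {"name": "A. Example", "dob": "1980-01-01", "phone": "07000000000"},
    "1000232": {"name": "B. Example", "dob": "1975-05-05", "phone": "07000000001"},
    "1000233": {"name": "C. Example", "dob": "1990-09-09", "phone": "07000000002"},
}


def lookup_vulnerable(reference: str) -> Optional[Dict[str, str]]:
    """IDOR: the reference is the only thing checked, and references are sequential."""
    return RECORDS.get(reference)


def neighbouring_references(reference: str) -> List[str]:
    """Every reference that differs from the input in exactly one decimal digit,
    i.e. everything an honest customer could reach by a single typo."""
    out = []
    for i, ch in enumerate(reference):
        for digit in "0123456789":
            if digit != ch:
                out.append(reference[:i] + digit + reference[i + 1:])
    return out


def leaked_by_typo(reference: str) -> List[Dict[str, str]]:
    """Other people's records the vulnerable lookup hands out for one-digit typos."""
    return [
        lookup_vulnerable(r) for r in neighbouring_references(reference) if r in RECORDS
    ]


# Hardened variant: a per-booking capability token that cannot be guessed or mistyped
# into. Only the SHA-256 of the token is kept server-side (assumed storage for the example).
TOKEN_HASHES: Dict[str, str] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_access_token(reference: str) -> str:
    """Called once at booking time; the plaintext token goes to the customer only."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    TOKEN_HASHES[reference] = _hash_token(token)
    return token


def lookup_hardened(reference: str, token: str) -> Optional[Dict[str, str]]:
    """Return the record only if the presented token matches the one issued for it."""
    expected = TOKEN_HASHES.get(reference)
    if expected is None:
        return None
    # Constant-time comparison; an unknown reference and a wrong token both look
    # identical to the caller, so the response does not confirm which references exist.
    if not hmac.compare_digest(expected, _hash_token(token)):
        return None
    return RECORDS.get(reference)


if __name__ == "__main__":
    print("vulnerable, one-digit typos leak:", leaked_by_typo("1000232"))
    tok = issue_access_token("1000232")
    print("hardened, correct token:", lookup_hardened("1000232", tok))
    print("hardened, mistyped reference:", lookup_hardened("1000231", tok))
```

The reference number itself can stay short and human-friendly; what matters is that it is no longer the sole credential. Rate limiting and logging of failed lookups belong on top of this, since a high-entropy token stops typos and casual enumeration but does nothing about a stolen confirmation email.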
One Which? staff member who had used the firm contacted it with the subject heading 'urgent' when she realised that her data wasn't protected, but it did not reply.
Biogroup, based in France, runs what it described in December as one of the UK's largest Covid-testing laboratories, a 'megalab' in west London. It provides PCR and rapid lateral flow tests.
We warned Biogroup about the issue on 14 September and on 17 September it said that it had resolved the problem and reported the leak to the Information Commissioner's Office (ICO), responsible for upholding data rights in the UK. The customer profiles we'd previously seen exposed were now protected.
We contacted Biogroup again on 18 October and it said:
'Biogroup has rectified the root cause of the incident and will continue to pressure test its software systems to ensure no issues exist in the future. No system is infallible, and we will continue to learn and improve ours through our customer engagement. This is our guarantee to our customers.'
It also forwarded us the results of its internal investigation which suggested that, although approximately 5,700 people could have been affected in a worst-case scenario, it does not consider there was a high risk of anyone's data being used maliciously. It said that after it took action the risk ceased to exist.
Providers of the day two tests needed after foreign travel are required to ask for details of ethnicity and vaccination status, as well as passport numbers, addresses and phone numbers.
Biogroup does at least comply with the law on registering as a handler of customers' private information, but other firms on the government list seem to have ignored it.
There's an obligation for anybody handling private data to register with the Information Commissioner's Office (ICO) but, when we looked in summer, many Covid test firms had not done this.
Some are sole traders, not registered with Companies House and with no address given for where they're operating their business. It's extremely difficult to establish who is behind these firms and yet they're responsible for gathering and collating data which is given to the UKHSA (UK Health Security Agency).
We contacted the ICO earlier this summer with our concerns. It told us that it hadn't investigated any Covid testing firms but that it had provided advice to them via UKAS - the United Kingdom Accreditation service responsible for accrediting Covid test providers.
However, many smaller providers, which just act as intermediaries between labs and the customer, do not have to be accredited by UKAS. They can simply self-declare that they meet the required standard to provide tests, so are unlikely to have seen this advice.
On 24 October, the government removed the requirement for fully vaccinated travellers to take PCR day two tests when returning to England and Wales, although unvaccinated travellers will still need them, as will those returning to Scotland and Northern Ireland.
Those eligible to go without day two PCR tests will instead need a lateral flow, also known as rapid antigen, day two test bought from certain designated suppliers. These are also likely to require travellers to provide personal information to be given to Public Health England or the equivalent authorities in the rest of the UK.
You won't be able to use free NHS tests. Instead you'll have to book your private lateral flow test before coming into the country and then take a photo of the result to send to the provider. You can see more information here.