Leak of Dominican COVID Vaccination Data on the Dark Web is Enticing for Cybercriminals and Nation-State Actors

A threat actor leaked the personally identifiable information (PII) of 820,000 people from the Dominican Republic on the Dark Web, including their COVID vaccination status. The threat actor ‘CiberInteligenciaSV,’ which has also published other high-profile leaks impacting Latin American (LATAM) targets, dumped the Dominican data on Breach Forums.

Key PII fields exposed in the data dump include:

- Identification (ID) card number
- name
- sex
- municipality
- birth date
- vaccination data.

The vaccination data exposed by this leak covers total doses, the clinic where the inoculations occurred, date of vaccination, and the type of vaccine administered to the patient.

The source of the hack remains unclear, but a Breach Forums member posting as ‘CTF’ commented on thread, noted that there were some overlaps with the database exposed by the leak of caribetours.com.do user records. Caribe Tours, a Dominican-headquartered tourism company focused on the Caribbean region, was initially hacked by Kelvin Security in April 2022. Kelvin Security is a notorious hacking collective responsible for “more than 300 high-level cyberattacks” since 2020, according to Spanish police. The Record reported that this group has targeted “strategic industries in over 90 countries, including the U.S., Germany, Italy, Argentina, Chile and Japan.” Spanish authorities arrested the alleged leader of this threat actor group in December 2023. However, it is not clear whether CyberInteligenciaSV source for the Dominican data originates from the Caribe Tours breach. CTF also raised concerns that some of the data posted by CyberInteligenciaSV might be inaccurate, as the user cross-referenced ID card numbers with an official Dominican government online portal and saw different names associated with them in some cases.

This leak is nevertheless significant given the amount of COVID vaccination data exposed in the dump. These types of records are valuable to attackers because they represent sensitive health data. This data can be weaponized by financially motivated attackers for targeted phishing attacks and insurance fraud. Alternately, threat actors could also look to sell this data to third parties seeking health-related personal information, including advertisers and employers. Nation-state actors may also be interested in obtaining country-specific vaccination data for espionage or general intelligence-gathering purposes.

Reference to Sinovac:

Reference to Pfizer:

Understanding vaccination rates and distribution patterns could provide hostile intelligence services insights into a country's healthcare infrastructure, pandemic response capabilities, and other demographic characteristics, which can collectively be used for future attacks.

https://dgii.gov.do/app/WebApps/ConsultasWeb/consultas/ciudadanos.aspx

"00400214607","ANGEL","M","","Fase
IVB: menores de 18","A-5YM-F1J-JJ5","2014-10-10","","IVB","65","MONTE
PLATA","ESCUELA RIO BOYA","2","2022-03-29","Sinovac Life Sciences Co.
LTD","Sinovac (CoronaVac)","COVID-19 Vaccine (Vero Cell),
Inactivated","20210703k"

"13100005811","YEIMI
ESMERALDA","F","","Fase IVB: menores de
18","A-YV8-SBZ-KFZ","2015-12-01","","IVB","65","BARAHONA","UNAP
FUNDACION","1","2022-03-29","Sinovac Life Sciences Co. LTD","Sinovac
(CoronaVac)","COVID-19 Vaccine (Vero Cell), Inactivated","20210703k"

Significance

The leak of Dominican PII and vaccination data on the Dark Web further illustrates the heightened targeting of Latin America (LATAM) by threat actors. With rapidly accelerating rates of smartphone penetration and Internet connectivity, cyberattacks have soared to an “all-time high” in the LATAM region, according to a Reuters story published last year. Concurrently, LATAM also had the “highest share of unprotected data in the world in 2022,” according to Reuters. LATAM’s deep online connectivity has thus significantly elevated regional risks for data theft and cybercrime.

Another key trend illustrated by this data leak is the prioritized targeting of health data by threat actors. Beyond COVID vaccination records, health data is particularly valuable to attackers because the “theft of medical records is harder to detect than other types of personal data,” according to trade publication HIPPA Journal. Due to these detection challenges, “medical records can be misused for longer than other types of personal data to commit identity theft, obtain medical services fraudulently, and other nefarious purposes,” writes HIPPA Journal. This heightened longevity of abuse inherently makes health data more valuable to attackers and is the primary reason that the healthcare sector persists as one of the most targeted sectors.

In this combined regional and sectoral threat landscape, organizations and everyday consumers in LATAM need to enhance their digital hygiene and take greater precautions against cyber risks. The democratization of modern cyber-threat intelligence (CTI) empowers Dominican citizens and broader LATAM consumer populations to mitigate malicious risks that may emerge from their PII or health data being leaked on the Dark Web. The use of a convenient CTI mobile app equips people in the LATAM region with a 360-degree view of their Dark Web data footprint, arming them with the cyber awareness needed to avoid becoming victims of financial fraud and identity theft. To learn more about how enterprise and retail customers in LATAM can protect their digital identities, Resecurity can help.