Jersey's digital vaccine passport system has closed just hours after launching due to security concerns.
The government says it has been made aware of 'an exploit with privacy controls' on the platform.
A spokesperson said last night that there had so far been no evidence of a 'major hack or data leak'.
The government announced yesterday afternoon (20 October) that the platform had gone live and islanders could access digital proof of their vaccine status and obtain a QR code.
To do so, they must be registered on the ID verification app YOTI and log into their OneGov account.
People immediately reported problems accessing the platform. A government spokesperson said the wrong link had been sent out, and that lots of people had been trying to log in at the same time.
Officials later announced that they had closed the Covid Status Certificates Platform over security concerns.
Channel 103 understands that it was possible to use a few easy-to-guess data points, including someone’s surname, to obtain a copy of their vaccination records and email them as a PDF.
The system, which is built on Microsoft’s Azure platform, is also thought to have allowed some advanced users to access it without having to be logged in through the YOTI digital ID service.
The government said officers and Microsoft were urgently looking into it.
"... an update will be given once a solution has been found." - Government of Jersey.
At lunchtime on Thursday, officials provided further details of the 'loophole':
"This flaw does not lie with Yoti, but is rather a loophole with the platform that would allow someone with the date of birth and social security number of another Islander to access their vaccine certificates."
A spokesperson stressed there is no issue with YOTI and islanders can continue to use it.
Cyber Security Centre CERT alerted the government to the problem, and is working with them to fix it.
We have offered CERT’s support to Officers working on the issue and will be seeking assurance that there is no ongoing risk to islanders.
— CERT-JE (@CERTJersey) October 21, 2021
Matt Palmer, the director of Jersey's Cyber Emergency Response Team, says they were alerted to the issue quickly by a member of the public at around 7pm last night.
"There was a very rapid response to this actually, and one of the things I can say is that no public data was exposed as a result because I've spoken with my government colleagues and they have gone through and checked each request that was made to that system during the time it was online and confirmed that they're all legitimate.
"I can't say enough how grateful I am personally to know that the resident concerned raised this issue, told us about this issue promptly, and spotted it promptly because that allowed it to be addressed before it became a problem.
"When these issues go undetected for a longer period of time, there is a greater risk that data is exposed.
"It's great that it wasn't in this instance, we still need to make sure that government learns the lessons from it and that we make sure that security testing on new applications is rigorous and that these sorts of issues don't get past that testing.
"I appreciate that it is harder to do that when you are up against constrained timelines, when you're trying to deliver applications rapidly as is absolutely the case with the Covid programme, however, we still need to get that balance right and make sure things are rigorously tested so these issues don't arise.
"That absolutely has to be the priority."
Once available, it will be possible to use the QR codes in the UK and France, but not yet elsewhere in Europe or further afield.
They are not required within Jersey.