The Dysfunctional Vaccine Rollout Is Creating Even More Opportunities for Cybercriminals

Connor Fairman is a research associate in the Digital and Cyberspace Policy program at the Council on Foreign Relations.

The COVID-19 vaccine rollout has been mired by cybercrime and digital dysfunction. Vaccines have been made available in a sporadic and decentralized manner, creating opportunities for threat actors to wreak havoc on counties tasked with administering doses and Americans frantically trying to find open appointments. As vaccine distribution continues, greater efforts should be made by authorities and online platforms to ensure a smooth and secure process.

The hectic vaccine rollout has disproportionally hurt one of the most vulnerable sectors of the population: older adults who have been forced to become early adopters of digital vaccine resources in order to receive their vaccinations. Scammers have always targeted older adults, but heightened fears about COVID-19’s effects on the elderly and the disorganized distribution of vaccines have made them even more vulnerable.

There have been numerous reports of online vaccine scams, particularly in Florida, which has the second-highest proportion of older adults in the United States. Several health departments in the state have set up Eventbrite pages for people to register to receive a vaccine, arguing that it is the fastest way to offer appointments. However, cybercriminals have created their own fake events and registration pages that promise people a vaccine in exchange for a fee (COVID-19 vaccine registration is free). Elsewhere, investigations have uncovered scams promising vaccines over Facebook and email—only to steal people’s money and information and infect their devices with malware.

Some counties and local health systems have launched their own websites for people to schedule vaccine appointments. To register, people enter their personal information, and, in some circumstances, social security number. There is minimal transparency around how this information is stored and whether it is secured. Moreover, many local providers likely lack the resources to keep people’s personal information safe from experienced hackers or to detect breaches if a hack does occur. As the amount of personal data being entered into vaccine registration websites increases, so too does the temptation for threat actors to steal it.

Another consequence of the decentralized rollout has been that people have been incentivized to sign up for multiple appointments to get vaccinated, due to reports of appointments being cancelled and hopes that earlier slots could open up. There is currently no way for providers to check if someone has already signed up on a site outside of their purview. As a result, people that would ideally be vaccinated quickly will have to wait longer than expected because some individuals have registered for multiple appointments.

Services like Eventbrite and Facebook were likely not created with the scenario of scammers selling fake vaccine appointments in mind. Nonetheless, they are responsible for ensuring that their platforms are not abused by criminals looking to exploit panic. Eventbrite has removed fake vaccine events after they have been reported but unfortunately too late to save their victims from being duped out of their money. To prevent continued abuse of their platforms, companies should quickly adopt automated tools for detecting vaccine-related events and products when they are created by their users. This could be as simple as an application that alerts moderators when it detects certain keywords, or as sophisticated as one that determines to a degree of certainty whether content is fraudulently advertising a vaccine.

If offered the right incentives, a platform like Eventbrite could take the additional step of “forking,” or creating a spin-off of its flagship events website focused on vaccine registration for authorized distributors to use. This would save counties the trouble of creating their own registration websites and handling the influx of sensitive patient data. Having suffered a major data breach in 2018, Eventbrite has made an effort to highlight its improved cybersecurity and data privacy measures on its website.

The issue of people signing up for multiple appointments could be addressed by Rob Knake’s digital identification proposal. Under this initiative, the U.S. Postal Service (USPS) would offer digital identity verification services, allowing people to prove that their information has been validated by the U.S. government and avoid entering it online multiple times. In this case, USPS would check to see if someone registering for a vaccine had done so already. Movement on this initiative will never match the pace of the initial vaccine rollout, but, since getting a COVID-19 vaccine could become an annual rite, it could be time for the federal government to get back on the path [PDF] toward offering digital IDs.

The current trajectory of the U.S. vaccine rollout opens the door for cybercrime and chaos in the digital realm on par with the rise of cybercrime we witnessed in 2020. It is time for authorities to partner with platforms for safer, more efficient scheduling and lay the groundwork for better ID verification to ensure that every appointment goes to someone who will use it.