Info on NHS Coronavirus app leaks out via Google Drive snafu

Careless share settings leak sensitive app roadmap

Info on NHS Coronavirus app leaks out via Google Drive

Wired reports that sensitive documents about the UK’s Coronavirus-tracing app have been carelessly leaked via a publicly accessible Google Drive link.

According to the report, the leaked roadmap of NHS’s controversial Covid-19 tracing app reveals that it could soon show users’ health “status” and ask individuals to share their precise location data:

One document titled ‘Product Direction: Release One’ and marked as ‘OFFICIAL – SENSITIVE’, includes a series of slides showing the app’s future development roadmap. The documents also reveal that officials within the NHS and Department of Health and Social Care are worried that the app’s reliance on unverified diagnoses could be open to abuse and lead to “public panic” that puts extra pressure on the health service.

The documents, which are hosted in Google Drive, were inadvertently left open for anyone with a link to view. Links to the documents were included in others published by the NHS covering the privacy protections in the contact tracing app. Other documents linked to in the document could not be accessed without approval.

There’s significant concern already about how data collected by the UK’s controversial “centralised” app will be secured. One hopes that this easily-avoidable goof isn’t a sign of things to come.

Someone working on the project might want to remind themselves of how you can share files on Google Drive with specific people, rather than with any old Tom, Dick, or Harry.

Sign up to our free newsletter.
Security news, advice, and tips.

The UK’s Coronavirus tracing app is being headed up by Dido Harding, who you may recall was the CEO during TalkTalk’s disastrous data breach.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

4 comments on “Info on NHS Coronavirus app leaks out via Google Drive snafu”

  1. Spryte

    Why would they store sensitive data on "someone else's computer"?

  2. Robin

    Oh boy! Can't wait to get this app, specially with Dido Harding heading it up. Gotta be safe as houses. Yeah, right!

  3. Mark Jacobs

    I just got this on FaceBook – https://pesacheck.org/false-data-from-leaked-email-and-password-databases-belonging-to-the-who-is-not-from-a-new-hack-184bb21d97de

    Apparently, the emails etc. are from a 2016 hack.

  4. otto

    Hi,
    I had the track and trace google / NHS app installed on my tablet unknown to me. How is this possible. I never asked, authorized it or was told.

    I have contacted Asus who pre-install Google service which i can't get rid of but no response as yet. I am unable to find a contact email address for Google but came across your blog.

    I would be interested to know how many other people have had this as its a complete breach of privacy. The app is supposed to be voluntary anyway.

    I'm not very techy so could you spread the word. I don't do social media either.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.