1. Business
  2. Politics and policy
October 5, 2020updated 06 Oct 2020 4:39pm

“Wholly inappropriate”: Excel use for coronavirus test data slammed by cybersecurity experts

By Lucy Ingham

The news that coronavirus test data was significantly delayed in being added to the UK’s test-and-trace system because of the use of Excel has been met with outrage by IT and cybersecurity experts.

It has emerged that almost 16,000 cases were delayed in being transferred to the test-and-trace system because the government was using an Excel spreadsheet to store the data, with an individual column for each case.

This reportedly caused problems because the maximum number of columns on an Excel spreadsheet is 16,384, meaning the sheet exceeded its maximum size and so failed to update, preventing the coronavirus test data from updating.

Notably, if rows had been used instead, the problem would have been avoided, as Excel supports up to 1,048,576, although many experts are arguing that the software is wholly unsuited to the purpose at all.

“If indeed the government was using Excel to track Covid cases, it is a wholly inappropriate use of the tool,” said Javvad Malik, security awareness advocate at KnowBe4.

“Excel is a very good spreadsheet, but it has its limitations and in no way ever intended to be used as a database.”

Excel “not the right tool” for coronavirus test data

Multiple technology and infosecurity experts have expressed concern over the government’s decision to use Excel for such a sensitive task.

“Whilst the ubiquitous Microsoft Excel spreadsheet can be a useful tool for basic manipulation and analysis of small data sets, it’s clearly not the right tool for the job of correlating and reporting on the national infection rates of the pandemic,” said Matt Walmsley, EMEA director at Vectra.

As well as the failure reported today, there are data privacy concerns over the decision to store coronavirus test results in this way.

“How storing information on medical information in excel files which are then circulated to a wide audience can be seen as anything apart from the outmost temporary of solutions is surprising given the rather strict opinions on data privacy voiced within the European Union over the last few years,” said Martin Jartelius, CSO of Outpost24.

“It is not strange if this was the solution day one, week one, month one, but to see that it’s still in use and having hit the limits of its capacity is more than embarrassing. And to see that the solution has been to “split the file in batches” rather than finding a proper solution to an actual problem even more so.”

A temporary solution?

Some have speculated that while Excel is currently being used to manage coronavirus test results, it is a stepping stone to a more appropriate solution, put in place as a stopgap measure.

“The main benefit of track and trace technology is rapidly being able to notify somebody of any potential exposures. I would speculate that Public Health England are looking to move to a more suitable technology that can provide more granular permissions for users who are creating, reading, updating and deleting information on the current system,” said David Kennefick, product architect at Edgescan.

“Excel may be used to refine the process for implementation into another more suitable technology. The main concerns are: who has access to the data, do they need access, is their access audited and do they have access to only the data that pertains to them being able to perform their tasks in a timely manner.

“Track and trace is very new for most countries, there will be a bedding-in period where these questions must be answered.”

Many are now urging the government to rapidly invest in a more appropriate solution in light of the incident, which not only warped the reporting of coronavirus cases in a UK in a manner that will impair future modelling of the virus, but may have led to some people contracting the virus due to the inability to contact them following their exposure.

“Desktop tools such as Excel should not be used for large datasets, and investment should be made in technology that can securely process large datasets to ensure data integrity and accurate results,” said Paul Norris, senior systems engineer – EMEA at Tripwire.

“Additional problems around spreadsheets are around resiliency and potential data loss, with limited controls on what can be deleted and restored if lost. Backups of this data is harder to manage if in constant use, and security controls need to be adopted to ensure access to the spreadsheet data is not readily available to anyone.”

It also serves as a reminder for businesses about the importance of using the right software for the right job.

“Loosing data due to the limits of the tool reminds us of the need for robust quality assurance along with understanding the risks from manual processes and user error,” said Walmsley.

“As part of Microsoft Office 365, the world’s most popular software as a service offering, let’s hope the UK government has taken a more robust approach to access and security controls around this sensitive data.”

Read more: UK’s coronavirus test and trace fails GDPR requirement