Indonesia has started to investigate a potential data breach concerning its old Covid-19 tracing application, which allegedly affected more than a million Indonesians. The app in question is the electronic Health Alert Card (eHAC), which has been out of commission since July 2 this year.
According to Bloomberg, this is the second data breach that affected Indonesia in a span of three months. A health ministry official announced the suspected data security breach on Tuesday, August 31, 2021.
The eHAC system was previously used by the Indonesian government for various tracing initiatives, including the recent virus pandemic. Reuters reports that the mobile application was used by travelers to disclose their current status and whether or not they are carriers of the virus.
The eHAC now sits under the Peduli Lindungi (Care Protect) app, which is the primary means by which the Indonesian government carries out its contact tracing efforts. Apart from traveling, the app is also being used upon mall entry, states Reuters.
Researchers from vpnMentor revealed in a blog post on Monday, August 30, 2021, that the personal information of more than 1.3 million Indonesians was vulnerable. This included their names, contact details, and Covid-19 test results.
The type of test conducted, the date and place the test was issued, and the eHAC and hospital ID were also left vulnerable.
In addition, vpnMentor researchers said that the exposed server showed confidential information across 226 hospitals and facilities in the country, including the hospital details, the passenger’s doctor, the guardian or person responsible for the passenger, the types of passengers allowed in the facility, and many others.
On top of this, passenger details were also compromised. These include the passenger’s full name and ID number, mobile number, gender, date of birth, citizenship, Indonesian ID number, passport, and profile photo.
According to the vpnMentor researchers, the developers hired by the Indonesian Ministry of Health failed to implement the necessary data privacy protocols, leaving the data within the app exposed on an open server.
Following the suspected data breach affecting millions of users, Bloomberg said the health ministry’s head of data center and information, Anas Maruf, remarked that “An investigation is being conducted, as well as further examination into the leak.”
Maruf also said, “the eHAC from the old version is different from the eHAC system that is part of the new app. Right now, we’re investigating this suspected breach,” reports Reuters.
Indonesians have been told to immediately delete the unsecured Covid-19 tracing application. Reuters reported that Maruf said the breach may have stemmed from a partner firm, but he declined to provide more details.