Information associated with more than a million people has been exposed due to a breach in the Indonesian government’s electronic Health Alert Card (eHAC) ‘test and trace’ program, created for people entering Indonesia to ensure they’re not carrying Covid-19 into the country.
This is according to researchers from vpnMentor, who claim to have discovered the data breach in the eHAC program.
As reported by media outlet ZDNet, the eHAC app was established in 2021 by the Indonesian Ministry of Health and was made to tackle the Covid-19 pandemic spread in the country. It is a mandatory requirement for any traveller entering Indonesia from overseas, both Indonesian citizens and foreigners.
The eHAC app is typically downloaded onto a passenger’s mobile device and stores their current health status, personally identifiable information (PII), contact details, Covid-19 test results and more.
However, Noam Rotem and Ran Locar from vpnMentor’s research team claim that the app developers failed to implement adequate data privacy protocols when creating the app, leaving the data of over a million people exposed on an open server.
According to vpnMentor, the developers of the eHAC app were using an unsecured, publicly reachable Elasticsearch database to store over 1.4 million records from approximately 1.3 million eHAC users.
“These records didn’t just expose the users,” vpnMentor said in an online post. “This data leak exposed the entire infrastructure around eHAC, including private records from hospitals and Indonesian officials using the app.”
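The failure described above is a familiar one: an Elasticsearch node listening on its REST port with security disabled answers any unauthenticated request, including a listing of every index and its document count. The following is an added example, not code from the article, vpnMentor or the eHAC project, of a small probe that tells a secured node from an open one. The base URL, the index names and the sample responses are assumptions constructed for illustration; the same `assess()` function can be pointed at a real host through `http_fetch()`.

```python
"""Check whether an Elasticsearch endpoint answers without credentials.

Added example for this article; it is not code from vpnMentor or the eHAC
project. The URL, index names and sample responses below are assumptions
constructed for illustration.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetch function takes a URL path and returns (HTTP status, response body).
Fetch = Callable[[str], Tuple[int, str]]


def http_fetch(base_url: str, timeout: float = 5.0) -> Fetch:
    """Build a fetch() that GETs base_url + path with no credentials at all."""
    def fetch(path: str) -> Tuple[int, str]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


def assess(fetch: Fetch) -> Dict[str, object]:
    """Classify an endpoint: is it Elasticsearch, and does it answer anonymously?"""
    report: Dict[str, object] = {"elasticsearch": False, "auth_required": False,
                                 "anonymous_read": False, "indices": [], "documents": 0}
    status, body = fetch("/")
    if status == 401:
        # Something demands credentials before telling us anything; a 401 alone
        # does not prove the service is Elasticsearch, so only record the auth.
        report["auth_required"] = True
        return report
    try:
        root = json.loads(body)
    except ValueError:
        return report
    # An Elasticsearch root response carries cluster_name and a version object.
    if status != 200 or not isinstance(root, dict) or "cluster_name" not in root:
        return report
    report["elasticsearch"] = True
    report["anonymous_read"] = True
    report["cluster_name"] = root["cluster_name"]

    # Anonymous access to the root is already a finding; _cat/indices shows how much data sits behind it.
    status, body = fetch("/_cat/indices?format=json")
    if status != 200:
        return report
    indices: List[Dict[str, str]] = json.loads(body)
    # Skip system indices such as .kibana; they are not the application's data.
    user_indices = [i for i in indices if not i.get("index", "").startswith(".")]
    report["indices"] = sorted(i["index"] for i in user_indices)
    report["documents"] = sum(int(i.get("docs.count") or 0) for i in user_indices)
    return report


# Constructed responses standing in for a live server (assumed names, not real eHAC data).
OPEN_NODE: Dict[str, Tuple[int, str]] = {
    "/": (200, json.dumps({"name": "node-1", "cluster_name": "health-cluster",
                           "version": {"number": "7.10.2"},
                           "tagline": "You Know, for Search"})),
    "/_cat/indices?format=json": (200, json.dumps([
        {"index": "travellers", "docs.count": "1300000", "store.size": "1.2gb"},
        {"index": "test_results", "docs.count": "100000", "store.size": "80mb"},
        {"index": ".kibana_1", "docs.count": "12", "store.size": "40kb"},
    ])),
}
SECURED_NODE: Dict[str, Tuple[int, str]] = {
    "/": (401, json.dumps({"error": {"type": "security_exception",
                                     "reason": "missing authentication credentials for REST request"},
                           "status": 401})),
}


def fake_fetch(responses: Dict[str, Tuple[int, str]]) -> Fetch:
    """Offline stand-in for http_fetch() backed by the constructed responses above."""
    return lambda path: responses.get(path, (404, ""))


def demo_open() -> Dict[str, object]:
    return assess(fake_fetch(OPEN_NODE))


def demo_secured() -> Dict[str, object]:
    return assess(fake_fetch(SECURED_NODE))


if __name__ == "__main__":
    print(json.dumps(demo_open(), indent=2))
    print(json.dumps(demo_secured(), indent=2))
    # Against a real host (assumed URL): print(assess(http_fetch("http://127.0.0.1:9200")))
```

Run against the constructed open node the probe reports an anonymous-read cluster with two application indices holding 1.4 million documents; against the secured node it reports only that authentication is required. On the defensive side the settings that close this hole are the ones the report implies were missing: enable `xpack.security.enabled: true` in `elasticsearch.yml` so every request needs credentials, bind `network.host` to a private interface rather than `0.0.0.0`, and never expose port 9200 to the internet without a reverse proxy and network controls in front of it.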
vpnMentor also claimed that its cyber security team discovered the exposed database as part of a broader effort to reduce the number of data leaks from websites and apps around the world.
“Our team discovered eHAC’s records with zero obstacles, due to the lack of protocols put in place by the app’s developers,” the company claimed. “Once they investigated the database and confirmed the records were authentic, we contacted the Indonesian Ministry of Health and presented our findings.
“After a couple of days with no reply from the ministry, we contacted Indonesia’s CERT [Computer Emergency Response Team] agency and, eventually, Google – eHAC’s hosting provider,” it added.
By early August, vpnMentor claimed, it had not received a reply from any of the concerned parties.
“We tried to reach out to additional governmental agencies, one of them being the BSSN (Badan Siber dan Sandi Negara), which was established to carry out activities in the field of cyber security. We contacted them on August 22, and they replied on the same day. Two days later, on August 24, the server was taken down,” the company said.
vpnMentor said that the data leak has wide-ranging implications for eHAC and the Indonesian government’s efforts to contain Covid-19.
“Had the data been discovered by malicious or criminal hackers, and allowed to accumulate data on more people, the effects could have been devastating on an individual and societal level,” it said.
News of the breach comes just a handful of months after it was revealed that more than 300,000 files and documents, some of which contained sensitive information, belonging to the Office of the Solicitor General of the Philippines were accessed by an unknown party.
UK-based cyber security provider TurgenSec said in an online post published earlier this year that the data breach contained files ranging from documents generated in the day-to-day running of ‘the Solicitor General of the Philippines’, to staff training documents, internal passwords and policies, staffing payment information and information on financial processes and activities including audits.
The breached information also included several hundred files titled with presumably sensitive keywords such as “Private, Confidential, Witness and Password,” the company said.