Indonesia is once again contending with a sizable data breach. The personal data of approximately 1.3 million users of the country’s electronic Health Alert Card, or eHAC “test and trace” program, was purportedly exposed when it was stored on an open server, according to a report published by researchers of cybersecurity firm vpnMentor. The leak was possible because the developers of eHAC implemented poor data privacy protocols, the report says.
The Indonesian government requires anyone who wants to enter the country or board domestic flights to fill out a form on eHAC, which can be accessed via the health ministry’s official website or through eHAC’s mobile apps for Android and iOS, which were launched by the ministry earlier this year.
The leaked records contain sensitive personally identifiable information: passengers' national ID numbers, mobile phone numbers, passport details, and the profile photos attached to their eHAC accounts, as well as data on passengers' next of kin. They also include passengers' COVID-19 test data, namely hospital IDs, test results, and the dates of those results. Data from 226 hospitals and clinics in Indonesia were exposed in the breach as well.
The vpnMentor research team discovered the leak on July 15. They were able to locate the eHAC database easily as it was completely unsecured and unencrypted. After confirming the data’s authenticity, the team contacted the health ministry to present their findings a week later but received no response. They then reached out to Indonesia’s computer emergency response team, or CERT, on July 22, and contacted Google, which is eHAC’s hosting service provider, three days later. Since the team did not receive any replies from these institutions, they contacted the National Cyber and Encryption Agency on August 22 and received a response on the same day. Two days later, the server was taken down.
In general, COVID-19 tracing apps gather large amounts of data from users, especially those who have tested positive, in order to map transmission using technologies such as Bluetooth and GPS. Experts worldwide have raised concerns about the security of the data these apps amass: if developers fail to follow privacy and security best practices, users are exposed to data breaches and the harms that follow from them.
This case also shows how fragile data protection is in Indonesia. In May, the server of the country’s healthcare and social security agency was breached, resulting in the data of 279 million Indonesians being posted on a hacker forum. Two months later, the data of customers of insurance company BRI Life was also reportedly leaked. Evidently, the government and institutions that manage people’s data need to step up their game to protect users’ privacy. However, with unclear regulations and slow investigations when data troves are accessed by malicious parties, it looks like this case won’t be the last data breach that puts millions of Indonesians at risk.