The Indonesian government is exhorting the public to delete a COVID-19 test and trace app that left users’ personal information exposed on an unsecured server.
The data breach in the Indonesian government’s electronic Health Alert Card (eHAC) program was discovered by a research team at vpnMentor led by Noam Rotem and Ran Locar.
The program and the eHAC app were created in 2021 to monitor the coronavirus infection status of people entering the country. Obtaining an eHAC was mandatory for any traveler, including native Indonesians, when entering the Republic from overseas or taking a domestic flight within Indonesia.
Researchers discovered that the app’s developers “failed to implement adequate data privacy protocols and left the data of over 1 million people exposed on an open server.”
In total, 2GB of data belonging to the Republic’s Ministry of Health were exposed on an Elasticsearch server. Researchers said the data included more than 1.4 million records and that approximately 1.3 million individuals had been impacted.
Information left unsecured included personally identifiable information (PII), medical records, contact details, travel information, and COVID-19 infection status.
Researchers noted: “Had the data been discovered by malicious or criminal hackers, and allowed to accumulate data on more people, the effects could have been devastating on an individual and societal level.”
The database of unprotected records was discovered by researchers on July 15. It was reported to the Ministry of Health on July 21 and to the Indonesian Computer Emergency Response Team (ID-CERT) on July 22.
“Our team discovered eHAC’s records with zero obstacles, due to the lack of protocols put in place by the app’s developers,” wrote researchers in a blog post detailing the leak.
“Once they investigated the database and confirmed the records were authentic, we contacted the Indonesian Ministry of Health and presented our findings.”
Despite twice flagging the open database, to the Ministry of Health and to ID-CERT, the researchers only received a response about the security incident in August, after contacting Indonesia’s National Cyber and Encryption Agency (BSSN), which shut down the server on August 24.
The eHAC app has now been integrated into a new app called PeduliLindungi. However, the Health Ministry, which publicly responded to the research findings earlier today, urged eHAC users to delete the app as a precaution.