Editorial | Gov’t must immediately tighten its data security
Last week’s discovery of a security lapse on Jamaica’s JamCOVID that left the private information of tens of thousands of people open to scrutiny on the public Internet demands far more than dire warnings of the consequences people could face, under the Cybersecurity Act, if they helped themselves to the trove of data.
But even as it investigates this failure, the Government should have already undertaken a comprehensive security audit – if one isn’t already under way – of all its databases, to ensure that their fail-safe systems are more robust than was the case with the JamCOVID site, and that the information they hold, belonging to millions of citizens, is not as vulnerable as that uploaded to the JamCOVID site by people seeking to visit the island. At the same time, the Government should publicly commit to the standards prescribed by the Data Protection Act for the security and management of people’s private information, even before that law, approved by Parliament last year, is promulgated.
Further, the lessons of the JamCOVID affair shouldn’t be lost to the parliamentary committee hearings into the proposed law for a voluntary national identification system (NIDS), confidence in which would have taken a heavy hit from the current fiasco. An earlier version of the NIDS law, which would have made the national ID compulsory, was struck down as unconstitutional by the Supreme Court.
The JamCOVID web portal and the app that feeds it were developed by Dushyant Savadia’s Amber Group to manage applications for travel to Jamaica in the face of the COVID-19 pandemic, and to monitor the people who actually come to the island. The data is stored in the cloud, hosted by Amazon Web Services (AWS).
Last week, the online technology publication, TechCrunch, revealed that the “storage server storing those uploaded documents was left unprotected and without a password, and was publicly spilling out files on to the open web”.
The volume of data on the site wasn’t previously disclosed. However, TechCrunch reported that it contained:
“more than 70,000 negative COVID-19 lab results, over 425,000 immigration documents authorising travel to the island – which included the traveller’s name, date of birth and passport numbers – and over 250,000 quarantine orders dating back to June 2020”. Additionally, the report said, there were 440,000 images of people’s signatures.
That is a lot of information with which bad actors might have made, and may still make, mischief. So, the Government’s reminder about the law on the unauthorised use of data is understandable, as is its request for the police’s cybercrimes unit to investigate the matter. So, too, is its commissioning of a review of the entire episode.
We welcome the insistence on a quick turnaround.
CLARIFY TWO ISSUES
Yet, there were at least two issues that could, and ought to have been immediately clarified, to avoid any sense of a delay to get ducks in a row. It was announced that the account under which the data is hosted on the Amazon server is owned by the Government. What that doesn’t say is if it was managed by the Government, or by a third party – an independent contractor – on behalf of the Government.
And very critically, it should have been known, and ought to have been said, whether, before TechCrunch’s revelation, the data was under a security lock, which might have been breached. That would give a sense of how long it may have been since the data was susceptible to malicious or other forms of interference.
If the data was never under a security lock, that would be a most egregious lapse of cybersecurity protocols. If, perchance, the system was secure but hacked, then there are questions about the effectiveness of the security arrangements in the first place. There would be questions then about how often sweeps were conducted to identify and catch hackers, phishers and trollers.
The implementation of the Data Protection Act, we appreciate, can’t be done until its supporting infrastructure is in place, including the data commission, the tsar, who will oversee and enforce regulations.
The law establishes rigid standards under which “data controllers” – individuals and institutions who collect and process sensitive information about other people – must store and manage that data. Importantly, the rules also apply to government institutions, which, it seems to us, means that they, like the private sector, will also have to appoint “data protection officers”, who will be responsible for “monitoring in an independent manner the data controller’s compliance with the provisions of this act”.
It is likely to be some time before that regime is in place. But the JamCOVID debacle will further erode people’s willingness to entrust their information to the Government lest it be made public via the Internet, or for fear of some bureaucrat or minister sticking his or her nose into their affairs towards an unholy end. There are also concerns about an overly intrusive state.
It is against that backdrop that while we await the findings of the JamCOVID review, the Government should announce that where, in its own shop, it doesn’t meet the minimum standards of the Data Protection Act, it will immediately move to them.
The law obligates data controllers who have a breach of security that puts people’s information at risk to inform the affected persons about the possibility. There is a great moral obligation for the Government to do so in this case.