DATA BREACH BLOWBACK - JAMCOVID exposure a treasure trove for scammers, says expert
The exposure of personal data for tens of thousands of Jamaican and international travellers on the Government’s much-touted JAMCOVID web portal has triggered fears that the breach could threaten confidence in the Holness administration’s proposed...
The exposure of personal data for tens of thousands of Jamaican and international travellers on the Government’s much-touted JAMCOVID web portal has triggered fears that the breach could threaten confidence in the Holness administration’s proposed National Identification System (NIDS).
The application, developed by the Amber Group, allows users to enter personal data, including medical records, before they are given approval to enter Jamaica. The application is also used to track the movement of those placed in quarantine.
Alarm bells went off on Wednesday when American online newspaper TechCrunch exposed that a cloud storage server with uploaded documents had been left unprotected, leaving thousands of files at risk on the Internet.
It was reported that more than 70,000 negative COVID-19 lab results, over 425,000 immigration documents authorising travel to the island – including identity and passport information – and more than 250,000 quarantine orders dating back to June 2020 were at risk.
The server, which reportedly contained more than 440,000 images of travellers’ signatures, exposed more than 1.1 million of those who had been placed in quarantine and uploaded self-check-in videos.
Jamaica House said on Wednesday that it launched an investigation to determine whether there were breaches of travellers’ data security.
Several calls to Dushyant Savadia, Amber founder and CEO, went unanswered on Wednesday.
The extent of the legal troubles facing the Government depends on whether Governor General Sir Patrick Allen signed the recently passed Data Protection Act into law.
Attorney-at-law and data-privacy specialist Chukwuemeka Cameron nonetheless argued that the doomed first edition of the controversial National Identification Registration Act, which undergirded NIDS, re-established the right to privacy.
“Data breaches will happen. The Government needs to demonstrate that they understand the seriousness of the breach and take the active remedial steps,” Cameron told The Gleaner on Wednesday.
The attorney said that all persons whose data might have been compromised should be informed formally.
The national security ministry said it has contacted those whose data might have been breached but did not say how many persons were contacted.
One person who landed in Jamaica twice since the application was launched, told The Gleaner she gave up her information willingly to the Government, knowing the pandemic had pushed the envelope.
Tahira Marshall, who travelled to Jamaica in July and November 2020 during the coronavirus pandemic, admitted that she had initial concerns about the amount of data being collected but looked past her concerns because she believed her information was secure.
But on Wednesday when news broke of the breach, she “was taken aback”.
“Now that the information is out there, I am not sure what anyone can do with that information,” the 24-year-old student and entrepreneur told The Gleaner.
“That’s a lot of private detail and someone can easily hack your information and steal your identity, so that’s very concerning to me.”
Gavin Dennis, a consultant and director of G5 Cyber Security Company, echoed Marshall’s concern, reasoning that the data potentially offered the perfect lead sheet for lottery scammers, who have targeted mainly elderly North Americans.
“This security incident will cause citizens to be more sceptical of the Government’s ability to properly secure NIDS,” Dennis predicted.
Cameron, though, said that the scale of the data breach was immaterial to a defence.
“There is no difference between 1,000 records being exposed as opposed to half a million,” Cameron quipped.
The attorney-at-law told The Gleaner that the information commissioner’s office needs to be established and come into effect very quickly.
“That will be the guardian of our personal data,” he said.
Cameron has raised whether the Data Protection Act should be amended to make data processors subject to the law’s reach.
“Only the data controllers are subjected to it, and in this instance, it would be Government of Jamaica, either through the Ministry of National Security, or Ministry of Health, or the Office of the Prime Minister,” he noted.
The Opposition People’s National Party put the Government on alert that it would be pressing National Security Minister Dr Horace Chang and his permanent secretary on the issue this week.
“Platitudes and assurances don’t have much currency in matters like this,” PNP spokesman Hugh Graham said in a statement Wednesday evening.
“What Jamaicans and the potential victims of identity theft want is a clear demonstration of competence.”
The Government has deepened its relationship with the Amber Group since the roll-out of the JamCOVID-19 application.
In January, the Amber Group inked a deal with the Government to have Jamaican youth trained to code, facilitated through the HEART/NSTA Trust.