Another JAMCOVID lapse
In another stunning development, the JAMCOVID-19 website up to Thursday evening was found to be publicly revealing personal information associated with over half-million quarantine orders issued by the Ministry of Health and Wellness. Discovery of...
In another stunning development, the JAMCOVID-19 website up to Thursday evening was found to be publicly revealing personal information associated with over half-million quarantine orders issued by the Ministry of Health and Wellness.
Discovery of this latest lapse comes as the Office of the Prime Minister said it has enlisted foreign investigators to assist the criminal probe into the alleged breach of the $57-million website, which the Amber Group developed and gave to the Government for free last year.
Quarantine orders are issued by the ministry, mandating travellers to stay at a designated location for 14 days to prevent the spread of the coronavirus.
Under the law, most recently amended on February 1, data gathered for electronic monitoring “shall be deleted upon the expiration of the quarantine”.
Up to 6:30 p.m. on Thursday, cybersecurity experts alerted The Gleaner to how they were able to view thousands of quarantine orders issued by the Ministry of Health and Wellness to residents across the island.
The links were shared by the US online newspaper TechCrunch and verified by local experts as being unsecured.
The section of the website was not secured by a password or required any form of credential to be accessed, and the number of orders appears to exceed 500,000 and go as far back as March 2020.
The details that have been exposed in the latest security flaw include the exact address where the person issued the order was staying and details surrounding when the document was issued and accepted, including the signature of a senior health ministry official.
Shortly after questions were sent to Amber on this latest issue, the links were later “unreachable”, and the entire JAMCOVID website was later inaccessible and “under maintenance”.
“We will be back shortly,” read a notice.
Along with providing information on COVID-19, the JAMCOVID application allows users to enter personal data, including medical records, before they are given approval to enter Jamaica.
The application is also used to track the movement of those placed in quarantine.
This lapse continues to contradict the developer of the application, Amber Group, which has insisted that “there are no vulnerabilities that could lead to any exposure or breach”.
The first flaw was “discovered on February 16, although the US reporter who broke the story, TechCrunch’s Zack Whittaker, has produced emails suggesting that health ministry officials were informed on February 14, 2020.
The second one was revealed on February 22 when an environment file containing passwords and other credentials to the backend of the application was reportedly found exposed.
Amber claimed that the file contained expired information although security experts say the environment file was needed for the application to operate.
It was revealed, too, that Amber only deleted the file after it was brought to its attention by Whittaker, a security editor at TechCrunch.
The Government announced a criminal probe into an “alleged breach” of JAMCOVID on February 17, but that has not quieted critics, including the Opposition, who have been demanding more details on the due diligence and monitoring.
Savadia boasted in a statement to The Gleaner that an assessment done by a “leading” international cybersecurity provider indicated that “there are no further vulnerabilities” that could lead to a data breach or exposure.
A request for a response from Amber was not answered up to press time Thursday night.
Earlier on Thursday, the Office of the Prime Minister said that while there was evidence of unauthorised access, there was “no evidence of data exfiltration”.
“The probe by the multiagency cyber analysis team is ongoing, and the public will be advised further as the investigation progresses,” noted the statement issued after a meeting of the National Security Council.
The OPM also sought to address concerns that the criminal probe may include a focus on the US reporter who himself has argued that the investigation appears to target him.
“While we acknowledge that there may be persons acting without malicious intent,” OPM said, “Jamaican law requires that all instances of unauthorised access be investigated and, in fact, this would be the only way we could determine whether the access was malicious or not.”
Undisclosed “overseas law enforcement partners” have been reached for support, the office added.
The Jamaica Computer Society has also shared its concern about how the Government has been handling the issue.
“The JCS believes that honesty and transparency with the public regarding the matter is imperative to ensure accountability by the responsible parties, appropriate handling of the errors, and restoration of confidence,” said Stacey Hines, the society’s president, in a statement.
The Government said a review of 162 state websites and networks has been done, with another 100 to go.
“Any credible vulnerabilities that are identified are concurrently being rectified.”