The government has been hit with another massive data breach scandal, this time involving a COVID-19 test and trace app, but so far its only solution is to recommend that users delete what is now effectively an obsolete app.
A report by cybersecurity research firm vpnMentor published earlier today said that the sensitive data of 1.3 million users — including ID numbers, addresses, and health history — from the Indonesian Health Ministry’s electronic Health Alert Card (eHAC) app was exposed on a publicly accessible server. The app, which was created in early 2021 and held users’ COVID-19 test data, was mandatory for domestic travel for both Indonesian citizens and foreigners.
Regarding the leak, vpnMentor said: “Our team discovered eHAC’s records with zero obstacles, due to the lack of protocols put in place by the app’s developers. Once they investigated the database and confirmed the records were authentic, we contacted the Indonesian Ministry of Health and presented our findings.”
However, vpnMentor said it did not receive a response from the ministry after it flagged the issue in late July. It was only after vpnMentor contacted Indonesia’s National Cyber and Encryption Agency (BSSN) on Aug. 22 that the firm received a response from Indonesian authorities. On Aug. 24, BSSN shut down the server.
The Health Ministry publicly responded to the report today, urging users to delete the eHAC app as a precaution, especially since the ministry says it no longer relies on the app.
“Since July 2021, we have been using the PeduliLindungi app, and eHAC has been integrated into that app. The system that was in the old eHAC is different from the eHAC that’s integrated into PeduliLindungi,” Health Ministry Data and Information Center Head Anas Ma’ruf said during a press conference today.
According to Anas, data stored in PeduliLindungi’s servers is better protected thanks to BSSN and the Information and Communications Ministry.
The ministry did not provide an explanation for the report’s claim that the old eHAC app’s cybersecurity was virtually non-existent, nor did it offer anything in the way of an apology.
But that’s probably because private data protection is rarely taken seriously in Indonesia, despite repeated calls from experts for the country to strengthen its cyber and data protection laws. There have been no long-term commitments to strengthen cybersecurity in the country following massive data breaches in the past, including the May 2021 leak of social security data on 279 million people (including the deceased) and the June 2020 online trading of data on 91 million users of e-commerce platform Tokopedia.