The electronic Health Alert Card, or eHAC, a COVID-19 tracing program built by the Indonesian Ministry of Health this year, has been analyzed by cybersecurity organizations. It has been determined that it has been breached. Moreover, the researchers have stressed that the application does not implement proper data privacy protocols, which exposed the private information of over one million users of the application through an open server.
The main goal of the eHAC app is to collect COVID-19 test results from users, particularly those going to Indonesia. It also tracks the user’s health status, personal and contact specifics, and COVID-19 test results, along with other vulnerable data. The app has also been a requirement for everyone, not just for overseas travelers but also for Indonesian residents who travel domestically.
The researchers have uncovered the data breach from their investigation and concluded that the eHAC application lacks proper security protocols.
They immediately reached out to the Indonesian Ministry of Health after confirming the findings against the said app.
Although after several days of waiting for the ministry’s feedback, the security researchers have not received a response, so they contacted the Computer Emergency Response Team agency of Indonesia instead, up to eHAC’s hosting provider, Google – to no avail. They also tried contacting BSSN or Badan Siber dan Sandi Negara. This government agency also carries out cybersecurity activities, and fortunately, the agency has responded the same day that they reached out. The server was taken down just a couple of days after their communication with BSSN.
The researchers have reported that the eHAC application developers have executed an unsecured and Elasticsearch database in storing more than 1.4 million records from the estimated 1.3 million users of the eHAC app. In addition to the reports about the issue, all of the infrastructures within the app are found to be exposed. These include Indonesian hospitals and government officials’ private data that has used the app. However, the Indonesian Ministry of Health and Foreign Ministry has yet to respond to the problem.
Passports and national Indonesian ID numbers were some of the detailed exposed private user information from the eHAC app. Aside from it, COVID-19 test results, addresses, birthdays, jobs, phone numbers, and ID numbers are also included with the leak. Even the eHAC staff members themselves have been victimized by the leak since their sensitive information has been stored with the app.
It could have been a devastating problem had all the exposed data been quickly discovered by active criminal hackers. The information stored in the app is susceptible and could be useful for manipulating cyber threats. The researchers stated that it is essentially easy for any experienced hacker to pretend to be a health official and implement scams against the 1.3 million users that have gotten their data exposed.
Moreover, this issue would inflict great mistrust against the Indonesian government had the people learned that their private information was exposed to breach due to negligence in implementing advanced security protocols in the app that they were required to install in the first place.
Under these circumstances, the security researchers advise the people who have used the eHAC app to directly reach out to the Indonesian Ministry of Health. The app developers should also make more effort to ensure the security of their servers and implement proper security protocols.
