Indonesia’s Covid-19 App leaked healthcare data of 1.3M travelers

The test-and-trace app exposes users personal and sensitive data on an open server

Information related to personal details and healthcare got leaked on the server for anyone to see. At least 1.3 million people affected

vpnMentor's research team discovered a massive data breach and information exposure in the Indonesian government’s electronic Health Alert Card or eHAC program created to fight back and manage the COVID-19 pandemic spread in the country. It is stated that eHAC is a test-and-trace app for people entering Indonesia and it is used to ensure that travelers aren't carrying the virus into the country. The app was presented to the public in 2021 by the Indonesian Ministry of Health.

It seems that app developers failed to implement safe data privacy protocols and left the data of over 1 million people exposed on an open server. About 2 GB of data, 1.4 million exposed records, 1.3 million exposed people, and information like personally identifiable data, travel details, medical records, and COVID-19 status are now for easy grab online. However, for hackers, even more, information could be used.

Type of passenger ID, hospital ID, queue number while doing the test, reference number, address for a home visit, type of test, the result of said test, and date are also compromisable. Such sensitive details, especially medical information, could be used in fraud, hacking, disinformation, and other criminal campaigns. However, these records didn’t just expose the users. Data leak exposed the entire infrastructure around eHAC, including private records from hospitals and Indonesian officials.^[1]

A serious investigation is promised

After a long silent period, Indonesian officials finally addressed the matter. Anas Ma'ruf, a health ministry official overseeing data, said the government was looking into the breach, however, he stressed that the flaw was in an earlier version of the app, which has not been used since July. One way or another, the government has issued the investigation process and officials urge people to delete the old app.

It is unclear as of right now what is the reason for such a huge data leak but several experts speak out that such data breaches point to Indonesia's weak cyber security infrastructure. Back in May authorities also launched an investigation into an alleged breach of social security data from the country's state insurer. Personal data involving millions of people were being sold.^[2]

Covid-19 related information has been leaked before as well. In August around 38 million records from thousands of web apps that use Microsoft's Power Apps portals platform were left exposed online. The records had sensitive information like data related to COVID-19 contact tracing, vaccine registrations, and employee databases, such as home addresses, phone numbers, social security numbers, and vaccination status.^[3]

Covid-19 apps come with a certain danger for data leak

Researchers discovered data leaks as part of a broader effort to reduce the number of data leaks from websites and apps around the world. It was announced that there were zero obstacles to find sensitive information from the app, due to the lack of protocols in place. Researchers contacted the Indonesian Ministry of Health and presented their findings. However, no reply came from that.^[4]

After some time concerned experts then contacted Indonesia's Computer Emergency Response Team agency and later, even Google which provides hosting for eHAC's. However, no comment came from neither of the governmental agencies as well. Finally, after contacting the BSSN (Badan Siber dan Sandi Negara), which carries out activities in the field of cyber security, researchers got the response and on August 24th the server was taken down.

The Indonesian Ministry of Health and Foreign Ministry did not offer any explanation of the situation at first and it isn't shocking. Covid-19 apps and all types of documentation are emerging all over the world and right now everyone is using them. Alternative variations of such things could be found in various countries as the particular app or a document provides personal information and medical details. If somehow it would be leaked, everyone using the national Covid-19 certificate could become a victim.^[5]

Hackers may be able to use such apps for scams. Depending on how they’re built and the kind of data they gather, some apps may contain highly sensitive information and other PII. Therefore, any data that can identify a specific individual is valuable to hackers. If hackers were to compromise an app, this could cause big problems for app-makers as many people are already concerned with the safety of such innovation.^[6]