The leak came from the electronic health alert card (eHAC) app. eHAC was mandatory for anyone entering Indonesia from abroad and for anybody who wanted to board domestic flights. Travelers were required to download the app and provide the app with personal data, including contact details and their latest COVID-19 test results.
Researchers from encryption and cybersecurity firm vpnMentor informed the Indonesian government that eHAC became accessible to hackers "due to the lack of protocols put in place by the app's developers."
"Our team discovered eHAC's records with zero obstacles, due to the lack of protocols in place by the app's developers," said the vpnMentor research team. "Once they investigated the database and confirmed the records were authentic, we contacted the Indonesian Ministry of Health and presented our findings."
"An investigation is being conducted, as well as further examination into the leak," said Anas Ma'ruf, head of the data and information center in the health ministry.
An older version of the eHAC app was decommissioned on July 2. A newer version had its features integrated into Peduli Lindungi, a new app which the government has promoted for contact tracing, tracking COVID-19 vaccination status and as a vaccine passport for entry into malls. (Related: Vaccination tracking apps ineffective, amplify inequalities, pose privacy issues: report.)
Ma'ruf said the potential flaw came from the decommissioned version of eHAC. He assured Indonesians that any flaws in that old app have not been integrated into Peduli Lindungi.
"The eHAC from the old version is different from the eHAC system that is a part of the new app," he said. "Right now, we're investigating this suspected breach."
Despite these assurances, the Indonesian government still believes that eHAC's developers are to blame for the leak.
While the investigation is ongoing, Ma'ruf asked Indonesians to delete the old app. VpnMentor researchers said the leak could expose people to phishing or hacking attempts.
Ma'ruf added that the current eHAC system integrated into Peduli Lindungi is now being managed by the government and not by a third party. Thus, he claimed its safety is now guaranteed.
The data leaked included full names, contact information, dates of birth, citizenship status, job status, photographs and passport and national Indonesian ID numbers.
According to vpnMentor's research team, the Indonesian government attempted to avoid talking about the data breach.
The vpnMentor research team said that it did not receive any message from the Indonesian government until late in August, several weeks after the team first informed the health ministry of the breach.
After its first attempts at reaching out to the government failed, vpnMentor instead reached out to other government ministries, including one department that was responsible for responding to cybersecurity threats. The researchers even attempted to contact Google, which hosted eHAC's servers.
VpnMentor did not get a reply until Aug. 22. Two days later, on Aug. 24, the old eHAC servers were finally taken down.
The Indonesian government has done little to nothing regarding the leaked data other than to take down the servers and inform the public that the breach occurred.
The vpnMentor researchers warned that private information regarding Indonesian hospitals has also been leaked. This includes the personal information of people working in at least 226 hospitals and clinics all over Indonesia, as well as the names of the people responsible for testing travelers for COVID-19.
The leaked database even had the personal information of an eHAC app user's parents or next of kin, as well as the hotels they will be staying in for their quarantine.
"Had this data been discovered by malicious or criminal hackers, and allowed to accumulate data on more people, the effects could have been devastating on an individual and societal level," wrote vpnMentor.
Learn more about how governments are using the pandemic to violate people's privacy by forcing them to use vaccine tracking apps by reading the latest articles at PrivacyWatch.news.
Sources include: