An independent report has revealed a data breach in the Indonesian government's COVID-19 test-and-trace mobile app, potentially affecting records of around 1.3 million users. 

Launched this year, the electronic Health Alert Card (eHAC) is a mandatory requirement for travellers entering Indonesia. It stores users' health status, personal data, contact details, COVID-19 test results, among others.

The leak was detected by researchers from encryption provider vpnMentor who are conducting a web mapping activity to spot unsecured data stores containing sensitive information.

FINDINGS

In a report, vpnMentor said the developers were using an unsecured database to store around 2 gigabytes of records from millions of app users. According to the researchers, they were able to access via browser the Elasticsearch database, which is usually not designed for URL use.

"These records didn’t just expose the users. This data leak exposed the entire infrastructure around eHAC, including private records from hospitals and Indonesian officials using the app," the report read.

Once the researchers were able to detect the exposed database, they first contacted the health ministry and the Indonesia Computer Emergency Response Team, but to no avail. They only received a response from the National Cyber and Encryption Agency who have taken down the server on 24 August. 

WHY IT MATTERS

The report found that the app's developer failed to put up "adequate" data privacy protocols, leaving the data of over a million users exposed on an open server. Experts from vpnMentor said the unprotected data can be used for fraud, phishing or hacking and disinformation campaigns. 

Ultimately, they advised the developers to set up some basic security measures, such as server security and implementation of proper access rules.

According to a Reuters news report, the Indonesian government is already investigating the incident, which occurred in the earlier version of the eHAC app that has not been in use since July. 

Anas Ma'ruf, a health ministry official, said the previous version is different from the eHAC system that is now part of the Peduli Lindungi (Care Protect) app, which is being used for contact tracing purposes. 

Still, the health ministry has advised citizens to delete the old app on their mobile devices.

Without giving further details, the authorities are suspecting that the data breach might have happened on a third party's system.

THE LARGER TREND

In May, social security data of around 100,000 Indonesians were found being sold through a hacking forum. The data were supposedly leaked from state insurer BPJS Kesehatan and included information on families and payment status. 

Just weeks ago, a private eye clinic in Singapore disclosed that it was hit by a ransomware attack earlier in the month. The incident on Eye & Retina Surgeon's clinic server and management system affected records of over 73,000 patients.