Background
Just over a week ago, the renowned online technology news site TechCrunch released a shocking article revealing a major security failure that resulted in the possible exposure of the private information of thousands of travellers to Jamaica. Within a week of the first vulnerability being exposed, TechCrunch uncovered not one but two additional security vulnerabilities, which led to the website finally being taken offline.
Based on the initial published report, the JamCovid App and website, which are used (i) to pre-approve travellers to the country, (ii) to facilitate self-reporting of COVID-19 symptoms and (iii) to aggregate and publish periodic COVID-19 statistics for the Ministry of Health, were built and developed by the Amber Group for the benefit of the Jamaican government.
The type of data collected by the JamCovid App appears to be:
- Names
- Emails
- Phone Number
- Addresses
- Passport Numbers
- Dates of Birth
- Nationality
- Name of Employers
- Job Title/Position
- Photographs
- Flight information
  - Airline
  - Date of arrival
  - Date of departure
  - Flight Number
  - Port of Disembarkment
- Cookies and Usage Data
- Health Information including temperature readings and symptoms submitted by travellers and self-reporters
- Travel Authorization Reference Numbers
- Geo-Location Information
Based on the TechCrunch article, the exposed data also included:
- Images of travellers' signatures
- Lab results
- Quarantine Orders
Source of information: Screenshots from the JamCovid App and The JamCovid Privacy Policy
According to the first report, published by Zack Whittaker of TechCrunch, a storage server hosted on Amazon Web Services, which stored uploaded documents and information, was set to public.
The Vulnerability in Perspective: A Technical Summary
The “storage server” referenced by TechCrunch is an Amazon Simple Storage Service (Amazon S3) bucket. Amazon S3 is a cloud-based object storage service built for storing and retrieving any amount of data from anywhere over the internet. It can be used through a user-friendly web interface or through the well-documented Amazon S3 REST API.
Think of the Amazon S3 service as a suitcase that you need to pack before you travel. The suitcase is the “bucket” and each item you put in it is an “object”. When using Amazon S3, a bucket must first be created with specific permissions before it can be used to store data in the form of objects. In this case the bucket was set to “public”, which means anyone in the world could read the data/objects stored in it without any credentials. This major oversight is akin to travelling with a suitcase that has no zippers to secure the items inside.
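As an added example (not code from the article, the Amber Group or AWS), the following checks show what “set to public” looks like in configuration terms: a constructed bucket policy that grants s3:GetObject to every principal, next to a hardened one scoped to a single application role, plus checks for an ACL grant to the AllUsers group and for the four S3 Block Public Access settings that refuse such public grants at the bucket level. The bucket, account and role names are placeholders.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # the "everyone" grantee

# Constructed bucket policy that makes every object world-readable: any
# principal ("*") may GetObject and no Condition narrows the grant.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-uploads-bucket/*"}]}""")

# Constructed hardened policy: only one application role may read objects.
HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app-role"},
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-uploads-bucket/*"}]}""")

def _is_wildcard_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_read_statements(policy: dict) -> list:
    """Sid (or index) of each Allow statement that lets anyone read objects.
    Only literal read actions are matched; finer wildcard expansion is omitted."""
    found = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        reads = any(a.lower() in ("s3:getobject", "s3:get*", "s3:*", "*") for a in actions)
        if (st.get("Effect") == "Allow" and reads and not st.get("Condition")
                and _is_wildcard_principal(st.get("Principal"))):
            found.append(st.get("Sid", i))
    return found

def acl_grants_all_users(acl: dict) -> bool:
    """True if a bucket ACL (GetBucketAcl shape) grants anything to AllUsers."""
    return any(g.get("Grantee", {}).get("URI") == ALL_USERS for g in acl.get("Grants", []))

def block_public_access_complete(cfg: dict) -> bool:
    """All four S3 Block Public Access switches must be on for S3 to reject
    public ACLs and policies such as WEAK_POLICY at the bucket level."""
    return all(cfg.get(k) is True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                            "BlockPublicPolicy", "RestrictPublicBuckets"))
```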
The second reported security vulnerability revealed that private keys and passwords for the JamCovid App and website were exposed through a file that had been left open and accessible on the website. Again based on TechCrunch’s report, the third security lapse concerned quarantine orders being publicly accessible from the JamCovid website, as they too were not protected with a password.
But… Was There a Breach?
GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. On the other hand, a security incident refers to a situation in which the confidentiality, integrity or availability of personal data, sensitive data or confidential information may potentially be compromised. While it is clear that there were security vulnerabilities which could have led to unauthorised access, transmission or processing of the data, there was no reported evidence of an actual breach. Until any such report, this would be classified as a security incident.
Based on all accounts, TechCrunch, through its very public incident report, merely brought the security vulnerabilities and possible data exposure to the attention of the government and its contractor. There is currently no indication that the data was downloaded, stored or processed by any unauthorized person. The Ministry of National Security also released a statement stating that it found no evidence that the vulnerabilities were exploited for malicious data extraction.
The issue is that finding no evidence of a breach is not the same as having evidence that no breach occurred.
The Amazon S3 service allows developers to enable access logging on every bucket they create, so the Amber Group and its developers would have been able to see in the logs whether the exposed bucket was accessed, if logging was enabled.
See the guide from AWS to Enabling Amazon S3 server access logging at https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
Having server access logging enabled would show how many times and from which IP addresses the data was accessed. Unfortunately, it is unclear whether the Amber Group had logging enabled. If it did not, it would be difficult, if not impossible, to conclusively establish whether a breach did in fact occur and how many times the data may have been accessed, downloaded or otherwise processed by unauthorized persons. The fact remains: the Amazon S3 bucket used to store the JamCovid data was irresponsibly configured as “public” and could have been accessed by anyone, including nefarious individuals.
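To show what those logs would answer, here is an added example (not code from the article, the Amber Group or AWS) that parses constructed lines in the AWS S3 server access log layout and counts successful object downloads per source IP, separating anonymous requests (the only kind a public bucket permits without credentials) from authenticated ones. The bucket name, request IDs and IP addresses are placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Tokeniser for the S3 server access log layout: whitespace-separated fields,
# except the bracketed timestamp and the double-quoted request URI, referer and
# user agent, which contain spaces of their own.
_TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

# 0-based positions of the fields this check needs, per the AWS log format.
_REMOTE_IP, _REQUESTER, _OPERATION, _KEY, _STATUS = 3, 4, 6, 7, 9

@dataclass(frozen=True)
class ObjectRead:
    remote_ip: str
    key: str
    anonymous: bool  # the requester field is "-" for unauthenticated requests

def parse_object_read(line: str):
    """Return an ObjectRead for a successful object GET, else None."""
    f = _TOKEN.findall(line)
    if len(f) <= _STATUS or f[_OPERATION] != "REST.GET.OBJECT" or f[_STATUS] != "200":
        return None
    return ObjectRead(f[_REMOTE_IP], f[_KEY], anonymous=(f[_REQUESTER] == "-"))

def summarize_reads(lines):
    """Count successful downloads per client IP, split into anonymous reads
    (only possible while the bucket was public) and authenticated ones."""
    anon, authed = Counter(), Counter()
    for line in lines:
        r = parse_object_read(line)
        if r is not None:
            (anon if r.anonymous else authed)[r.remote_ip] += 1
    return {"anonymous": dict(anon), "authenticated": dict(authed)}

# Constructed sample lines in the AWS layout (placeholder IDs, not real JamCovid data).
SAMPLE_LOG = """\
OWNERID examplebucket [24/Feb/2021:10:15:02 +0000] 203.0.113.7 - REQID1 REST.GET.OBJECT uploads/doc-001.jpg "GET /uploads/doc-001.jpg HTTP/1.1" 200 - 48211 48211 31 12 "-" "python-requests/2.25" - HOSTID - - - examplebucket.s3.amazonaws.com TLSv1.2 - -
OWNERID examplebucket [24/Feb/2021:10:15:03 +0000] 203.0.113.7 - REQID2 REST.GET.OBJECT uploads/doc-002.jpg "GET /uploads/doc-002.jpg HTTP/1.1" 200 - 50120 50120 29 11 "-" "python-requests/2.25" - HOSTID - - - examplebucket.s3.amazonaws.com TLSv1.2 - -
OWNERID examplebucket [24/Feb/2021:10:16:40 +0000] 198.51.100.9 - REQID3 REST.GET.OBJECT uploads/doc-003.jpg "GET /uploads/doc-003.jpg HTTP/1.1" 403 AccessDenied - 49000 8 - "-" "curl/7.64" - HOSTID - - - examplebucket.s3.amazonaws.com TLSv1.2 - -
OWNERID examplebucket [24/Feb/2021:10:20:00 +0000] 192.0.2.10 OWNERID REQID4 REST.GET.OBJECT uploads/doc-001.jpg "GET /uploads/doc-001.jpg HTTP/1.1" 200 - 48211 48211 40 15 "-" "aws-sdk-java/1.11" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.amazonaws.com TLSv1.2 - -
OWNERID examplebucket [24/Feb/2021:10:21:00 +0000] 192.0.2.10 OWNERID REQID5 REST.PUT.OBJECT uploads/doc-004.jpg "PUT /uploads/doc-004.jpg HTTP/1.1" 200 - - 51000 60 20 "-" "aws-sdk-java/1.11" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.amazonaws.com TLSv1.2 - -
"""

if __name__ == "__main__":
    print(summarize_reads(SAMPLE_LOG.splitlines()))
```

Real logs are delivered to a separate target bucket with some delay, so a review should cover the whole exposure window rather than only the day the report was published.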
What about the Travellers/Data Subjects?
Notwithstanding the absence of evidence of a breach, it is clear that the data subjects’ right to transparency should effectively grant them the right to be notified of any major operational failure that puts their personal information at risk of exploitation. Implicit in this right to transparency is the data subjects’ right to mitigate any loss or damage which may result from the failure of the Amber Group, and by extension the GoJ, to handle their data properly and securely.
While no data breach has been reported or confirmed, it is clear that personal data was being processed and, at the very least, the government should have adhered to its own data protection standards set out in the Data Protection Act, 2020 (inspired by the industry standards set out in the GDPR).
Global Implications?
The multiple security vulnerabilities reported by TechCrunch in the span of 8 days may have major implications for Jamaica and for our businesses and technology sector, locally and internationally.
The inelegant technical management of the JamCovid App by the Amber Group, and the way in which this security incident is handled, may have long-term effects on the development of our digital economy. Under the GDPR, international data transfers are regulated such that, where a company in Jamaica seeks to do business with a company within the European Economic Area, any transfer of personal data from the EU to Jamaica will be subject to one of three conditions, the broadest being that Jamaica has met “an adequate level of protection for personal data as determined by the European Commission”. Needless to say, Jamaica does not presently meet that criterion and has not (to the best of my knowledge) been earmarked as one of the countries that ensures an adequate level of protection for personal data. Arguably, two weeks ago we were closer to reaching that mark: with last year’s passing of the Data Protection Act, we were closer to demonstrating adequacy through data protection legislation and regulation that meet the GDPR’s standards. In the wake of this ongoing security issue with the JamCovid App, the incident may instead be seen as a precedent. In a very public way, the Amber Group has now demonstrated, through a lack of proper cyber-security safeguards and a failure to implement proper data protection guidelines and best practices, that the rights of data subjects are not being prioritised or recognised.
To meet the GDPR’s requirement for adequacy, local businesses and companies will therefore have to continue to build and maintain their own strict, self-regulated safeguards that afford data subjects legal remedies, or rely on the narrow set of specific situations that qualify for trans-border data transfers with the EU.
The Amber Group
If the content of the TechCrunch articles is to be accepted as true, it is clear that the Amber Group has failed to perform and respond adequately on several fronts:
- No evidence that a thorough Data Privacy Impact Assessment was conducted prior to the deployment of the App or thereafter.
- No evidence that a thorough IT Security Assessment was conducted prior to the deployment of the App or thereafter.
- No clarity on the number of affected data subjects and no evidence that data subjects were properly notified.
- An outdated privacy policy which shows its drafting date as “2018”, two years prior to the development and deployment of the application and website (in case of removal, see the screenshot in the gallery above).
- No evidence that a Data Breach Incident Plan was in place.
- A reactionary approach to securing information and protecting personal data, as opposed to the proactive approach of engineering a program that incorporates privacy by design.
Conclusion
No system is 100% secure. Investing in all the cyber-security and data privacy resources on earth cannot guarantee that an application or website is free of vulnerabilities. What is important is ensuring that data controllers and data processors work proactively to embed security and privacy into every step of the design, engineering, development, deployment and operation of IT systems, networked infrastructures and business practices.
Errors and oversights can happen; however, data controllers (and processors) must work actively to create a framework that fundamentally respects the rights of data subjects and effectively manages data privacy and security at all levels. This requires creating a framework that meets legal compliance requirements while meeting the expectations of business clients and customers, and simultaneously reducing the risk of security incidents and data breaches.
At all levels, staff and contractors need to be adequately informed of the organisation’s security practices and privacy policies, with constant monitoring of activities to control, manage and report any risks and vulnerabilities associated with security and privacy management. Incident reports, such as those provided by TechCrunch, are not attacks but an opportunity to mitigate risk and build a more robust infrastructure and system. Having a clear plan to respond to unfortunate public events and incidents is core and critical to effective data privacy management.
“If you fail to plan, you are planning to fail.”
Benjamin Franklin