A failure by the Amber Group that was contracted by the Jamaican government recently resulted in a data breach with the potential of affecting hundreds of thousands of visitors to Jamaica. The data was available to anyone with Internet access through a website and app developed by the Amber Group. The company was engaged by the Jamaican government to build its multi-functional JamCOVID 19 website and app.
The Jamaican government utilizes both for publishing daily COVID-19 pandemic numbers and enables individuals to self-report symptoms. As part of the functionality, the website allows visitors to upload negative test results for pre-approval before boarding their flights from other countries. The breach occurred when a cloud-based server was left unprotected with no password. Here’s what individuals need to know about the breach.
1. Amber Group’s affected storage server was hosted by Amazon Web Services and was set to public.
2. It’s unknown how long the server was left unsecured.
3. Most of the information that was exposed belonged to those from the U.S.
4. Information exposed dated from June 2020, when the island reopened after the first pandemic wave, to the present.
5. Files on the server comprised over 70,000 negative COVID-19 tests, more than 425,000 immigration documents, and files containing visitors’ names, date of birth, and passport numbers. Files contained 250,000 quarantine orders, along with images of over 440,000 visitor signatures.
6. Check-in videos from the Amber Group app were exposed that enables the Jamaican government to track individuals within the “resilient zone,” thereby enabling the Ministry of Health to ensure that individuals stay within those zones. The app requires visitors to record check-in videos that contain their name and symptoms. During the breach, over 1.1 million of those videos were exposed.
7. TechCrunch discovered the breach on Feb. 17, 2021 while performing an investigation and review of COVID-19 apps. The publication immediately contacted Dushyant Savadia, Amber Group’s CEO, who declined to comment at first.
Jamaican Ministry of Health spokesperson, Stephen Davidson, declined to comment or indicate if those affected by the breach would be notified. A later statement by the Jamaican government said no evidence existed that the vulnerability had been exploited in the “alleged breach” and no evidence suggested the security lapse had been exploited for malicious data extraction. The government later said anyone affected by the security vulnerability would be notified.
Amber Group called it an isolated incident, the comment coming four days after the vulnerability was detected. Jamaican Senator Matthew Samuda in the security ministry said “just under 700” people were affected.
Amber Group is now under scrutiny into its business practices, security measures and the CEO’s experience and training in cybersecurity technology administration. The company has won contracts and partnerships with numerous governments and private-sector companies around the globe. The Jamaican government is also facing tough questions about transparency, when it was notified about the breach, and the time lapse for the entity to make that knowledge public. A criminal investigation is ongoing.
Photo source: Deposit Photos