Indonesian authorities probe million-record leak from national COVID app
Someone didn't secure an Elasticsearch database, researchers allege
Indonesia's Ministry of Communications and Informatics is investigating a leak of over a million records from the nation's COVID-19 quarantine management app.
News of the leak was revealed on August 30th by security review site vpnMentor, which wrote that its research team discovered exposed databases generated by eHAC, an app that is mandatory for use by travellers moving into and out of Indonesia, or within its borders.
vpnMentor says its researchers found the data by using "large-scale web scanners to search for unsecured data stores containing information that shouldn't be exposed".
The eHAC data was "completely unsecured and unencrypted," and when accessing it – using just a browser – the firm's researchers were able to "manipulate the URL search criteria into exposing schemata from a single index at any time".
The site's researchers wrote that they were able to access personally identifiable information, travel information, medical records, and COVID-19 status. Some records included national identity numbers. Others named hospital staff who worked with eHAC users – across 226 hospitals.
eHAC users in government also had their personal information exposed.
The Ministry acknowledged allegations of the leak, and stated that it and the Ministry of Health have opened an investigation.
- Tencent Cloud opens first Indonesian data center
- Please stop leaking your own personal data online, Indonesia's COVID-19 taskforce tells citizens
- Imagine Amazon, Uber and PayPal merging. Indonesia's rough equivalents are probably doing it
Local media suggest a Health Ministry official has advised users to upgrade to a more recent version of eHAC, as the leak only impacts a version of the app that was discontinued in early July 2021. That advice has been interpreted as acknowledgement that older versions of the app employed problematic security controls.
vpnMentor warns of all sorts of unpleasant things that could befall those whose personally identifiable information was exposed in the leak. Happily, there's no indication the exposed trove has been accessed or abused. Yet.
The leak is Indonesia's second health data mess in recent months, after the May 2021 information breach at the national health insurance scheme. ®