Indonesians Told to Delete Unsecured Tracing App
The Indonesian government is exhorting the public to delete a COVID-19 test and trace app that left users’ personal information exposed on an unsecured server.
The data breach in the Indonesian government’s electronic Health Alert Card (eHAC) program was discovered by a research team at vpnMentor led by Noam Rotem and Ran Locar.
The program and the eHAC app were created in 2021 to monitor the coronavirus infection status of people entering the country. Obtaining an eHAC was mandatory for any traveler, including native Indonesians, when entering the Republic from overseas or taking a domestic flight within Indonesia.
Researchers discovered that the app’s developers “failed to implement adequate data privacy protocols and left the data of over 1 million people exposed on an open server.”
In total, 2GB of data belonging to the Republic’s Ministry of Health were exposed on an Elasticsearch server. Researchers said the data included more than 1.4 million records and that approximately 1.3 million individuals had been impacted.
Information left unsecured included Personally Identifiable Information (PII), medical records, contact details, travel information, and COVID-19 infection status.
Researchers noted: “Had the data been discovered by malicious or criminal hackers, and allowed to accumulate data on more people, the effects could have been devastating on an individual and societal level.”
The database of unprotected records was discovered by researchers on July 15. It was reported to the Ministry of Health on July 21 and to the Indonesian Computer Emergency Response Team (ID-CERT) on July 22.
“Our team discovered eHAC’s records with zero obstacles, due to the lack of protocols put in place by the app’s developers,” wrote researchers in a blog post detailing the leak.
“Once they investigated the database and confirmed the records were authentic, we contacted the Indonesian Ministry of Health and presented our findings.”
Despite twice flagging the open database to the Indonesian government and CERT, the researchers only received a response about the security incident in August after contacting Indonesia’s National Cyber and Encryption Agency (BSSN), which shut down the server on August 24.
The eHAC app has now been integrated into a new app called PeduliLindungi. However, the Health Ministry, which publicly responded to the research findings earlier today, urged eHAC users to delete the app as a precaution.