New twist to JAMCOVID-19 app data security breach
Friday, February 19, 2021
BY JASON CROSS
The Government yesterday said it has initiated a criminal investigation into the data breach of its JAMCOVID-19 application, even as it reiterated confidence in the digital platform, insisting that it has served the Administration well in its management of the novel coronavirus pandemic.
At the same time, the gravity of the breach was highlighted by cybersecurity and web hosting expert Trevor Forrest, who argued that the Government could find itself in a legal pickle, particularly under European law.
“The General Data Protection Regulation (GDPR) — that is the law for the European Union as it relates to how data of European citizens is treated — by its nature has global applicability. It protects European citizens' data wherever it resides. The Government of Jamaica, being the data controller, collected information of European citizens alike. Based on GDPR, a European citizen could say, 'Look, you have advised me that my data has been compromised, and thank you for that, but I am going to take legal action to hold somebody liable for that,' and they can attempt to sue the Government because in this case the Government is data controller,” Forrest told the Jamaica Observer.
“The way GDPR works is, if you are being held accountable as an organisation, the fine amounts to around four per cent of your total revenue. Our total revenue amounts to our consolidated fund and that number is not small. That would make for an interesting court battle, in my view,” he said.
On Wednesday, the Government said that a security vulnerability associated with the file storage service on the JAMCOVID-19 app discovered that day had been rectified.
“A thorough investigation was immediately initiated to determine if there were any breaches in travellers' data security, if the vulnerability had been exploited, and if there was a breach of any laws,” the Government said in a news release.
It said that, while there was no evidence to suggest that the security vulnerability had been exploited for malicious data extraction prior to it being rectified, the Government had, out of an abundance of caution, “contacted travellers whose data may have been subject to the vulnerability and have assured them that steps have been taken to ensure the integrity and the confidentiality of the data”.
The Government said, too, that the systems of the Passport, Immigration and Citizenship Agency were not in any way affected, compromised or exposed by the vulnerability.
It also said that it had commissioned an independent review of the security of the system and the results were expected within 24 hours.
But yesterday, as the Government gathered more detail about the breach, the national security ministry said when a security vulnerability is identified in respect of a government system, the State has a duty to investigate and rectify it.
“Under Jamaican law, we also have a duty to ensure that any unauthorised access to data is investigated and prosecuted. Under section 3 of the Cybercrimes Act, 'any person who knowingly obtains, for himself or another person, unauthorised access to any program or data held in a computer commits an offence'. The matter has therefore been referred to the Communication Forensics and Cybercrime Unit of the Jamaica Constabulary Force and the Major Organised Crime and Anti-Corruption Agency for further investigation,” the security ministry said in a news release.
The application, developed through a public-private partnership with Amber Group Limited, provides the latest data and statistics related to COVID-19 in Jamaica and other countries around the world. It allows citizens to self-report their health status, book an appointment for testing if they are exhibiting symptoms of COVID-19, as well as request emergency services such as the police or ambulance services.
The system was donated free of cost to the Government.
Attempts yesterday to get a response from Amber were not successful.
At the same time, Forrest, a former chairman of Spectrum Management Authority, suggested that people who may have had their data compromised should start changing their passwords, implementing two-step verification, and being more alert to strange e-mails that may have been sent by hackers for phishing purposes.
“It is a very sticky situation, messy if you ask me,” he said. “European citizens can try and sue Government and Government ought to be able to hold Amber responsible financially, but there was no exchange of funds.”
He said the Government must now determine if personal data may have been stolen or downloaded, and pointed to the possibility of a loss in tourism earnings.
“Because it is a requirement to provide this information during the COVID for people to come here, people are going to be reluctant to give this information, which would mean they cannot come,” he said.
“This thing came out in TechCrunch, which is a well-known industry magazine. A whole heap of people are going to be aware of it. It will have some indirect effects that the Government needs to be cognisant of, because it could have some small to medium-sized economic impact. Sometimes people overlook these things,” Forrest argued.
After news of the breach emerged, a recent traveller shared his concern with the Observer.
“I can understand why people would panic because your passport information, your full name is in there, and your address where you are staying. Your COVID test results are there. You can basically clone my identity. It is very concerning. Even if there is facial recognition, skilled people can recreate a face because it is there in the app,” he said.