KINGSTON, Jamaica — Government investigations so far have found that while there is evidence of unauthorised access to the JamCOVID application, “there is no evidence of data exfiltration”.

However, the Office of the Prime Minister (OPM) said in a statement, the probe by a multi-agency cyber analysis team is ongoing, and the public will be advised further as the investigation progresses.

The investigations and assessments are concurrently focused on two streams -- the level of compliance of the security architecture and configuration of the application and related databases with established standards and best practices; and the possible activities of any malicious actors in either creating or exploiting any vulnerabilities in the security architecture and configuration and whether such exploitation resulted in data exfiltration.

While the investigation continues, the Government is accelerating plans that were already underway to migrate the JamCOVID database, the statement said.

“The cyber analysis team has undertaken a comprehensive review of security of the application and related databases and, in conjunction with the developer, significantly hardened the security of the system.  The JamCOVID application continues to be a critical element of our controlled entry programme and has served us well in our management of the pandemic. We wish to reassure the public that the JamCOVID application is safe for use.”

It added: “While we acknowledge that there may be persons acting without malicious intent, Jamaican law requires that all instances of unauthorised access be investigated and, in fact, this would be the only way we could determine whether the access was malicious or not.  The authorities have reached out to our overseas law enforcement partners for support.”

In chairing the monthly National Security Council meeting today, Prime Minister Andrew Holness is said to have received a comprehensive update on Jamaica's cyber architecture and a specific report on matters related to the JamCOVID application. 

Among the main points of discussion were the steps being taken to build a robust governance framework and infrastructure for cybersecurity embedded in Plan Secure Jamaica.

The statement said already, the multi-agency cyber analysis team, including eGov, the Cyber Incident Response Team of the Ministry of Science, Energy and Technology, Major Organized Crime and Anti-Corruption Agency, and Communications Forensics and Cybercrimes Division of the Jamaica Constabulary Force, is in place and conducting critical assessments of the existing cyber landscape. 

Meanwhile, the Government is undertaking a comprehensive review of security on all Government websites and networks to ensure compliance with international standards and best practices.

This process is underway with 162 website reviews completed and another 100 in progress to date. Any credible vulnerabilities that are identified are concurrently being rectified, the OPM said.

The Government said it wishes to assure the public that it is sensitive to the legitimate fears and concerns around data privacy and protection and is committed to pursuing a comprehensive approach to system-wide strengthening of [processes] as we move towards the creation of a digital society.

 Holness has also directed that the plans for building cyber resilience in Jamaica be accelerated, including bringing the new National Cybersecurity Strategy to Cabinet in the second quarter of the upcoming fiscal year; launching a new Cyber Academy; and intensifying cross-agency cooperation.

“It has been assessed that over the past few weeks there have been increasing instances of malicious cyber activity directed at both Government and private entities. We therefore urge the public to exercise greater care and vigilance through being on the lookout for phishing scams, properly securing and changing passwords, etc,” the OPM said.

“Cyber threats are real, we see that daily not only in Jamaica but in all countries. No one is immune.  The most secure systems in the world have had security issues which have required remediation and strengthening.  As a society, we have to recognise that these threats represent an inherent risk in the new digital world.  Ultimately, this risk cannot be completely eliminated. Digital technology works because it is open, and that openness brings with it risks. What we can do is build our capacity to address and mitigate the risks.”