Amber Group founder and CEO Dushyant Savadia yesterday issued a strong defence of his company's work and said he is exploring legal options over recent reports in mainstream and social media, which he deems defamatory, relating to the Jamcovid application and website that the firm gifted to the Government to help manage the novel coronavirus pandemic.
Savadia also described as deeply concerning a report of a second vulnerability in the app, saying that the file referenced has no personal data of people who used the feature.
“The exposed .env file (ie environmental file) that is being described as a second vulnerability is a file that contains expired information, along with links that had been previously made redundant,” Savadia said in a statement.
“These files do not contain any personal information from Jamcovid-19 users, nor do they enable access to such information. Login information is further protected with multi-factor authentication to prevent access to these sites. If you look at the file that was referenced, the database URL and credentials were already rectified last week,” he added.
“Amber stands behind its work and contributions to Jamaica in the fight against the pandemic. We continue to cooperate fully with the investigation by the authorities,” Savadia said.
Amber, developer of the Jamcovid application and website which travellers use to enter personal data as they seek clearance to land in Jamaica, has been under scrutiny since last Wednesday when United States-based technology magazine TechCrunch reported vulnerabilities in the app which, the magazine said, allowed files with sensitive data to be left unprotected.
Following the report, the Government moved to calm fears, saying it had fixed the problem, which had exposed the data of over 400,000 visitors to the island.
“A thorough investigation was immediately initiated to determine if there were any breaches in travellers' data security, if the vulnerability had been exploited, and if there was a breach of any laws,” the Government had said in a news release.
It also said that, while there was no evidence to suggest that the security vulnerability had been exploited for malicious data extraction prior to it being rectified, the Government had, out of an abundance of caution, “contacted travellers whose data may have been subject to the vulnerability and have assured them that steps have been taken to ensure the integrity and the confidentiality of the data”.
The Government said, too, that the systems of the Passport, Immigration and Citizenship Agency were not in any way affected, compromised or exposed by the vulnerability.
Additionally, it said that it had commissioned an independent review of the security of the system and the results were expected within 24 hours.
Last Thursday, the national security ministry said it had initiated a criminal investigation into the matter, stating that when a security vulnerability is identified in respect of a government system, the State has a duty to investigate and rectify it.
“Under Jamaican law, we also have a duty to ensure that any unauthorised access to data is investigated and prosecuted. Under section 3 of the Cybercrimes Act, 'any person who knowingly obtains, for himself or another person, unauthorised access to any program or data held in a computer commits an offence'. The matter has therefore been referred to the Communication Forensics and Cybercrime Unit of the Jamaica Constabulary Force and the Major Organised Crime and Anti-Corruption Agency for further investigation,” the security ministry said in a news release.
On Monday this week, TechCrunch published an article claiming that there was a second vulnerability in the app.
Yesterday, Savadia assured the public that Amber continues its work to mitigate against cyber-attacks, hacking and mischievous players, including the recent occurrences, seeking to disrupt and interfere with a system designed to facilitate safe re-entry into Jamaica.
He also reminded the public that the Jamcovid system was developed to meet an urgent need to facilitate entry into Jamaica, and that the comprehensive system was built over a 10-month period.
Yesterday as well, the Ministry of National Security moved to assure users of the app that a comprehensive review of all aspects of the site, application and associated databases is being conducted, with changes to come along with further strengthening of all security features.
The ministry said the previously announced criminal investigation and increased monitoring have not revealed any evidence that the vulnerabilities identified were exploited for malicious extraction or leakage prior to the security breaches being rectified, and it encouraged the public to refrain from speculating on the sensitive issue.
Yesterday morning, Opposition Leader Mark Golding demanded that the Government provide exact details of its agreement with Amber Group for the development and implementation of the application and website.
During a People's National Party (PNP) press conference, Golding told the Jamaica Observer that questions such as who owns the data for the over 400,000 travellers to the island must be answered.
“We would like to see the contract made public and tabled in Parliament. We want to know what guarantees and indemnities are in that contract and what compensation is there for the person operating the app,” Golding said.
“Maybe the three-day development process we were told about was free, but are they being remunerated for operating the app or not? Who owns the data on that app that was put up on the portal? These are important issues that the public has a strong interest in knowing. It is very unfortunate that this has happened,” Golding said.
He questioned the move by the national security ministry to launch a criminal investigation into the matter and said, “The TechCrunch journalist who brought this to the public's attention has done a great service to enable the thing to be fixed before cyber thieves access and steal the data to use it. We do not know what is being done to warn people that their information may have been compromised. We were told by Minister Matthew Samuda that 700 people had been contacted, but the truth is that many thousands of visitors and Jamaicans have used that app.”
Opposition spokesman on science, technology and commerce Hugh Graham chided the Government for providing very few answers to what he said were mounting questions regarding the security vulnerability. He, too, demanded to see a copy of the contract between the Government and Amber Group.
“What does the contract look like? Persons are saying we should bring solutions and suggestions, but without knowing the terms of the contract it is very difficult to say what suggestions we would be bringing forward. There are questions surrounding the authentication of the app, the security of the app, and who approved the app to make sure that it was protected and that the people's data was protected. There aren't any answers coming,” he said, accusing the Minister of Science, Energy and Technology Daryl Vaz of being “very quiet” on the issue.