Millions Of Indonesians Personal Information Leaked Over a Data Breach – E Hacking News
In their COVID-19 test-and-trace application, Indonesia investigated a probable security vulnerability that left 1.3 million individuals’ data and health status exposed.
On Friday 3rd of September, following a week-long cyber-attack, PeduliLindungi became the country’s second COVID-19 tracking app following eHAC to suffer a data breach. The PeduliLindungi leak has not been identified yet, but the eHAC violation has impacted 1.3 million users. These 2 data breaches occurred in succession within a week.
The eHAC Data Breach
According to a Health Ministery official, the government is suspecting its partner as the likely source of infringement in the eHAC app ( electronic health alert card), which has been disabled since July 02.
The EHAC is a necessary prerequisite for travelers entering Indonesia, which was launched this year. It maintains the records of the health condition of users, personal information, contact information, COVID-19 test results, and many others.
Researchers from the vpnMentor encryption provider who perform a web mapping operation have discovered a breach to detect unauthorized data stores with confidential material.
On 22nd July, researchers informed Indonesia’s Emergency Response Team and have revealed their conclusions. The Ministry of Communications and Information Technology published a statement on August 31, more than one month after the disclosure, which stated that the data violation would be investigated according to the Electronic Systems and Transactions Regulations of the country.
Anas Ma’ruf, a health ministry official said, “The eHAC from the old version is different from the eHAC system that is a part of the new app”. “Right now, we’re investigating this suspected breach”.
A data search function on the PeduliLindungi-application enables anybody to search for personal data and information on COVID-19 vaccination for Indonesians, including that from the president, Damar Juniarto, a privacy rights activist who also is the vice president of regional government relations at technology firm Gojek, as per a Twitter thread.
Zurich-based cybersecurity analyst Marc Ruef has shared a screenshot with the President of a compromised COVID-19 vaccination certificate, as it includes his national identity number. However, Ruef did not specifically mention whether PeduliLindungi’s data was disclosed.
All this explicates that personal identification data and confidential information is scattered everywhere.
While the Government admitted the breach of the eHAC data and presented a plan of action for the analysis and restoration of flaws, PeduliLindungi has been exonerated.
The Ministery of Communications and Information Technology of the state, called Kominfo, states that the data on the president’s NIK and vaccination records did not originate in the database of PeduliLindungi.
Experts claim such data violations highlight the inadequate cyber security architecture in Indonesia. In May, the officials also conducted a survey on the alleged violation by the state insurer of the country of social security data.