Did Indonesian COVID-19 Track and Trace leak 1.3 million counts of data?

Indonesian authorities are investigating claims that the nation’s COVID-19 track and trace app, electronic Health Alert Card (eHAC), was operating on an open server and that as a result the data of 1.3 million users has been exposed. 

The data included 

Cyber research firm vpnMentor first approached the Indonesian health ministry in July detailing their suspicions about the app. A member of their research team told CNN Indonesia,

"Our team found that eHAC records lacked protocols implemented by application developers. After they investigated the database and confirmed that the data was genuine, we contacted the Indonesian Ministry of Health and presented our findings."

However, they only received a response on the 22nd of August, after having made a second attempt to alert the authorities by contacting Indonesia’s National Cyber and Encryption Agency. As vpnMentor reports, 

"After several days of no response from the ministry, we contacted the Computer Emergency Response Team and also Google as the eHAC hosting provider. In early August, we did not receive a reply from the relevant ministry or agency. We tried to inform a number of other state agencies, one of which was the National Cyber and Crypto Agency (BSSN), which was established to address cybersecurity issues. We contacted them on August 22 and they replied on the same day. Two days later, on August 24, the server was deactivated."

In response to the claims regarding the suspected security flaw, an Indonesian health minister, Anas Ma’ruf, held a virtual press conference in which he stated that the government was aware of the potential breach and was actively investigating the claims. He also assured the public that the potential breach had stemmed from an old iteration of the app, which had not been in use since July, and that the newest iteration was safe to use.

In actuality, eHAC has since been discontinued as a standalone app and integrated into a new app, PeduliLindungi. Officials gave assurances that this app was secure and not liable to the same security concerns as eHAC. It continues to be used by Indonesians to gain access to public places such as malls, as well as by tourists who provide COVID vaccination statuses.

During his virtual press conference, Anas Ma’ruf told the public to delete the old eHAC app from their devices if they still had it: despite its services being discontinued, it was the sole source of the leak, and its safety was not “guaranteed”, unlike that of the new PeduliLindungi.

Data leaks such as this one can serve not just as a stern reminder for all governments to ensure that their applications and web development are rigorously tested. In the context of vaccination and COVID-19, they can also have a wider impact within the community, deterring users from engaging with the services due to questions about their data’s confidentiality. In turn, this can make it even harder to test and trace, or to enforce COVID passports/passes, raising real humanitarian concerns.
