Authorization

Jamaicas JamCOVID pulled offline after third security lapse exposed travelers data

Jamaicas JamCOVID app and website were taken offline late on Thursday following a third security lapse, which exposed quarantine orders on more than half a million travelers to the island.
JamCOVID was set up last year to help the government process travelers arriving on the island. Quarantine orders are issued by the Jamaican Ministry of Health, and instruct travelers to stay in their accommodation for two weeks to prevent the spread of COVID-19.
These orders contain the travelers name and the address of where they are ordered to stay.
But a security researcher told TechCrunch that the quarantine orders were publicly accessible from the JamCOVID website but were not protected with a password. Although the files were accessible from anyones web browser, the researcher asked not to be named for fear of legal repercussions from the Jamaican government.
More than 500,000 quarantine orders were exposed, some dating back to March 2020.
TechCrunch shared these details with the Jamaica Gleaner, which was first to report on the security lapse after the news outlet verified the data spillage with local cybersecurity experts.
Amber Group, which was contracted to build and maintain the JamCOVID coronavirus dashboard and immigration service, pulled the service offline a short time after TechCrunch and the Jamaica Gleaner contacted the company on Thursday evening. JamCOVIDs website was replaced with a holding page that said the site was under maintenance. At the time of publication, the site had returned.
Amber Groups chief executive Dushyant Savadia did not return a request for comment.
Matthew Samuda, a minister in Jamaicas Ministry of National Security, also did not respond to a request for comment or our questions including if the Jamaican government plans to continue its contract or relationship with Amber Group.
This is the third security lapse involving JamCOVID in the past two weeks.
Last week, Amber Group secured an exposed cloud storage server hosted on Amazon Web Services that was left open and public, despite containing more than 70,000 negative COVID-19 lab results and over 425,000 immigration documents authorizing travel to the island. Savadia said in response that there were no further vulnerabilities with the app. Days later, the company fixed a second security lapse after leaving a file containing private keys and passwords for the service on the JamCOVID server.
The Jamaican government has repeatedly defended Amber Group, which says it provided the JamCOVID technology to the government for free.Amber Groups Savadia has previously been quoted as saying that the company built the service in three days.
In a statement on Thursday, Jamaicas prime minister Andrew Holness said JamCOVID continues to be a critical element of the countrys immigration process and that the government was accelerating to migrate the JamCOVID database though specifics were not given.
An earlier version of this report misspelled the Jamaican Gleaner newspaper. We regret the error.

Jamaicas Amber Group fixes second JamCOVID security lapse
See also:
Leave a comment
News
  • Latest
  • Read
  • Commented
Calendar Content
«     2021    »
 1234
567891011
12131415161718
19202122232425
2627282930