The incident took place after the Elasticsearch server used by eHAC developers exposed the data due to misconfiguration.
According to Indonesian health ministry official Anas Ma’ruf, the country’s COVID-19 test and trace application had an inherent security flaw due to which the personal information and health status of around 1.3 million individuals got exposed.
Ma’ruf, who is responsible for supervising the data, further explained that the government is investigating the potential breach.
Previous version of the app impacted
The Health Ministry official admitted that the flaw was identified in an earlier version of the app and that the app hasn’t been updated since July 2021. The new eHAC system that’s included the latest version is different from the older version, Ma’ruf said.
This system is now part of the Peduli Lindungi/Care Protect app, and the government has updated it to meet miscellaneous tracing requirements, such as mall entries.
Immediately upgrade to the new version
Anas Ma’ruf urged users to immediately delete the old version of the app because the breach could have been generated from a partner while the government manages the new eHAC system. Hence, it is much safer than the older version.
2GB Data Could be Exposed
On the other hand, VpnMentor’s research team, led by Noam Rotem and Ran Locar, revealed that the Indonesia Health Alert Card/eHAC app was used frequently by travelers.
According to the team, the app’s data was exposed due to a lack of protocols in place, for which the app’s developers are to be blamed who were hosting a treasure trove of data on a misconfigured Elasticsearch server.
Example of exposed records:
According to vpnMentor’s blog post, the exposed data included:
- URN hospital ID number
- Passenger name and URN (Update Request Number) ID number
- Hospital details (ID, name, country, license number, address and exact location (with coordinates), phone and WhatsApp number, opening hours)
- Name of the responsible person for the passenger
- Name of the passenger’s doctor
- Hospital capacity
- Allowed test types in the hospital
- Information about how many tests were done each day
- Which type of passengers are allowed in this hospital.
VpnMentor researchers discovered the database on 15th July 2021 and notified Indonesian Health Ministry almost immediately after verifying the data.
“Our team discovered eHAC’s records with zero obstacles, due to the lack of protocols put in place by the app’s developers. Once they investigated the database and confirmed the records were authentic, we contacted the Indonesian Ministry of Health and presented our findings.
It is worth noting that the incident has exposed people to hacking, phishing, and other attacks, therefore, Indonesian government officials are urging users to delete the app and install the Pedulilindungi app which is also the official COVID-19 contact tracing app used for digital contact tracing in Indonesia.