Jamaica’s JamCOVID pulled offline after third security lapse exposed travelers’ data

Jamaica’s JamCOVID pulled offline after third security lapse exposed travelers’ data

Jamaica’s JamCOVID app and website were offline late Thursday night, exposing an order separating more than half a million travelers to the island after a third security breach. The government set up Jamkovid last year to help process travelers arriving on the island. A quarantine order issued by the Jamaican Ministry of Health directing passengers to stay in their homes for two weeks to prevent the spread of COVID-19.

These orders include the name of the traveler and the address where they have ordered to stay. However, a security researcher told TechCrunch that quarantine orders were publicly accessible from the JamCOVID website but not password protected. Although the files were accessible from anyone’s web browser, the researcher said not to name them for fear of legal consequences from the Jamaican government.

Jamaica’s JamCOVID pulled offline after third security lapse exposed travelers’ data

More than 500,000 quarantine orders were unveiled, some starting in March 2020. TechCrunch shared this information with Jamaica Gleaner, who was the first to report on security breaches after verifying the data spillage with cyber security experts. Amber Group, which contracted to create and maintain the JamCOVID coronavirus dashboard and immigration services, TechCrunch and Jamaica Gleaner contacted the agency on Thursday evening shortly after the service pulled offline. JamCOVID’s website replaced by a holding page that said the site was “under maintenance.” At the time of publication, the site was back.

Amber Group chief executive Dushyant Savadia did not return a request for comment. Jamaica’s Minister of National Security Matthew Samuda did not respond to a request for comment or a request for comment – including whether the Jamaican government plans to continue its agreement or relationship with the Amber Group.
This is the third safety issue involving JamCOVID in the last two weeks. Last week, the Amber Group secured an open cloud storage server hosted on the Amazon Web Service, which resulted in more than 70,000 negative COVID-19 lab results and more than 425,000 immigration documents allowed to travel to the island. Savadia responded there were “no more vulnerabilities” with the app. Days later, the company fixed a second security lapse by leaving a file with a private key and password for service on the JamCOVID server.

The Jamaican government has repeatedly defended the Amber Group, saying it provided the government with “free” JamCOVID technology. Savadia of Amber Group quoted earlier as saying that the company had created the service “within three days”. 

In a statement Thursday, Jamaican Prime Minister Andrew Holness said JamCOVID continues to be “a critical element” of the country’s immigration process and that the government is “accelerating” the transfer of the JamCOVID database – although no specific details were given.