2 Data Leaks Reported in Indonesia's COVID-19 Tracking AppsMillions of Indonesian Residents, Including President Widodo, Affected
The personal data of at least 1.3 million Indonesian residents, stored on two government-developed COVID-19 tracking apps, PeduliLindungi and eHAC, has been leaked online, according to security researchers. President Joko Widodo is among those affected.
On Friday, PeduliLindungi became the second COVID-19 tracking app in the country, after eHAC, to have suffered a cyber incident in the span of one week. While the number of people affected by the PeduliLindungi leak has not been ascertained yet, the eHAC breach affected 1.3 million users.
A data search feature in the PeduliLindungi app allows anyone to look up personal data and COVID-19 vaccination information of Indonesian residents, including that of the president, Damar Juniarto, a privacy rights activist who is also the vice president of regional government relations at technology company Gojek, says in a Twitter thread.
Zurich-based cybersecurity researcher Marc Ruef shared the screenshot of a leaked COVID-19 vaccination certificate, which he claims belongs to the president, as it contains his national identification number. But Ruef did not explicitly specify if the data had been leaked from PeduliLindungi.
Another unusual data breach during the COVID-19 pandemic: The vaccination certificate of the President of Republic Indonesia #covid19 #coronavirus #vaccine #breach #leak #darknet pic.twitter.com/hVYCpYeDjf— Marc Ruef (@mruef) September 5, 2021
The PeduliLindungi incident shows how easy it is to find a citizen’s unique national identification number, or NIK, Juniarto tells Information Security Media Group. "This is the reality. Personal data is scattered everywhere," he says.
eHAC Data Breach
The PeduliLindungi incident comes days after another government-run COVID-19 contact-tracing app, the eHAC, was the victim of a data breach. vpnMentor researchers, who discovered the breach, say that developers of eHAC failed to implement adequate data privacy protocols on an open server, which exposed the personal data, travel information, medical records and COVID-19 status of the app's users.
The researchers say they disclosed their findings to Indonesia’s Computer Emergency Response Team on July 22. On Aug. 31, over a month after the disclosure, the Ministry of Communication and Information Technology issued a statement, saying that it would investigate the data breach as mandated by the country’s Electronic Systems and Transactions regulations.
The IT ministry’s preliminary investigations revealed that the data leak occurred in an older version of the eHAC application, which was deactivated on July 2.
Although the government accepted the eHAC data breach and shared a plan of action to analyze and fix the vulnerabilities, it has absolved itself of the PeduliLindungi incident.
The country's Ministry of Communication and Information Technology, known as Kominfo, says that the information related to the president’s NIK and vaccination data did not come from the PeduliLindungi system.
Additionally, the IT ministry does not believe that the health ministry, the National Cyber and Crypto Agency, and the Ministry of Communication and Informatics should be held accountable for the management of data protection and security of the PeduliLindungi system.
The National Cyber and Crypto Agency, it says, is only authorized to implement cybersecurity technical policies and is not responsible for recovering and managing cybersecurity risks for electronic systems.
Following reports of the president’s data being leaked online, Indonesian Minister of Health Budi Gunadi Sadikin claimed that private records of government officials could no longer be accessed by the public.
Presidential spokesperson Fadjroel Rachman told news agency Reuters in a statement, “We [the government] hope that relevant authorities can conduct certain procedures to prevent similar incidents from happening, including the protection of the people's data.”
Cause for Concern
The eHAC data breach is the sixth major cybersecurity incident to hit Indonesia since May 2020. This includes the Tokopedia data leak, which compromised the personal information of 15 million Indonesian users. A cybersecurity incident in Indonesia’s General Election Commission also resulted in the electoral data of 2.3 million Indonesian citizens being put up for sale on dark web marketplace RaidForums.
Such marketplaces are rife with people trading patient data from COVID-19 tracking apps, cybersecurity researcher Ruef tells ISMG.
“Malicious actors may abuse them [the data] for impersonation, phishing, social engineering or extortion attempts. We assume that this will happen much more in the future. Billions of patients worldwide will be affected by such activities,” he explains.
The data on COVID-19 surveillance apps likely contains GPS data, device information and phone media files.
A majority of data breaches in Indonesia affect government-held data, Alia Yofira Karunian, a researcher at the Institute for Policy Research and Advocacy or ELSAM, says in an analysis of the eHAC databases. The government ought to bring in more accountability, she adds.
The government must deliberate the Personal Data Protection Bill with the House of Representatives as soon as possible, ELSAM recommends.