TechCrunch published an article on February 17, 2021 about Jamaica’s immigration website exposing thousands of travellers’ data. Here’s a summary:
- A security lapse by a Jamaican government contractor, Amber Group, exposed immigration records and COVID-19 results for hundreds of thousands of travellers who visited the island over the past year.
- Amber Group built the JamCOVID19 website and app which the government uses to publish daily coronavirus figures and allows residents to self-report their symptoms.
- A cloud storage server was left unprotected, without a password and publicly spilt out files onto the open web. TechCrunch discovered the exposure as part of a separate investigation into COVID-19 apps and contacted Amber Group’s chief executive Dushyant Savadia who refrained from commenting before publication.
- The storage server, hosted on Amazon Web Services was set to public and contained more than 70,000 negative COVID-19 lab results and 425,000 immigration documents authorizing travel to the island.
- The server exposed more than 1.1 million daily update check-in videos and contained a timestamped spreadsheet named “PICA”.
- After publication, the Jamaican government issued a statement confirming the vulnerability. According to a report, Amber’s Savadia said the company developed the JamCOVID19 within three days and made it available to the Jamaican government mostly for free. Savadia would not say what measures Amber Group had put in place to protect the data of paying governments.
Source: techcrunch.com
Contributed by Racquel Bailey from Jamaica. Racquel is a member of our Women in InfoSec Caribbean (WISC) initiative on Discord. WISC is a non-profit initiative supporting Caribbean women and girls to develop a career in Information Security.
Learn more about WISC at wiscaribbean.org.