eHAC App Data Breach Allegedly Exposes Over 1 Million People

TEMPO.CO, Jakarta - A recent report by vpnMentor researchers, Noam Rotem and Ran Locar, suggests there is a data breach against the Indonesian Health Ministry’s electronic health alert card or eHAC, leaving the personal data of 1.3 million Indonesians exposed. The eHAC program was created to tackle the Covid-19 pandemic spread.

They concluded on their website on August 30 that “The app developers failed to implement adequate data privacy protocols and left the data of over 1 million people exposed on an open server.” 

The data breach summary from the report entitled “Indonesian Government’s Covid-19 App Accidentally Exposes Over 1 Million People in Massive Data Leak” also reveals that there were 2 gigabytes of data leaked. 

The types of data that are potentially exposed range from  Passenger Personally identifiable information (PII) data; travel information; medical records; and COVID-19 status. 

The researchers claim to have contacted the Indonesian Health Ministry in July 21, 2021,  but to no avail and instead contacted the The Indonesia Computer Emergency Response Team (ID-CERT) and Google.

They eventually contacted the National Cyber and Encryption Agency (BSSN) on August 22 and received a response the same day. On August 24 the BSSN immediately acted upon the report and was followed by a press conference on Tuesday, August 31, by the Health Ministry about the alleged data breach on the eHAC and PeduliLindungi Covid-19 tracing app. 

Read: BRI Life Data Breach Proves Lack of Regulatory Protection, Says ICT Director

FAJAR PEBRIANTO