Indonesia has launched an urgent investigation to determine whether the database of its official COVID-19 tracing app has been compromised by malicious actors. The app is called ‘Indonesia Health Alert Card’ (eHAC) and is mandatory for travelers in the country, so a data breach would potentially affect a large number of people who were obliged to use it by the country’s Ministry of Health.
This action comes after researchers N. Rotem and R. Locar of the vpnMentor team discovered the exposed database and reported the issue to Indonesia’s authorities. The discovery took place on July 15, 2021, but despite multiple contact attempts, the researchers were unable to get a reassuring response from anyone responsible. Eventually, after the researchers reached out to various governmental agencies hoping someone would respond, the database was taken down on August 24, 2021.
This left plenty of time for actors to discover the exposed and unprotected Elasticsearch instance and exfiltrate the data, but whether or not someone has actually done that remains to be seen. The types of data included in the 2GB set are the following:
There were approximately 1.3 million eHAC user records in the database, so the number of people who now run the risk of being scammed, phished, or socially engineered is significant. Additionally, the database stored the following details about 226 hospitals and clinics in the country:
The health ministry representative who announced the investigation, Anas Ma’ruf, told users to delete the old app and install the new version, which is supposed to be more secure. The spokesperson further speculated that the data leak may have come from a partner, but provided no further details.