Indonesia Launches Investigation for Possible Breach on Its COVID-19 Tracing App

  • Researchers found an exposed instance containing the data of the Indonesian COVID-19 tracing app.
  • The number of exposed individuals reached 1.3 million, but access by hackers hasn’t been confirmed.
  • The data set included very sensitive details on users, staff, and even hospitals and clinics in the country.

Indonesia has launched an urgent investigation to determine whether the database of the official COVID-19 tracing app has been compromised by malicious actors. The app is called ‘Indonesia Health Alert Card’ (eHAC) and it is mandatory for travelers in the country, so a data breach would potentially affect a large number of people who were obliged to use it by the country’s Ministry of Health.

This action comes after researchers N. Rotem and R. Locar of the vpnMentor team discovered the exposed database and reported the issue to Indonesia’s authorities. The discovery took place on July 15, 2021, but despite multiple contact attempts, the researchers did not receive a reassuring response from anyone responsible. Eventually, after they reached out to various governmental agencies hoping someone would respond, the database was taken down on August 24, 2021.

This left plenty of time for actors to discover the exposed and unprotected Elasticsearch instance and exfiltrate the data, but whether or not someone has actually done that remains to be seen. The types of data included in the 2GB set are the following:

  • Passenger ID and type (including domestic and international travelers)
  • Hospital ID
  • Queue number while doing this test
  • Reference number
  • Address and time for a home visit
  • Test type (PCR, rapid antigen, etc.), date, and place
  • Test result and date issued
  • eHAC document ID
  • Passenger name and URN ID number
  • URN hospital ID number
  • Passenger details (ID number, full name, mobile phone number, DOB, citizenship, job, gender, etc.)
  • Passenger’s national Indonesian ID number (where applicable)
  • Passport and profile photo attached to eHAC account
  • PII data for passenger’s parent(s) or next of kin
  • Passenger’s hotel details (name, address, phone number)
  • Additional passenger photo ID (possibly a placeholder for future use)
  • Details about a person’s eHAC account and when it was created
Source: vpnMentor

There were approximately 1.3 million eHAC user records in the database, so the number of people who are now running the risk of getting scammed, phished, or social engineered is pretty significant. Additionally, the database stored the following details about 226 hospitals and clinics in the country:

  • Hospital details (ID, name, country, license number, address and exact location (with coordinates), phone and WhatsApp number, opening hours)
  • Name of the responsible person for the passenger
  • Name of the passenger’s doctor
  • Hospital capacity
  • Allowed test types in the hospital
  • Information about how many tests were done each day
  • Which type of passengers are allowed in this hospital

The health ministry representative who announced the investigation, Anas Ma’ruf, told users to delete the old app and install the new version, which is supposed to be more secure. The spokesperson further speculated that the data leak may have come from a partner, but provided no further details.
