This week, news came to light that the website and application that the Government of Jamaica has been using to manage the immigration records and COVID-19 test results of residents and visitors to the island, had been severely compromised. Although the security failure has been remedied, several questions still linger.
The Jamaican tech and business communities have been in an uproar over the past few days, following the publication of an article by TechCrunch on 17 February, which reported that the data of thousands of travellers to Jamaica had been exposed on the country’s immigration site. The report, which appeared to be based on first-hand investigations conducted by TechCrunch, found that documents and data uploaded to the country’s JamCOVID19 website and app and stored in the cloud, “was left unprotected and without a password, and was publicly spilling out files onto the open web”.
The article further noted that the storage server, which is hosted on Amazon Web Services and, at the time, had its access privileges set so that anyone with Internet connectivity could read the stored records, contained the following:
- over 70,000 negative COVID-19 lab results
- over 425,000 immigration documents authorizing travel to the island, including the traveller’s name, date of birth and passport numbers
- over 250,000 quarantine orders dating back to June 2020
- more than 440,000 images of travellers’ signatures.
The JamCOVID19 website and app were built for the Government by Amber Group, a company that has been growing in popularity, thanks to Amber Connect, its vehicle-tracking system, and to building a widely-used bill payment app for the incumbent electricity provider. More recently, it launched the Amber HEART Academy, a new school for coding, which garnered much political praise (Source: Loop Jamaica).
According to the Jamaica Information Service (JIS), the breach was discovered on 16 February, and the “vulnerability was immediately rectified upon discovery”. Further, “there is no evidence to suggest that the security vulnerability had been exploited for malicious data extraction prior to it being rectified”. However, it should be noted, at least with regard to the first statement, that TechCrunch is saying something different. According to Zack Whittaker, Security Editor at TechCrunch, it had contacted the Ministry of Health in Jamaica on Saturday, 13 February, supplied details of the exposed server on Sunday, and nothing happened. It was only when TechCrunch was able to identify the contractor, Amber Group, and contacted them directly on 16 February that the server was secured (Source: Twitter).
Without a doubt, and even at the best of times, with the most robust security available, breaches and incidents can occur. However, what makes this situation particularly damaging is the fact that the server’s access controls were never switched on, which is tantamount to leaving one’s front door wide open. No nefarious intrusion tricks needed to be used; for all intents and purposes, the data on the server could be accessed at will.
Having said this, it may be still early days in this saga. However, considering the sheer magnitude of the situation, below are some early thoughts.
1. How serious is Amber Group about security?
From the information available in the public domain, Amber Group is a software development company that tends to build its own products, and reportedly has operations in 23 countries. However, it could be argued that for an experienced IT company that works for governments and manages sensitive information for and on behalf of its clients, the security omission is beyond a ‘rookie mistake’.
Under the circumstances, it does not appear that any security-related checks and balances, monitored on a regular basis, were in place. Further, its procedures for commissioning an application or platform may not be sufficiently comprehensive or robust. In other words, Amber Group may be an IT company that does not fully appreciate the need for, and importance of, security, as evidenced by the fact that this glaring omission persisted for nine months.
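The open-access misconfiguration described above, and the regularly monitored checks that this section says were missing, can both be illustrated with a small audit routine. The following is an added example, not code from the original article nor from Amber Group or the Government of Jamaica. It assumes the exposed “storage server” was an S3 bucket, which the article does not state, and the bucket name, account id, role name and all policy documents are constructed placeholders. It parses the three documents S3 returns for a bucket (the bucket policy, the ACL and the Block Public Access settings), reports which of them open the bucket to anyone, and shows an exposed “before” configuration beside a hardened “after” one.

```python
"""Offline audit of an S3 bucket's access configuration for anonymous access.

Added example with constructed inputs: the policy, ACL and Block Public Access
documents below are placeholders, not the real JamCOVID19 configuration, and
the assumption that the exposed "storage server" was an S3 bucket is ours.
"""
import json

# S3's predefined groups: AllUsers is the whole Internet, AuthenticatedUsers is
# anyone with an AWS account; a grant to either counts as public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    """Policy fields such as Statement, Principal.AWS and Action may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def statement_is_public(stmt):
    """True for an Allow statement whose principal is anonymous ('*') and which has no Condition."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        anonymous = True
    elif isinstance(principal, dict):
        anonymous = "*" in _as_list(principal.get("AWS"))
    else:
        anonymous = False
    # A Condition (e.g. aws:SourceVpc) narrows the grant; conditioned statements
    # deserve review but are not flagged as open to the Internet here.
    return anonymous and not stmt.get("Condition")

def public_statements(policy_json):
    """Return the Sids of bucket-policy statements that grant access to anyone."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy.get("Statement"))
            if statement_is_public(s)]

def public_acl_grants(acl):
    """Return 'Group:Permission' for every ACL grant to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            found.append(f"{PUBLIC_ACL_GROUPS[grantee['URI']]}:{grant.get('Permission')}")
    return found

def disabled_public_access_blocks(pab):
    """Return the Block Public Access settings that are not switched on."""
    return [name for name in PAB_SETTINGS if not pab.get(name, False)]

def audit_bucket(policy_json, acl, pab):
    """Run all three checks; an empty dict means no public access path was found."""
    findings = {}
    sids = public_statements(policy_json)
    grants = public_acl_grants(acl)
    gaps = disabled_public_access_blocks(pab)
    if sids:
        findings["policy"] = sids
    if grants:
        findings["acl"] = grants
    if gaps:
        findings["public_access_block"] = gaps
    return findings

BUCKET = "arn:aws:s3:::example-records-bucket"  # placeholder bucket name

# Constructed "before": object reads for Principal "*", ACL open to AllUsers,
# and all four Block Public Access settings off.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]})
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
EXPOSED_PAB = {name: False for name in PAB_SETTINGS}

# Constructed "after": only a named application role may read, plain-HTTP access
# is denied, the ACL is owner-only, and Block Public Access is fully on.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
     "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {name: True for name in PAB_SETTINGS}

if __name__ == "__main__":
    print("exposed :", audit_bucket(EXPOSED_POLICY, EXPOSED_ACL, EXPOSED_PAB))
    print("hardened:", audit_bucket(HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB))
```

The three inputs have the same shape as what boto3’s `get_bucket_policy()["Policy"]`, `get_bucket_acl()` and `get_public_access_block()["PublicAccessBlockConfiguration"]` return, so the same functions can be run on a schedule over every bucket in an account; a non-empty findings dict is the kind of regular check that, had it been in place, would have flagged an open bucket within a day rather than nine months. Note that the `Deny` statement with `Principal: "*"` in the hardened policy is not reported, since the audit only flags unconditional `Allow` grants to the anonymous principal.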
2. How serious is the Government of Jamaica about security?
Although Amber Group might be the contractor, and so is likely to be the main party answerable for the security failure that occurred, questions may also need to be asked of the Government of Jamaica as regards its posture on security, and correspondingly the policies and frameworks it has in place. The Government is the repository of considerable volumes of personal data of individuals, along with confidential and commercially sensitive information on businesses and organisations. Hence, three questions merit consideration:
- What security and compliance standards does the Government of Jamaica have in place?
- What compliance requirements does it have for contractors and other third-party entities that are providing services to the Government, and/or are handling personal and confidential data for or on behalf of Government?
- What are the consequences when breaches or major security omissions occur, which not only bring the Government into disrepute, but could also lead to legal, economic and financial consequences for the country?
In the JIS article cited above, the Government was reported to have given assurances that it takes “data privacy and security extremely seriously and remain committed to stringent security protocols in keeping with local and international standards”. However, under the current circumstances, what does that mean? The response to date by the Government of Jamaica is inadequate.
3. Is the Government ready for the privacy implications?
In 2020, Jamaica successfully enacted its Data Protection Act, which was subject to extensive debate and review prior to its promulgation. At the time of writing, the full provisions of the Act are not yet effective, as a transition period has been established to facilitate public awareness, and for organisations to take the steps needed to ensure full compliance with the legislation. Notwithstanding, the personal data of individuals – tourists and Jamaicans – was not protected.
However, a potentially bigger issue is the implications of such a breach on the international stage, for example with regard to the European Union’s General Data Protection Regulation (GDPR). As noted in our Podcast episode with attorney-at-law and data protection specialist Bartlett Morgan, the GDPR has been designed to have extraterritorial reach. Hence, just one national of the European Union (EU) whose personal data was compromised may have grounds under GDPR to initiate action against the Government of Jamaica.
In turn, Jamaica may need to demonstrate that its data protection systems are sufficiently robust and consistent with the EU’s standards, and to provide proof of its actions following notification of the security failure. If it is unsuccessful in its defence, the fines and penalties could be significant.
4. Damage control versus transparency?
Finally, and based on the previously-mentioned article by JIS, this point is particularly worrying. Clearly, the Jamaican Government has egg on its face for the failure that has transpired, and there is likely to be an urgent need to manage the situation. However, in the relatively brief article that was published on 17 February, there seem to be more questions than answers, with regard to:
- The exact date the Government was notified of the breach, as was summarised above.
- That following a thorough investigation, “there is no evidence to suggest that the security vulnerability had been exploited for malicious data extraction prior to it being rectified”. The data on the server was not protected, and could have been readily accessed, copied and used for exploitation at any point over the past nine months, or at some time in the future. Further, if the security failure only became known to the Government on 16 February, then less than 24 hours to conduct a thorough investigation of the server, of the dark web, and of the sites globally that trade in personal data, seems a (huge) stretch. Additionally, at better-resourced organisations than the Government of Jamaica and Amber Group, it tends to take several weeks or months for the full gravity and impact of such situations to come to light.
- The assurances of the Government about how seriously they take data privacy and security ring hollow.
Essentially, although there might be a need for damage control – to protect Jamaica’s reputation globally, and to manage potential liability – transparency is critical as part of the process. One needs to be seen as honest, and to clearly communicate the efforts that have been (or are being) made to manage the situation. Many organisations have tried, to their peril, to minimise the gravity of security breaches that have been made public.
In summary, and as devastating as this situation is, Jamaica has been given an invaluable opportunity from which to learn, and to ensure that meaningful policies and systems are established, enforced, rigorously monitored, and updated on a regular basis. Security breaches can happen at any time, but it is how they are managed, the remediations that are made, and the lessons learnt that become critical, and will improve Jamaica’s credibility going forward.
Image credits: Pixabay – ComMkt; Gordon Johnson
Is it not the case that the government is exempt from the data protection rules?