The Indonesia eHAC (Electronic Health Alert Certificate) is a requirement to travel from a country on a government-selected list. As part of Indonesia’s Public Health Emergencies program, passengers have to complete the eHAC so that Public Health Emergencies can be detected, prevented, and controlled at Points of Entry (Airports, Seaports, and GCBPs).
Indonesian authorities, however, have reported that they are examining the COVID-19 test-and-trace application due to potential security vulnerabilities, which may have exposed the personal information and health status of 1.3 million people.
The leak from the COVID app is currently being investigated by Indonesia’s Ministry of Communications and Informatics.
The leak was announced on August 30th by the security review site vpnMentor, whose research team found exposed datasets generated by the popular app required of travelers entering and leaving Indonesia.
Personal information in the Indonesia Health Alert Card (eHAC) app, which travelers are frequently required to use, was accessible “due to the lack of protocols put in place by the app’s developers,” according to researchers.
A data protection official at the Ministry of Health said that the government is investigating the potential breach, but that the weakness is in an older version of the software.
“The eHAC from the old version is different from the eHAC system that is a part of the new app. Right now, we’re investigating this suspected breach,” stated Anas Ma’ruf, the health ministry official.
According to vpnMentor researchers, the vulnerability might expose users to phishing attacks or hacking.
Using only a browser, the researchers were able to “manipulate the URL search criteria into exposing schemata from a single index at any time” when accessing the eHAC data, which, in summary, was “completely unsecured and unencrypted.”
The researchers found personally identifying information, travel details, medical records, and COVID-19 information.
Some records also contained national identification numbers. Government users likewise had their personally identifiable information exposed, while other findings listed healthcare personnel in 226 hospitals who collaborated with eHAC users.
vpnMentor says individuals who had their personally identifiable information leaked may be subject to numerous issues. However, there is not yet any indication that the disclosed data has been misused.
This is the second data breach involving health data in Indonesia since May 2021, the first being the national health insurance plan breach.