Authorities begin a probe into a recent data breach jeopardizing over 1 million user accounts of the Indonesia Health Alert Card (eHAC) application.
The Health Ministry, National Police and Communications and Information Ministry said on Tuesday that they were looking into a suspected data breach of the government’s Indonesia Health Alert Card (eHAC) system, which has jeopardized around 1.3 million users’ data.
The potential breach of eHAC – an app developed to help with COVID-19 contact tracing – was brought to light by encryption provider vpnMentor, which wrote in a report on Monday that the data included contact details, ID card details and COVID-19 test results.
Health Ministry data and information center head Anas Ma’ruf said on Tuesday that the potentially flawed eHAC system had been inoperative since July 2, and gave an assurance that it was separate from the eHAC system integrated with the widely used COVID-19 tracking app PeduliLindungi.
“The government asks everyone to uninstall and delete the old and separate eHAC app,” he said.
Authorities suspect the breach occurred on a third party’s system, but could only verify this after conducting a “digital forensic audit”, he added in a statement, without further elaboration.
He went on to say that the safety of the operational eHAC system was “guaranteed”. The system’s server infrastructure was located in the national data center secured by the communications ministry and the National Cyber and Encryption Agency (BSSN).
Communications ministry spokesman Dedy Permadi confirmed the probe to The Jakarta Post, while National Police spokesman Sr. Comr. Argo Yuwono confirmed it to other local media outlets.
In the report, vpnMentor, which discovered the leaked database on July 15, blamed the breach on the developers’ failure to implement adequate data-privacy protocols.
After confirming the records’ authenticity, the provider contacted the Health Ministry, Indonesia Computer Emergency Response Team (CERT) and eHAC hosting provider Google on July 21, July 22 and July 25, respectively, to present the findings, but none of them responded.
Subsequently vpnMentor contacted the BSSN on Aug. 22, which responded that same day and took down the server on Aug. 24, reads the report.
“The massive amount of data collected and exposed for each individual using eHAC left them incredibly vulnerable to a wide range of attacks and scams,” wrote the provider.