Data on more than 1 million eHAC users may be compromised
A reported data breach of the now-defunct electronic Health Alert Card (eHAC) system has raised serious concerns about the security of the PeduliLindungi application, a key part of the government’s “living with COVID-19” strategy.
The authorities said they had investigated a suspected data breach of the old eHAC system, which had jeopardized the data of around 1.3 million users. The system was primarily used by the Health Ministry to help with COVID-19 contact tracing.
The incident, which is not unusual given the country’s weak cybersecurity, was brought to light by encryption provider vpnMentor, which wrote in a report on Monday that the exposed data included contact details, ID card details and COVID-19 test results.
“The Health Ministry is sure that no private data of eHAC users was leaked. The data on eHAC is not shared with the third party’s platform,” Health Ministry Data and Information Center head Anas Ma’ruf said in a press conference on Wednesday.
That being said, the National Cyber and Encryption Agency (BSSN) admitted that there had been a potential exposure of private data as reported by vpnMentor.
“Thank God, we received good information from vpnMentor,” said BSSN spokesperson Anton Setiawan.
Digital tracing system
The eHAC fiasco came to light shortly after the government announced it would require the public to download the PeduliLindungi app, which is connected to the new eHAC system, on their phones as it prepares for the increasingly inevitable reality in which the country may have to live side by side with COVID-19 for years to come.
“The pandemic is unavoidable, not only for the Indonesian people alone, but also for the global community,” Coordinating Maritime Affairs and Investment Minister Luhut Pandjaitan said on Monday, adding that one way people could deal with the virus was by taking the right precautions such as wearing masks, washing hands and social distancing, conducting mass testing and tracing, and expediting the vaccination rate.
The PeduliLindungi app, which provides the vaccination records, health status and travel history of the account holders, is primarily designed to help boost the government’s testing and tracing capacity and allow people to go about their activities.
“Strict implementation of health protocols based on the PeduliLindungi app is key if we do not want to repeat the difficult moments in early July when cases increased so significantly that our health system was on the borderline, forcing us to impose an emergency lockdown that had a huge economic impact,” he said.
Following the alleged data breach, the government assured the public that the new eHAC system within the PeduliLindungi app was safe, saying that the system’s server infrastructure was located in the national data center secured by the BSSN.
Not everyone is convinced, however.
‘Leaving your house open’
Drone Emprit cofounder and cyber activist Ismail Fahmi said regardless of whether public data stored in the eHAC system had been stolen, the incident exposed the government’s recklessness in handling its own citizens’ private data.
“It’s like leaving a house open while precious goods are still left behind unprotected. It’s reckless and should not happen again,” he told The Jakarta Post.
Ismail pointed to the fact that there was a gap between vpnMentor’s first sighting of the database exposure on July 15 and the response from the government, and that there was still no certainty that private data of citizens had not been accessed by parties other than the government or vpnMentor.
He said the PeduliLindungi app should have stronger protection against cyberattacks as it not only stored citizens’ personal information, but also tracked their movements.
“We need transparency about where our data is being stored, who can access it, and whether there is a third party that can publicly verify the app’s safety,” Ismail said.
There is no indication the PeduliLindungi app is safer than the compromised eHAC app, cybersecurity researcher and consultant Teguh Aprianto said, lamenting another instance of the government’s failure to protect its citizens’ privacy.
“People are forced to use these apps by the government without explanation or guarantee about how safe they are.”
Teguh called on the authorities to prevent possible data leaks by making sure that data-protection infrastructure was in place, as well as by ensuring that citizens’ sensitive data were encrypted, as stipulated by a 2021 Communications and Information Ministry circular that requires such a procedure.
“If such practices are ignored, then data leaks will continue to happen and the leaked data could easily be read by anyone as it was not encrypted in the first place,” he said.
‘Not liable’ for cyberattacks
As government officials scramble to reassure the public about the safety of the PeduliLindungi app, critics have pointed to an article in the app’s terms and conditions that says the government and the app’s developer, PT Telkom Indonesia, cannot be held liable for illegal access to the app.
“How can we trust them? They are ready to face any [problems] since whatever the problems are they cannot be sued as we have agreed to the terms and conditions,” Ismail said.
Anton, however, defended PeduliLindungi’s terms and conditions, saying that both users and the government had a share of responsibility in protecting users’ data.
“The terms and conditions explain that the government and PT Telkom Indonesia are not liable for the misuse [illegal access] of the PeduliLindungi app if it was conducted by the users themselves,” said the BSSN official.
Activists have long called for the House of Representatives and the government to pass the data protection bill, which is badly needed as a legal basis for data protection. The lawmakers have been dragging their feet on passing the bill.
Who keeps our data?
Authorities suspect the breach occurred on a third party’s system, but they have refused to name the party the government worked with.
In its report, vpnMentor, which discovered the leaked database on July 15, blamed the breach on the developers’ failure to implement adequate data privacy protocols.
After confirming the records’ authenticity, vpnMentor contacted the Health Ministry, the Indonesia Computer Emergency Response Team (CERT) and eHAC hosting provider Google on July 21, 22 and 25, respectively, to present the findings, but none of them responded. Subsequently vpnMentor contacted the BSSN on Aug. 22, which responded that same day and took down the server on Aug. 24, according to the report.
“The massive amount of data collected and exposed for each individual using eHAC left them incredibly vulnerable to a wide range of attacks and scams,” said vpnMentor.
Ismail questioned why the government refused to identify the third party allegedly responsible for the potential data breach, saying that the government must name the company developing the PeduliLindungi app. He said it remained unclear if the third party was able to access and copy citizens’ data on the app.
“This is no longer the case of a hacker stealing our data. We give our private data to the government, which in turn gives it to a third party without consent,” Ismail said. (ahw)