The government of Jamaica is responding to a case of security vulnerability on an immigration app that may have exposed the personal data of hundreds of thousands of travelers.
Since the government reopened the island’s borders in June 2020, all travelers have been required to use the JAMCOVID-19 app or website to access the travel authorization needed to enter Jamaica. This means uploading private information like their full name, date of birth, passport information, and other data.
JAMCOVID-19 also provides the latest COVID-19 statistics, allows citizens to self-report their health status, upload a daily “check-in” video while in quarantine, book an appointment for testing, as well as request emergency services such as the police or ambulance services.
But according to TechCrunch, a cloud storage server storing those uploaded documents was recently left unprotected and without a password, and was publicly spilling out files onto the open web. The website said that the server exposed more than 1.1 million of those daily updating check-in videos.
TechCrunch also reported that the app and website’s storage server, which was set to public, contained over 425,000 immigration documents and more than 440,000 images of travelers’ signatures.
In responding to the report, the Ministry of National Security says the issue was discovered yesterday and immediately rectified. The Ministry confirmed that the vulnerability was associated with the file storage service.
“A thorough investigation was immediately initiated to determine if there were any breaches in travelers’ data security, if the vulnerability had been exploited, and if there was a breach of any laws,” the ministry said.
“At present, there is no evidence to suggest that the security vulnerability had been exploited for malicious data extraction prior to it being rectified,” it added.
However, the ministry said it has contacted travelers whose data may have been subject to vulnerability and has assured them that steps have been taken to ensure the integrity and confidentiality of the data.
“The Government of Jamaica wishes to assure all travelers that we take data privacy and security extremely seriously and remain committed to stringent security protocols in keeping with local and international standards,” the statement said.
The ministry said it will continue to carry out “robust security testing” and update its security protocols as necessary to mitigate the risk of unauthorized access to data.
The Ministry did not state for how long the data was unprotected or how many travelers have been affected. But over one million people visited Jamaica in the first 10 months of 2020, most of whom came from the United States.
The Amber Group, which was contracted by the government to create the app and the accompanying website, has not yet responded to the reports of a security lapse.