A security lapse by a Jamaican government contractor has exposed immigration records and Covid-19 test results for hundreds of thousands of travelers who visited the island over the past year.
The Jamaican government contracted Amber Group to build the JamCOVID19 website and app, which the government uses to publish daily coronavirus figures and allows residents to self-report their symptoms.
The contractor also built the website to pre-approve travel applications to visit the island during the pandemic, a process that requires travelers to upload a negative COVID-19 test result before they board their flight if they come from high-risk countries, including the United States.
But a cloud storage server storing those uploaded documents was left unprotected and without a password, and was publicly spilling out files onto the open web.
Many of the victims whose information was found on the exposed server are Americans.
The data is now secure after TechCrunch contacted Amber Group’s chief executive Dushyant Savadia, who did not comment when reached prior to publication.
The storage server, hosted on Amazon Web Services, was set to public. It’s not known for how long the data was unprotected, but contained more than 70,000 negative COVID-19 lab results, over 425,000 immigration documents authorizing travel to the island — which included the traveler’s name, date of birth and passport numbers — and over 250,000 quarantine orders dating back to June 2020, when Jamaica reopened its borders to visitors after the pandemic’s first wave. The server also contained more than 440,000 images of travelers’ signatures.
Two U.S. travelers whose lab results were among the exposed data told TechCrunch that they uploaded their COVID-19 results through the Visit Jamaica website before their travel. Once lab results are processed, travelers receive a travel authorization that they must present before boarding their flight.
Both of these documents, as well as quarantine orders that require visitors to shelter in place and several passports, were on the exposed storage server.
Travelers who are staying outside Jamaica’s so-called “resilient corridor,” a zone that covers a large portion of the island’s population, are told to install the app built by Amber Group that tracks their location and is tracked by the Ministry of Health to ensure visitors stay within the corridor.
The app also requires that travelers record short “check-in” videos with a daily code sent by the government, along with their name and any symptoms.
The server exposed more than 1.1 million of those daily updating check-in videos.
The server also contained dozens of daily timestamped spreadsheets named “PICA,” likely for the Jamaican passport, immigration and citizenship agency, but these were restricted by access permissions. But the permissions on the storage server were set so that anyone had full control of the files inside, such as allowing them to be downloaded or deleted altogether. (TechCrunch did neither, as doing so would be unlawful.)
Stephen Davidson, a spokesperson for the Jamaican Ministry of Health, did not comment when reached, or say if the government planned to inform travelers of the security lapse.
Savadia founded Amber Group in 2015 and soon launched its vehicle-tracking system, Amber Connect.
According to one report, Amber’s Savadia said the company developed JamCOVID19 “within three days” and made it available to the Jamaican government in large part for free. The contractor is billing other countries, including Grenada and the British Virgin Islands, for similar implementations, and is said to be looking for other government customers outside the Caribbean.
Savadia would not say what measures his company put in place to protect the data of paying governments.
Jamaica has recorded at least 19,300 coronavirus cases on the island to date, and more than 370 deaths.
- Moody’s downgrades Ghana to further junk status, warns investors could lose in debt restructuring
- Organised Labour rejects 18% salary increment
- “We’ve been tracking Mohammed Kudus for more than one year” – Barcelona Director
- Qatar 2022: “Kudus is currently the World Cup best player” – Prince Boateng
- Ronaldo receives $225m offer to play for Saudi Arabian club
- Minority welcomes government’s decision to reintroduce road toll in 2023
- Some OMCs start reducing fuel prices, GOIL down by 3.5%
- Ato Forson calls out ministers and MPs for abandoning 2023 budget to watch football in Qatar
- 2023 Budget: TUC rejects government’s salary projection of ₵44.9m
- ‘Insulting’ Ashanti Regional NSS Boss to appear before Committee of Inquiry
- NHIA opens new office at Mion
- Second Lady calls for comprehensive development of children
- Include persons with mental health conditions in immunization programmes – MindFreedom Ghana to GHS
- Ofori-Atta has more integrity than 99% of politicians – Prof. Stephen Adei
- Directors of ‘The Woman King’ auditioned me for a role – Prince David Osei
- Government’s management of economy commendable – Prof Adei
- Supreme Court dismisses suit against GRA’s pay 30% before challenging Act
- If your music penetrates China, then you have done enough as an artiste – Kuami Eugene
- Playback: PM Express discuss Moody’s further downgrade of Ghana to junk status
- Chamber of Telecommunications outlines services to be affected by SIM deactivation
- Ernest Kojo Manu: Bumpy roads, illegal speed ramps posing serious threat to safety of road users
- Single spine is the most indecent salary structure – TUC
- Organised Labour revises demand for base pay increase to 65%
- Danny List urges black golfers to be more vocal to motivate young talents
- Crackdown on black market operators was to control cedi depreciation – Interior Minister