Cybersecurity researchers say they have discovered a flaw in an Indonesian Covid-19 test-and-trace app that exposed the personal information and health data of up to 1.3 million people.

An official for Indonesia’s health ministry told Reuters that the government was investigating but the flaw looked to be in an earlier version of the Indonesia Health Alert Card (eHAC) app that is no longer in use.

Researchers at vpnMentor said developers of the eHAC app used an unsecured Elasticsearch database, which led to an open server leaving some 2GB of personal data unprotected.

Exposed personally identifiable information included passports data, Indonesian ID number, date of births, full names, among others. Medical data includes Covid-19 test results, test types and hospital ID.

The vpnMentor researchers said they first discovered the unsecured database on 15 July. They contacted the Ministry of Health on 21 July. However, action wasn’t taken to rectify the leak until 24 August, vpnMentor said.

There is no evidence that the data has been accessed by criminals, but such exposures pose high risk to individuals when data ends up in the wrong hands.

“Had the data been discovered by malicious or criminal hackers, and allowed to accumulate data on more people, the effects could have been devastating on an individual and societal level,” vpnMentor said in a blog post.

Joseph Carson, chief security scientist at ThycoticCentrify, told Verdict that the Indonesia Covid-19 app breach could lead to “increased success in phishing scams and reduced confidence in government-led technologies”.

The Indonesia health ministry official said the earlier version of the eHAC app hasn’t been used since July and urged people to delete it.

The new app is managed by the government, the official added.

Unsecured databases are a common cause of data breaches and are usually easily preventable.

“Any database must have strict privileged access controls and apply the principle of least privilege along with strong multifactor authentication to ensure only trusted and authorized access is granted,” Carson said.

The data leak comes as countries around the world rely on smartphone apps to permit entry to public venues such as concert arenas and sports grounds.

Privacy advocates have previously raised concerns about digital Covid passes, while others insist they are the only realistic way to reopen the economy in the short to medium term.

Carson said he doesn’t believe that the Indonesia Covid app breach will reduce “overall” confidence in such apps. 

“However, it is a reminder to other governments to continue evaluating their security and ensure they are up to date,” he added.