Cybersecurity researchers say they have discovered a flaw in an Indonesian Covid-19 test-and-trace app that exposed the personal information and health data of up to 1.3 million people.

An official for Indonesia’s health ministry told Reuters that the government was investigating but the flaw looked to be in an earlier version of the Indonesia Health Alert Card (eHAC) app that is no longer in use.

Go deeper with GlobalData

Premium Insights

The gold standard of business intelligence.

Find out more

Researchers at vpnMentor said developers of the eHAC app used an unsecured Elasticsearch database, which led to an open server leaving some 2GB of personal data unprotected.

Exposed personally identifiable information included passports data, Indonesian ID number, date of births, full names, among others. Medical data includes Covid-19 test results, test types and hospital ID.

The vpnMentor researchers said they first discovered the unsecured database on 15 July. They contacted the Ministry of Health on 21 July. However, action wasn’t taken to rectify the leak until 24 August, vpnMentor said.

There is no evidence that the data has been accessed by criminals, but such exposures pose high risk to individuals when data ends up in the wrong hands.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“Had the data been discovered by malicious or criminal hackers, and allowed to accumulate data on more people, the effects could have been devastating on an individual and societal level,” vpnMentor said in a blog post.

Joseph Carson, chief security scientist at ThycoticCentrify, told Verdict that the Indonesia Covid-19 app breach could lead to “increased success in phishing scams and reduced confidence in government-led technologies”.

The Indonesia health ministry official said the earlier version of the eHAC app hasn’t been used since July and urged people to delete it.

The new app is managed by the government, the official added.

Unsecured databases are a common cause of data breaches and are usually easily preventable.

“Any database must have strict privileged access controls and apply the principle of least privilege along with strong multifactor authentication to ensure only trusted and authorized access is granted,” Carson said.

The data leak comes as countries around the world rely on smartphone apps to permit entry to public venues such as concert arenas and sports grounds.

Privacy advocates have previously raised concerns about digital Covid passes, while others insist they are the only realistic way to reopen the economy in the short to medium term.

Carson said he doesn’t believe that the Indonesia Covid app breach will reduce “overall” confidence in such apps. 

“However, it is a reminder to other governments to continue evaluating their security and ensure they are up to date,” he added.