[BreachExchange] Jamaica’s immigration website exposed thousands of travelers’ data

[Destry Winant]

https://techcrunch.com/2021/02/17/jamaica-immigration-travelers-data-exposed/

A security lapse by a Jamaican government contractor has exposed
immigration records and COVID-19 test results for hundreds of
thousands of travelers who visited the island over the past year.

The Jamaican government contracted Amber Group to build the JamCOVID19
website and app, which the government uses to publish daily
coronavirus figures and allows residents to self-report their
symptoms. The contractor also built the website to pre-approve travel
applications to visit the island during the pandemic, a process that
requires travelers to upload a negative COVID-19 test result before
they board their flight if they come from high-risk countries,
including the United States.

But a cloud storage server storing those uploaded documents was left
unprotected and without a password, and was publicly spilling out
files onto the open web.

Many of the victims whose information was found on the exposed server
are Americans.

TechCrunch discovered the exposure as part of a separate investigation
into COVID-19 apps. After TechCrunch contacted Amber Group’s chief
executive Dushyant Savadia, who did not comment when reached prior to
publication, the data was secured.

The storage server, hosted on Amazon Web Services, was set to public.
It’s not known for how long the data was unprotected, but contained
more than 70,000 negative COVID-19 lab results, over 425,000
immigration documents authorizing travel to the island — which
included the traveler’s name, date of birth and passport numbers — and
over 250,000 quarantine orders dating back to June 2020, when Jamaica
reopened its borders to visitors after the pandemic’s first wave. The
server also contained more than 440,000 images of travelers’
signatures.

Two U.S. travelers whose lab results were among the exposed data told
TechCrunch that they uploaded their COVID-19 results through the Visit
Jamaica website before their travel. Once lab results are processed,
travelers receive a travel authorization that they must present before
boarding their flight.

Both of these documents, as well as quarantine orders that require
visitors to shelter in place and several passports, were on the
exposed storage server.

Travelers who are staying outside Jamaica’s so-called “resilient
corridor,” a zone that covers a large portion of the island’s
population, are told to install the app built by Amber Group that
tracks their location and is tracked by the Ministry of Health to
ensure visitors stay within the corridor. The app also requires that
travelers record short “check-in” videos with a daily code sent by the
government, along with their name and any symptoms.

The server exposed more than 1.1 million of those daily updating
check-in videos.

An airport information flyer given to travelers arriving in Jamaica.
Travelers may be required to install the JamCOVID19 app to allow the
government to monitor their location and to require video check-ins.
(Image: Jamaican government)

The server also contained dozens of daily timestamped spreadsheets
named “PICA,” likely for the Jamaican passport, immigration and
citizenship agency, but these were restricted by access permissions.
But the permissions on the storage server were set so that anyone had
full control of the files inside, such as allowing them to be
downloaded or deleted altogether. (TechCrunch did neither, as doing so
would be unlawful.)

Stephen Davidson, a spokesperson for the Jamaican Ministry of Health,
did not comment when reached, or say if the government planned to
inform travelers of the security lapse.

In a brief statement after we published, the Jamaican government
issued a statement confirming the vulnerability.

“A thorough investigation was immediately initiated to determine if
there were any breaches in travelers’ data security, if the
vulnerability had been exploited, and if there was a breach of any
laws. At present, there is no evidence to suggest that the security
vulnerability had been exploited for malicious data extraction prior
to it being rectified,” the statement read.

Savadia founded Amber Group in 2015 and soon launched its
vehicle-tracking system, Amber Connect.

According to one report, Amber’s Savadia said the company developed
JamCOVID19 “within three days” and made it available to the Jamaican
government in large part for free. The contractor is billing other
countries, including Grenada and the British Virgin Islands, for
similar implementations, and is said to be looking for other
government customers outside the Caribbean.

Savadia would not say what measures his company put in place to
protect the data of paying governments.

Jamaica has recorded at least 19,300 coronavirus cases on the island
to date, and more than 370 deaths.

Updated with a statement from the Jamaican government.