
JamCOVID Scandal: How Jamaica Failed to Protect Data

April 3, 2021
Jamaica's Early Reopening and the JamCOVID Data Breach

Following the declaration of the COVID-19 pandemic in March, while many governments implemented lockdowns, certain nations began formulating strategies for reopening. Jamaica was among the first to act, opening its borders by June.

Tourism is a vital component of Jamaica’s economy, contributing roughly one-fifth of its total economic output. In 2019, the island welcomed four million tourists, providing employment for a significant portion of its three million inhabitants.

However, as the pandemic persisted into the summer months, Jamaica’s economy experienced a sharp decline. Reviving tourism was seen as the primary path to recovery, even if it presented potential risks to public health.

The Development of JamCOVID

The Jamaican government partnered with Amber Group, a technology firm based in Kingston, to create a border management system. This system, named JamCOVID, was designed to facilitate the safe return of residents and allow travelers to enter the island.

JamCOVID was implemented as both a mobile application and a website, enabling pre-travel screening for visitors. Travelers arriving from high-risk areas, including the United States, were required to submit a negative COVID-19 test result through the JamCOVID platform prior to their flight.

Dushyant Savadia, CEO of Amber Group, stated that the JamCOVID system was developed within “three days” and initially offered to the Jamaican government as a donation. The government subsequently contracted Amber Group for supplementary features and customizations.

The initial implementation of JamCOVID appeared successful, leading to Amber Group securing contracts to deploy its border entry system on at least four additional Caribbean islands.

The Data Exposure

Last month, TechCrunch reported a significant security vulnerability within JamCOVID. The platform exposed sensitive immigration data, including passport numbers and COVID-19 lab test results, belonging to approximately half a million travelers – many of whom were American citizens – over the past year.

The issue stemmed from Amber Group configuring the JamCOVID cloud server with public access, allowing anyone with a web browser to access the stored data.

Regardless of whether the data exposure was the result of an oversight or negligence, it represented a serious error for both the technology company and the Jamaican government.

The Government's Response

The situation could have concluded with the correction of the security flaw. However, the subsequent response from the government became the focal point of the issue.

The handling of the breach and the ensuing communication have drawn scrutiny, shifting the narrative beyond the initial data exposure itself.

Multiple Security Breaches Revealed

Following the initial surge of the coronavirus pandemic, contact-tracing applications were still in early stages of development, and comprehensive traveler screening protocols were largely absent across many nations. Governments faced a significant challenge in rapidly developing or procuring the necessary technology to effectively monitor the virus’s propagation.

Jamaica stood out as one of the few countries utilizing location data for traveler monitoring, which subsequently prompted concerns from civil rights organizations regarding privacy and data security.

During an investigation encompassing a wide array of COVID-19 applications and related services, TechCrunch discovered that JamCOVID was storing data on a server that lacked password protection and was publicly accessible.

This was not the first security vulnerability or data exposure identified through TechCrunch’s reporting, nor the first pandemic-related security concern. The Israeli spyware firm NSO Group previously left genuine location data exposed on an unsecured server used to demonstrate its novel contact-tracing system. Norway, an early adopter of a contact-tracing app, ultimately withdrew it after its data protection authority determined that the continuous tracking of citizens’ locations posed a substantial privacy risk.

Consistent with standard procedure, we attempted to notify the server’s owner. Jamaica’s Ministry of Health was alerted to the data exposure on the weekend of February 13. Although detailed information about the vulnerability was provided to ministry spokesperson Stephen Davidson, no response was received. The data remained exposed for two further days.

Following conversations with two American travelers whose data was being exposed, we identified Amber Group as the server’s owner. Contacting its chief executive, Savadia, on February 16 resulted in an acknowledgment of the email but no substantive comment. The server was secured approximately one hour later.

Our report was published that afternoon. Subsequently, the Jamaican government released a statement asserting that the security lapse had been “discovered on February 16” and “immediately rectified,” both claims proving inaccurate.

Instead of acknowledging the issue, the government initiated a criminal investigation into potential “unauthorized” access to the exposed data that had prompted our initial report. This action was interpreted as a veiled threat directed towards our publication. The government also stated it had contacted international law enforcement partners.

When contacted, a representative from the FBI declined to confirm whether the Jamaican government had reached out to the agency.

The situation did not improve for JamCOVID. In the days following the first report, the government engaged Escala 24×7, a cloud consulting firm, to evaluate JamCOVID’s security posture. The findings of this assessment were not made public, but the company expressed confidence that “no current vulnerability” existed within JamCOVID. Amber Group similarly maintained that the lapse was a “completely isolated occurrence.”

Within a week, TechCrunch alerted Amber Group to two additional security breaches. A security researcher, prompted by news of the initial report, discovered exposed private keys and passwords for JamCOVID’s servers and databases hidden on its website, alongside a third vulnerability that resulted in the exposure of quarantine orders for over half a million travelers.

Amber Group and the government attributed the issues to “cyberattacks, hacking and mischievous players.” However, the underlying reality was that the application simply lacked adequate security measures.

A Timely Setback for Jamaica’s National ID System

Recent security vulnerabilities have emerged at a particularly inopportune moment for the Jamaican government, coinciding with its renewed efforts to implement a national identification system (NIDS). This proposed NIDS aims to compile biographic data, including biometric information like fingerprints, for all Jamaican citizens.

This second attempt comes after Jamaica’s High Court overturned a previous iteration of the law two years prior, deeming it unconstitutional.

The security issues surrounding the JamCOVID platform are being highlighted by critics as justification for abandoning the planned national database. A collective of privacy advocates and civil rights organizations has pointed to these recent incidents as evidence of the “potentially dangerous” implications for the privacy and security of Jamaican citizens.

Over a month has passed since initial reporting, yet significant questions remain unanswered. These include the circumstances surrounding Amber Group’s contract award for the development and operation of JamCOVID, the cause of the cloud server exposure, and whether comprehensive security assessments were performed prior to launch.

Inquiries sent to both the Jamaican prime minister’s office and Minister Matthew Samuda regarding government funding or payments to Amber Group for JamCOVID, as well as any stipulated security requirements, have gone unanswered.

Amber Group has also refrained from disclosing the financial gains derived from its government contracts. Savadia, Amber Group’s chief executive, declined to reveal contract values to a local news outlet and did not respond to our direct inquiries.

In the wake of the second security breach, the opposition party has called for the release of the contracts governing the relationship between the government and Amber Group. Prime Minister Andrew Holness acknowledged the public’s “right to know” about government agreements, but cautioned that “legal hurdles,” such as national security concerns or the protection of “sensitive trade and commercial information,” might impede full disclosure.

This statement followed a recent denial by the government, under a legal provision protecting personal privacy, of a request from The Jamaica Gleaner newspaper for access to contracts detailing the salaries of public officials. Critics contend that the public is entitled to transparency regarding the compensation of individuals funded by taxpayer money.

The opposition party has also requested clarification on measures taken to inform affected individuals.

Initial statements from government minister Samuda minimized the scope of the security lapse, suggesting only 700 people were impacted. However, our investigation has found no corroborating evidence. To this date, there is no indication that the Jamaican government notified the hundreds of thousands of travelers whose data was compromised, nor the 700 individuals the government claimed to have contacted without public disclosure.

Requests to Minister Samuda for a copy of the alleged notification sent to victims have been ignored. Similar requests directed to Amber Group and the prime minister’s office have also received no response.

A significant number of those affected by the data breach are citizens of the United States. Neither of the American individuals featured in our initial report received notification of the incident.

Representatives from the Attorneys General offices in New York and Florida have confirmed to TechCrunch that they have not been contacted by either the Jamaican government or Amber Group, despite legal mandates requiring notification of data breaches.

The decision to reopen Jamaica’s borders came with consequences. The island experienced over one hundred new COVID-19 cases in the following month, with the majority originating from the United States. Between June and August, the daily number of new coronavirus cases increased from tens to hundreds.

As of this report, Jamaica has recorded over 39,500 COVID-19 cases and 600 related deaths.

Prime Minister Holness addressed the border reopening decision during a parliamentary session discussing the national budget. He stated that the country’s economic downturn last year was “driven by a massive 70% contraction in our tourist industry.” Holness reported that over 525,000 travelers – residents and tourists alike – had entered Jamaica since the borders reopened, a figure comparable to the number of traveler records found on the exposed JamCOVID server in February.

Holness defended the decision to reopen the borders, stating that failing to do so would have resulted in a 100% loss of tourism revenue instead of 75%, hindering employment recovery, worsening the balance of payments, and jeopardizing government revenues.

Both the Jamaican government and Amber Group stood to gain from the reopening of borders. The government aimed to revitalize its struggling economy, while Amber Group anticipated increased business through new government contracts. However, insufficient attention was given to cybersecurity, and those harmed by this oversight deserve a clear explanation.

For secure communication, reach out via Signal and WhatsApp at +1 646-755-8849. Files and documents can be submitted through our SecureDrop.
