Jamaica Immigration Website Data Breach | Traveler Data Exposed

Data Breach Exposes Travel Records for Hundreds of Thousands

A significant security vulnerability involving a Jamaican government contractor has resulted in the exposure of sensitive data. This includes immigration records and COVID-19 test results belonging to potentially hundreds of thousands of travelers who visited Jamaica in the last year.

JamCOVID19 Website and App – The Source of the Breach

The Jamaican government engaged Amber Group to develop the JamCOVID19 website and application. This platform serves as a central resource for daily coronavirus statistics and allows residents to report symptoms.

Furthermore, Amber Group created the system for pre-approving travel applications to Jamaica during the pandemic. Travelers from high-risk locations, such as the United States, were required to submit a negative COVID-19 test result prior to their flight.

Unprotected Cloud Storage Server

The data collected through these processes was stored on a cloud storage server. Critically, this server was left without password protection and publicly accessible on the internet, leading to the data exposure.

A substantial number of those affected by this breach are citizens of the United States.

Discovery and Remediation

TechCrunch uncovered the vulnerability during a separate investigation into COVID-19 applications. Following contact with Dushyant Savadia, Amber Group’s chief executive, the exposed data was secured.

Prior to being contacted by TechCrunch, Mr. Savadia had not offered any comment regarding the situation.

Details of the Exposed Data

The server, hosted on Amazon Web Services, was configured for public access. It contained a wealth of personal information, including:

• Over 70,000 negative COVID-19 lab results
• More than 425,000 immigration documents – containing names, dates of birth, and passport numbers
• Over 250,000 quarantine orders dating back to June 2020
• More than 440,000 images of travelers’ signatures

The duration of the data’s vulnerability remains unknown.

Traveler Accounts

Two U.S. travelers confirmed to TechCrunch that they had uploaded their COVID-19 test results through the Visit Jamaica website before traveling. Successful processing of these results granted them a travel authorization required for boarding their flights.

Both travel authorizations, alongside quarantine orders and passport copies, were present on the exposed server.

The “Resilient Corridor” and Location Tracking

Travelers staying outside of Jamaica’s designated “resilient corridor” were instructed to install an Amber Group-developed app. This app tracks their location and reports to the Ministry of Health to ensure compliance with corridor restrictions.

The app also necessitates daily “check-in” videos, including a government-provided code, along with the traveler’s name and any reported symptoms.

Over 1.1 million of these daily check-in videos were exposed on the server.

Server Permissions and Potential Risks

While some files, labeled “PICA” and likely related to the Jamaican passport, immigration and citizenship agency, were access-restricted, the overall server permissions granted full control to anyone. This included the ability to download the entire server content or delete files.

TechCrunch refrained from performing these actions, recognizing their unlawful nature.

Government Response

Stephen Davidson, a spokesperson for the Jamaican Ministry of Health, declined to provide a comment or indicate whether travelers would be notified of the security lapse.

Following publication of the initial report, the Jamaican government released a statement acknowledging the vulnerability.

The statement confirmed the initiation of a thorough investigation to determine if traveler data had been compromised, if the vulnerability was exploited, and if any laws were violated. Currently, there is no evidence of malicious data extraction prior to the issue being resolved.

About Amber Group

Amber Group was founded by Dushyant Savadia in 2015, initially focusing on vehicle-tracking systems with Amber Connect.

According to reports, Savadia stated that JamCOVID19 was developed “within three days” and offered to the Jamaican government largely without cost. The company is currently charging other nations, including Grenada and the British Virgin Islands, for similar implementations and is actively seeking additional government clients in the Caribbean region.

Savadia did not elaborate on the data protection measures implemented for paying governments.

COVID-19 Statistics in Jamaica

As of the latest data, Jamaica has recorded over 19,300 coronavirus cases and more than 370 deaths.

Updated with a statement from the Jamaican government.

Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more.