
Jamaica’s JamCOVID pulled offline after third security lapse exposed travelers’ data

Zack Whittaker
Security Editor, TechCrunch
February 26, 2021

Data Breach Affects Hundreds of Thousands of Travelers to Jamaica

The JamCOVID application and associated website, utilized by Jamaica to manage traveler information, were temporarily taken offline following a recent security incident. This marks the third such occurrence, resulting in the exposure of sensitive quarantine orders for over 500,000 individuals visiting the island.

JamCOVID’s Role in Traveler Management

Launched last year, JamCOVID was designed to streamline the processing of arriving travelers for the Jamaican government. The system issues quarantine orders, mandated by the Jamaican Ministry of Health, requiring travelers to self-isolate for a period of two weeks to mitigate the spread of COVID-19.

These official orders contain personally identifiable information, including the traveler’s full name and the address where they are required to complete their quarantine.

Unprotected Data Exposure

A security researcher revealed to TechCrunch that these quarantine orders were publicly accessible via the JamCOVID website without any password protection. The researcher, wishing to remain anonymous due to potential legal ramifications from the Jamaican government, brought this vulnerability to light.

The exposed data encompassed over 500,000 quarantine orders, with records extending back to March 2020.

Reporting and System Shutdown

TechCrunch shared its findings with the Jamaica Gleaner, which independently verified the data breach with local cybersecurity professionals before publishing the report.

Shortly after being contacted by both TechCrunch and the Jamaica Gleaner, Amber Group, the company responsible for developing and maintaining the JamCOVID platform, temporarily suspended the service. The website was replaced with a maintenance notice. As of the latest update, the site has been restored.

Lack of Response from Key Personnel

Requests for comment from Dushyant Savadia, chief executive of Amber Group, went unanswered. Similarly, Matthew Samuda, a minister within Jamaica’s Ministry of National Security, did not respond to inquiries regarding the incident or the potential future of the government’s contract with Amber Group.

Recurring Security Issues

This incident represents the third security lapse involving JamCOVID within the last two weeks.

Previously, Amber Group addressed an exposed cloud storage server on Amazon Web Services that contained over 70,000 negative COVID-19 test results and more than 425,000 immigration documents. Following that, a second vulnerability was rectified after private keys and passwords for the service were discovered on the JamCOVID server. Savadia had previously asserted that no further vulnerabilities existed.

Government Defense of Amber Group

The Jamaican government has consistently defended Amber Group, noting that the JamCOVID technology was provided to them without charge. Savadia has stated that the service was developed within a remarkably short timeframe of “three days.”

Government Response and Future Plans

In a public statement released on Thursday, Jamaican Prime Minister Andrew Holness emphasized that JamCOVID “continues to be a critical element” of the nation’s immigration procedures. He also indicated that the government is expediting the migration of the JamCOVID database, though specific details regarding this process were not disclosed.

A correction was made to an earlier version of this report regarding the spelling of the Jamaica Gleaner newspaper. We apologize for this error.
