While governments scrambled To end their populations after the COVID-19 pandemic was declared last March, some countries had plans underway to reopen it. In June, Jamaica became one of the first countries to open its borders.
Tourism accounts for about a fifth of Jamaica’s economy. In 2019 alone, four million travelers visited Jamaica, generating thousands of jobs for its three million residents. But as COVID-19 extended into the summer, Jamaica’s economy was in a free fall and tourism was its only way back – even if it meant at the expense of public health.
The Jamaican government hired Amber Group, a technology company based in Kingston, to build a border entry system allowing residents and travelers to return to the island. The system was called JamCOVID and was implemented as an application and a website to allow visitors to be selected before they arrive. To cross the border, travelers had to send a negative COVID-19 test result to JamCOVID before boarding their flight from high-risk countries, including the United States.
Amber Group CEO Dushyant Savadia boasted that his company developed JamCOVID in “three days” and that he effectively donated the system to the Jamaican government, which in turn paid Amber Group for additional features and customizations. The deployment appeared to be a success, and the Amber Group subsequently signed contracts to extend its border entry system to at least four other Caribbean islands.
But last month, TechCrunch revealed that JamCOVID exposed immigration documents, passport numbers and COVID-19 laboratory test results to nearly half a million travelers – including many Americans – who visited the island last year. Amber Group has defined access to the JamCOVID cloud server as public, allowing anyone to access their data from their browser.
If the exposure of the data was caused by human error or negligence, it was an embarrassing mistake for a technology company – and, by extension, for the Jamaican government – to make.
And that may have been the end of it. Instead, the government’s response has become history.
A trio of security flaws
At the end of the first wave of coronavirus, contact tracking applications were still in their infancy and few governments had plans to track travelers when they reached their borders. It was a struggle for governments to create or acquire technology to understand the spread of the virus.
Jamaica is one of the few countries that uses location data to monitor travelers, prompting human rights groups to raise questions about privacy and data protection.
As part of an investigation into a wide range of these COVID-19 applications and services, TechCrunch found that JamCOVID was storing data on an exposed, password-free server.
This was not the first time that TechCrunch has found security holes or exposed data through our reports. It was also not the first pandemic-related security scare. Israeli spyware maker NSO Group left real location data on an unprotected server that it used to demonstrate its new contact tracking system. Norway was one of the first countries with a contact tracking app, but withdrew it after the country’s privacy authority found that continuous tracking of citizens’ locations was a privacy risk.
Just like in any other story, we got in touch with who we thought was the owner of the server. We alerted the Jamaican Ministry of Health to data exposure over the weekend of February 13. But after we provided specific details of the exposure to Ministry spokesman Stephen Davidson, we had no answer. Two days later, the data was still exposed.
After speaking with two American travelers whose data was leaking from the server, we restricted the owner of the server to Amber Group. We contacted his chief executive, Savadia, on February 16, who acknowledged the email, but did not comment, and the server was secured about an hour later.
We ran our story that afternoon. After we published, the Jamaican government issued a statement alleging that the lapse was “discovered on February 16” and “immediately rectified”, none of which was true.
Contact us
Do you have a tip? Contact us securely using SecureDrop. Find out more here.
Instead, the government responded by launching a criminal investigation to see if there was any “unauthorized” access to the unprotected data that led to our first story, which we perceive to be a veiled threat directed at this publication. The government said it has contacted its law enforcement partners abroad.
When contacted, an FBI spokesman declined to say whether the Jamaican government had contacted the agency.
Things have not improved much for JamCOVID. In the days following the first story, the government hired a cloud consultant, Scale 24 × 7, to assess the security of JamCOVID. The results were not released, but the company said it was confident that “there is no current vulnerability” on JamCOVID. The Amber Group also said the lapse was a “completely isolated occurrence”.
A week passed and TechCrunch alerted Amber Group about two more security breaches. After the attention of the first report, a security researcher who saw the news of the first lapse found exposed private keys and passwords for hidden JamCOVID servers and databases on his website, and a third lapse that leaked quarantine requests to more than half a million of travelers.
Amber Group and the government claimed to have faced “cyber attacks, hackers and malicious players”. In reality, the application was not as secure.
Politically inconvenient
Security breaches occur at a politically inconvenient time for the Jamaican government, which is trying to launch a national identification system, or NIDS, for the second time. The NIDS will store biographical data of Jamaican citizens, including their biometrics, as well as their fingerprints.
The repeated effort comes two years after the government’s first law was declared unconstitutional by the Supreme Court of Jamaica.
Critics cited JamCOVID’s security flaws as a reason to abandon the proposed national database. A coalition of rights and privacy groups cited recent issues with JamCOVID to find out why a national database is “potentially dangerous to Jamaican privacy and security”. A spokesman for the Jamaica opposition party told local media that “there was not much confidence in NIDS in the first place”.
More than a month has passed since we published the first story and there are many unanswered questions, including how Amber Group got the contract to build and run JamCOVID, how the cloud server was exposed and whether security tests were carried out before its launch.
TechCrunch sent an email to the office of the Jamaican Prime Minister and to Matthew Samuda, Minister of the Ministry of National Security of Jamaica, to ask how much, if anything, the government donated or paid to Amber Group to administer JamCOVID and what security requirements, if any, have been agreed upon for JamCOVID above. We did not get an answer.
The Amber Group also did not say how much it gained from its government contracts. Amber Group’s Savadia declined to disclose the value of the contracts to a local newspaper. Savadia did not respond to our emails with questions about her contracts.
After the second security lapse, Jamaica’s opposition party demanded that the prime minister release the contracts that govern the deal between the government and the Amber Group. Prime Minister Andrew Holness said at a news conference that the public “should know” about government contracts, but warned that “legal obstacles” can prevent disclosure, such as for national security reasons or when “commercial and commercial information is confidential “may be disclosed.
This happened days after the local newspaper The Jamaica Gleaner received a request to obtain contracts revealing the salaries of government employees denied by the government under a legal clause that prevents the disclosure of an individual’s private affairs. Critics argue that taxpayers have a right to know how much government officials receive from public funds.
Jamaica’s opposition party also asked what was done to notify the victims.
Government Minister Samuda initially minimized the security lapse, claiming that only 700 people were affected. We scoured social media for evidence, but found nothing. To date, we have found no evidence that the Jamaican government has informed travelers about the security incident – either in the hundreds of thousands of affected travelers whose information has been exposed, or in the 700 people the government has claimed to have notified but not publicly disclosed. .
TechCrunch sent an email to the minister to request a copy of the notification the government allegedly sent to the victims, but we received no response. We also request comments from the Amber Group and the office of the Prime Minister of Jamaica. We had no answer.
Many of the victims of the security lapse are from the United States. Neither of the two Americans we spoke to in our first report was notified of the violation.
Spokespersons for New York and Florida attorney generals, whose residents’ information was exposed, told TechCrunch that they had not heard from the Jamaican government or the contractor, despite state laws requiring disclosure of data breaches.
The reopening of Jamaica’s borders came at a cost. The island saw more than 100 new cases of COVID-19 in the following month, most from the United States. From June to August, the number of new coronavirus cases went from tens to tens to hundreds each day.
To date, Jamaica has recorded more than 39,500 cases and 600 deaths from the pandemic.
Prime Minister Holness reflected on the decision to reopen its borders last month in parliament to announce the country’s annual budget. He said the country’s last economic decline was “driven by a massive 70% contraction in our tourism industry”. More than 525,000 travelers – residents and tourists – have arrived in Jamaica since the borders opened, said Holness, slightly more than the number of traveler records found on the JamCOVID server exposed in February.
Holiness defended the reopening of the country’s borders.
“If we hadn’t done that, the drop in tourism revenues would have been 100% instead of 75%, there would have been no job recovery, our balance of payments deficit would have worsened, general government revenues would have been threatened, and there would have been there is no argument to be made about spending more, ”he said.
Both the Jamaican government and the Amber Group have benefited from opening the country’s borders. The government wanted to revive its declining economy, and the Amber Group enriched its business with new government contracts. But neither of them paid enough attention to cybersecurity, and the victims of their neglect deserve to know why.
Send tips securely through Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. To know more.