1.3 million data compromised on eHAC data leak, Ministry of Health urges the public to uninstall the outdated app
The Ministry of Health (Kemenkes) today (31 August) responded to an alleged data leak on eHAC (electronic Health Alert Card) mobile app. The app recorded more than 1.4 million data of 1.3 million users, which are concisely the presumed number of data leaked. In response to this, the ministry urges the public to uninstall the app from their mobile devices.
The eHAC app is originally an app made by the ministry earlier this year for travelling and COVID-19 testing purposes. The app was developed by the Directorate of Health Surveillance and Quarantine as well as Directorate General of Disease Prevention and Control in the Ministry of Health.
Indonesian and foreigners are required to use this app to travel the archipelago. The app was later merged with PeduliLindungi app.
Ministry of Health Head of Data and Information Centre Annas Maaruf on a press conference today said that the data leak on eHAC app has nothing to do with the eHAC in PeduliLindungi app as they are two separate entities.
"(The) data leak occurred in the old eHAC application that is no longer in use since...2 July 2021," Annas stated. Even though the function of eHAC has been merged with PeduliLindungi since July, he claimed that the one in PeduliLindungi has a different system from its predecessor. The ministry immediately deactivated the old eHAC app to mitigate the crisis.
The data leak itself was brought to attention by cyber researchers from vpnMentor, Noam Rotem and Ran Locar. They revealed that the application does not have adequate protection and it exposes the database of its users. They then reached out to the ministry to present their findings, but nobody responded.
On 22 August, the researchers then reported this issue to the Computer Emergency Response Team and Google as eHAC hosting provider, as well as other government bodies such as National Cyber and Crypto Agency. They received an immidiate response their responses on the same day and the app on 24 August was finally deactivated.
The leaked data include Resident Identification Number (NIK), passport number, data from COVID-19 test results, address, telephone number, hospital patient number, full name, date of birth, occupation and photo.
Aside from those, they also found the data from 266 hospitals and clinics across Indonesia along with the name of the people responsible for testing each traveler, the doctor who ran the test, information on how many tests were performed each day and the type of travels made by users. Data of public officials are among the leaked data as well.