As governments scrambled to lock down their populations after the COVID-19 pandemic was declared in March last year, some countries had plans to reopen. In June, Jamaica became one of the first countries to open its borders.
Tourism represents about one-fifth of Jamaica’s economy. In 2019 alone, four million travelers visited Jamaica, bringing thousands of jobs to its three million inhabitants. But as COVID-19 stretched into the summer, Jamaica’s economy was in free fall, and tourism was the only way back – even if that came at the expense of public health.
The Jamaican government contracted with Amber Group, a technology company headquartered in Kingston, to build a border entry system that would allow residents and travelers to return to the island. The system was called JamCOVID and was rolled out as an app and website to allow visitors to be screened before they arrive. To cross the border, travelers had to upload a negative COVID-1
Amber Group CEO Dushyant Savadia boasted that his company developed JamCOVID in “three days” and that it effectively donated the system to the Jamaican government, which in turn pays Amber Group for additional features and customizations. The rollout seemed to be a success, and Amber Group later secured contracts to roll out the border entry system to at least four other Caribbean islands.
But last month, TechCrunch revealed that JamCOVID exposed immigration documents, passport numbers and COVID-19 lab test results belonging to nearly half a million travelers – including many Americans – who visited the island in the past year. Amber Group had set the access to the JamCOVID cloud server to public, so that anyone could access the data from their browser.
Whether the data exposure was caused by human error or negligence, it was an embarrassing mistake for a technology company – and by extension also the Jamaican government – to make.
And that might have been the end of it. Instead, the government’s response became the story.
A trio of security lapses
Towards the end of the first wave of coronavirus, contact tracing apps were still in their infancy, and few governments had plans to screen travelers when they arrived at the borders. It was a struggle for governments to build or acquire technology to understand the spread of the virus.
Jamaica was one of a handful of countries that used location data to monitor travelers, prompting rights groups to raise concerns about privacy and data protection.
As part of a study of a wide range of these COVID-19 apps and services, TechCrunch found that JamCOVID stored data on an exposed, password-free server.
This was not the first time TechCrunch found security flaws or exposed data through our reporting. Nor was it the first pandemic-related security scare. The Israeli spyware manufacturer NSO Group left real location data on an unprotected server that it used to demonstrate its new contact tracing system. Norway was one of the first countries with a contact tracing app, but withdrew it after the country’s privacy authority found that its continuous tracking of citizens’ location was a privacy risk.
Just as we have done with other stories, we contacted who we thought was the server’s owner. We notified the Jamaican Ministry of Health of the data exposure on the weekend of 13 February. But after giving specific details about the exposure to the ministry’s spokesman Stephen Davidson, we did not hear back. Two days later, the data was still exposed.
After talking to two US travelers whose data was exposed on the server, we narrowed down the owner of the server to Amber Group. We contacted CEO Savadia on February 16, who acknowledged the email but did not comment, and the server was secured about an hour later.
We ran our story that afternoon. After we published, the Jamaican government issued a statement claiming that the lapse was “discovered on February 16” and was “immediately corrected,” neither of which was true.
Instead, the government responded by launching a criminal investigation into whether there was any “unauthorized” access to the unprotected data that led to our first story, which we perceived as a thinly veiled threat to this publication. The government said it had contacted its foreign law enforcement partners.
When reached, an FBI spokesman declined to say whether the Jamaican government had contacted the agency.
Things did not get much better for JamCOVID. In the days that followed the first story, the government hired a cloud consultant, Escala 24×7, to assess JamCOVID’s security. The results were not disclosed, but the company said it was confident there was “no current vulnerability” in JamCOVID. Amber Group also said the lapse was a “completely isolated occurrence.”
A week went by and TechCrunch notified Amber Group of two more security lapses. Following the attention from the first report, a security researcher who saw the news of the first lapse found exposed private keys and passwords for JamCOVID’s servers and databases hidden on the site, and a third lapse that exposed quarantine orders for more than half a million travelers.
Amber Group and the government claimed to be facing “cyber attacks, hacking and malicious players.” In reality, the app was just not that secure.
The security lapses come at a politically inconvenient time for the Jamaican government, as it seeks to launch a national identification system, or NIDS, for the second time. NIDS will store biographical data about Jamaican citizens, including their biometrics, such as fingerprints.
The second attempt comes two years after the government’s first law was overturned by Jamaica’s High Court as unconstitutional.
Critics have cited the JamCOVID security lapses as a reason to drop the proposed national database. A coalition of privacy and rights groups cited the latest issues with JamCOVID as to why a national database is “potentially dangerous to Jamaicans’ privacy and security.” A spokesman for the Jamaican opposition party told local media that “initially there was not much confidence in NIDS.”
It has been more than a month since we published the first story, and there are many unanswered questions, including how Amber Group secured the contract to build and run JamCOVID, how the cloud server was exposed, and whether security testing was performed before launch.
TechCrunch emailed both the Jamaican Prime Minister’s Office and Matthew Samuda, a minister in Jamaica’s Department of Homeland Security, to ask how much, if anything, the government donated or paid to Amber Group to run JamCOVID and what security requirements, if any, were agreed upon for JamCOVID. We did not receive an answer.
Amber Group has also not said how much it has earned from its public contracts. Amber Group’s Savadia refused to disclose the value of the contracts to a local newspaper. Savadia did not respond to our emails with questions about the contracts.
After the second security lapse, Jamaica’s opposition party demanded that the prime minister release the contracts governing the agreement between the government and Amber Group. Prime Minister Andrew Holness told a news conference that the public “should know” about public contracts, but warned that “legal barriers” could prevent disclosure, such as for national security reasons, or when “sensitive trade and commercial information” could be disclosed.
It came days after the government denied a request by the local newspaper The Jamaica Gleaner for contracts revealing the salaries of government officials, citing a legal clause that prevents the disclosure of an individual’s private affairs. Critics argue that taxpayers have a right to know how much public servants are paid from public funds.
The Jamaican opposition party also asked what was being done to warn the victims.
Minister Samuda initially downplayed the security lapse, claiming that only 700 people were affected. We searched social media for evidence but found nothing. To date, we have found no evidence that the Jamaican government has ever informed travelers about the security incident – neither the hundreds of thousands of affected travelers whose information was disclosed, nor the 700 people the government claimed it notified but did not make public.
TechCrunch sent the minister an e-mail requesting a copy of the notice that the government allegedly sent to the victims, but we did not receive a response. We also asked the Amber Group and Jamaica’s Prime Minister’s Office for comment. We did not hear back.
Many of the victims of the security lapse are from the United States. Neither of the two Americans we spoke to in our first report was notified of the breach.
Spokesmen for the attorneys general in New York and Florida, whose citizens’ information was disclosed, told TechCrunch that they had not heard from either the Jamaican government or the contractor, despite state laws requiring data breaches to be revealed.
The opening of Jamaica’s borders came at a cost. The island saw over a hundred new cases of COVID-19 in the month that followed, and the majority came from the United States. From June to August, the number of new cases of coronavirus went from tens to dozens to hundreds every day.
To date, Jamaica has reported over 39,500 cases and 600 deaths caused by the pandemic.
Speaking in parliament last month to announce the country’s annual budget, Prime Minister Holness reflected on the decision to reopen borders. He said the country’s recent economic downturn was “driven by a massive 70% contraction in our tourism industry.” More than 525,000 travelers – both residents and tourists – have arrived in Jamaica since the borders opened, Holness said, a figure slightly higher than the number of travelers found on the exposed JamCOVID server in February.
Holness defended the reopening of the country’s borders.
“Had we not done this, the fall in tourist revenues would have been 100% instead of 75%, there would have been no improvement in employment, our balance of payments would have deteriorated, total public revenues would have been threatened, and there would have been no argument for spending more,” he said.
Both the Jamaican government and Amber Group benefited from opening the country’s borders. The government wanted to revive the declining economy, and Amber Group enriched its business with new public contracts. But neither paid enough attention to cybersecurity, and the victims of their negligence deserve to know why.