As governments scrambled to lock down their populations after the COVID-19 pandemic was declared last March, some countries had plans underway to reopen. By June, Jamaica became one of the first countries to open its borders.
Tourism represents about one-fifth of Jamaica’s economy. In 2019 alone, 4 million travelers visited Jamaica, bringing hundreds of jobs to its three million residents. But as COVID-19 stretched into the summer, Jamaica’s economy was in free fall, and tourism was its only way back — even if that meant at the expense of public health.
The Jamaican government contracted with Amber Group, a technology company headquartered in Kingston, to build a border entry system allowing residents and travelers back onto the island. The system was named JamCOVID and was rolled out as an app and a website to allow visitors to get screened before they arrive. To cross the border, travelers had to upload a negative COVID-19 test result to JamCOVID before boarding their flight from high-risk countries, including the United States.
Amber Group’s CEO Dushyant Savadia boasted that his company developed JamCOVID in “three days” and that it successfully donated the system to the Jamaican government, which in turn pays Amber Group for additional features and customizations. The rollout appeared to be a success, and Amber Group later secured contracts to roll out its border entry system to at least four other Caribbean islands.
But last month TechCrunch revealed that JamCOVID exposed immigration documents, passport numbers, and COVID-19 lab test results on close to half a million travelers — including many Americans — who visited the island over the past year. Amber Group had set the access to the JamCOVID cloud server to public, allowing anyone to access its data from their web browser.
Whether the data exposure was caused by human error or negligence, it was an embarrassing mistake for a technology company — and, by extension, the Jamaican government — to make.
And that might have been the end of it. Instead, the government’s response became the story.
A trio of security lapses
By the end of the first wave of coronavirus, contact tracing apps were still in their infancy and few governments had plans in place to screen travelers as they arrived at their borders. It was a scramble for governments to build or acquire technology to understand the spread of the virus.
As part of an investigation into a broad range of these COVID-19 apps and services, TechCrunch found that JamCOVID was storing data on an exposed, passwordless server.
This wasn’t the first time TechCrunch found security flaws or exposed data through our reporting. It also was not the first pandemic-related security scare. Israeli spyware maker NSO Group left real location data on an unprotected server that it used for demonstrating its new contact tracing system. Norway was one of the first countries with a contact tracing app, but pulled it after the country’s privacy authority found the continuous tracking of citizens’ location was a privacy risk.
Just as we have with any other story, we contacted who we thought was the server’s owner. We alerted Jamaica’s Ministry of Health to the data exposure on the weekend of February 13. But after we provided specific details of the exposure to ministry spokesperson Stephen Davidson, we didn’t hear back. Two days later, the data was still exposed.
After we spoke to two American travelers whose data was spilling from the server, we narrowed down the owner of the server to Amber Group. We contacted its chief executive Savadia on February 16, who acknowledged the email but didn’t comment, and the server was secured about an hour later.
We ran our story that afternoon. After we published, the Jamaican government issued a statement claiming the lapse was “discovered on February 16” and was “immediately rectified,” neither of which were true.
Instead, the government responded by launching a criminal investigation into whether there was any “unauthorized” access to the unprotected data that led to our first story, which we perceived to be a thinly veiled threat directed at this publication. The government said it had contacted its overseas law enforcement partners.
When reached, a spokesperson for the FBI declined to say whether the Jamaican government had contacted the agency.
Things didn’t get much better for JamCOVID. In the days that followed the first story, the government engaged a cloud consultant, Escala 24×7, to assess JamCOVID’s security. The results were not disclosed, but the company said it was confident there was “no current vulnerability” in JamCOVID. Amber Group also said that the lapse was a “completely isolated occurrence.”
A week went by and TechCrunch alerted Amber Group to two more security lapses. After the attention from the first report, a security researcher who saw the news of the first lapse found exposed private keys and passwords for JamCOVID’s servers and databases hidden on its website, and a third lapse that spilled quarantine orders for more than half a million travelers.
Amber Group and the government claimed it faced “cyberattacks, hacking and mischievous players.” In reality, the app was just not that secure.
The security lapses come at a politically inconvenient time for the Jamaican government, as it attempts to launch a national identification system, or NIDS, for the second time. NIDS will store biographic data on Jamaican nationals, including their biometrics, such as their fingerprints.
The repeat effort comes two years after the government’s first law was struck down by Jamaica’s High Court as unconstitutional.
Critics have cited the JamCOVID security lapses as a reason to drop the proposed national database. A coalition of privacy and rights groups cited the recent issues with JamCOVID for why a national database is “potentially dangerous for Jamaicans’ privacy and security.” A spokesperson for Jamaica’s opposition party told local media that there “wasn’t much confidence in NIDS in the first place.”
It’s been more than a month since we published the first story and there are many unanswered questions, including how Amber Group secured the contract to build and run JamCOVID, how the cloud server became exposed, and if security testing was conducted before its launch.
TechCrunch emailed both the Jamaican prime minister’s office and Matthew Samuda, a minister in Jamaica’s Ministry of National Security, to ask how much, if anything, the government donated or paid to Amber Group to run JamCOVID and what security requirements, if any, were agreed upon for JamCOVID. We didn’t get a response.
Amber Group also has not said how much it has earned from its government contracts. Amber Group’s Savadia declined to disclose the value of the contracts to one local newspaper. Savadia didn’t respond to our emails with questions about its contracts.
Following the second security lapse, Jamaica’s opposition party demanded that the prime minister release the contracts that govern the agreement between the government and Amber Group. Prime Minister Andrew Holness said at a press conference that the public “should know” about government contracts but warned “legal hurdles” may prevent disclosure, such as for national security reasons or when “sensitive trade and commercial information” might be disclosed.
That came days after local newspaper The Jamaica Gleaner had a request to obtain contracts revealing the salaries of state officials denied by the government under a legal clause that prevents the disclosure of an individual’s private affairs. Critics argue that taxpayers have a right to know how much government officials are paid from public funds.
Jamaica’s opposition party also asked what was done to notify victims.
Government minister Samuda initially downplayed the security lapse, claiming just 700 people were affected. We scoured social media for proof but found nothing. To date, we’ve found no evidence that the Jamaican government ever informed travelers of the security incident — either the hundreds of thousands of affected travelers whose data was exposed, or the 700 people that the government claimed it notified but has not publicly released.
TechCrunch emailed the minister to request a copy of the notice that the government allegedly sent to victims, but we didn’t receive a response. We also asked Amber Group and Jamaica’s prime minister’s office for comment. We didn’t hear back.
Many of the victims of the security lapse are from the United States. Neither of the two Americans we spoke to in our first report were notified of the breach.
Spokespeople for the attorneys general of New York and Florida, whose residents’ data was exposed, told TechCrunch that they had not heard from either the Jamaican government or the contractor, despite state laws requiring data breaches to be disclosed.
The reopening of Jamaica’s borders came at a cost. The island saw over a hundred new cases of COVID-19 in the month that followed, the majority arriving from the United States. From June to August, the number of new coronavirus cases went from tens to dozens to hundreds each day.
To date, Jamaica has reported over 39,500 cases and 600 deaths caused by the pandemic.
Prime Minister Holness reflected on the decision to reopen its borders last month in parliament to announce the country’s annual budget. He said the country’s economic decline last year was “driven by a massive 70% contraction in our tourist industry.” More than 525,000 travelers — both residents and tourists — have arrived in Jamaica since the borders opened, Holness said, a figure slightly more than the number of travelers’ records found on the exposed JamCOVID server in February.
Holness defended reopening the country’s borders.
“Had we not done this the fall out in tourism revenues would have been 100% instead of 75%, there would be no recovery in employment, our balance of payment deficit would have worsened, overall government revenues would have been threatened, and there would be no argument to be made about spending more,” he said.
Both the Jamaican government and Amber Group benefited from opening the country’s borders. The government wanted to revive its falling economy, and Amber Group enriched its business with fresh government contracts. But neither paid enough attention to cybersecurity, and victims of their negligence deserve to know why.
Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop.