After reports of COVID-19 patients’ data being sold, now allegedly there are data leaks of the data from eHAC and even the President’s own vaccine certificate. To be frank, how far our data security goes?
(Translation for points inside the graph)
This is not the first the government has failed to protect their own citizens personal data. In May 2020, the government was distraught with the cases of leakage of Covid-19 patients’ data that were being sold on the internet. This time data from the eHAC, an application specialized for testing and tracing for Covid-19 is reportedly to be leaked. Repeated data leaks have signaled that the government is yet to ensure security of each citizen’s identity and their own digitalized personal data seriously. Although the digitalization process has been done and dusted, there are still incidents that have showed the digital infrastructures are not fully prepared yet.
About 230.000 database of Covid-19 patients in Indonesian are reportedly known to be traded on internet forums such as Raid Forum in May 2020. A portion of those data are personal data and data referred to the patients’ condition.
Instead of providing transparency in social aid management, several local governments provided open access for personal private information of its citizen who received social aid for those who were affected by Covid-19 instead. Such data are varied from full name, citizenship registry number (NIK), address, phone number and so on; these data were supposed to be protected and secured. The accessibility of these personal information is surely susceptible to ill-intents and abuse.
This is not the first flaw in the government’s electronic system. Ministry of Home Affairs (KEMENDAGRI) acknowledged that four serves belonged to the Office of Population and Registry in Megelang District, Subang District, Kota Bogor, and Bekasi District were hacked. In the aftermath, data belonged to the citizens who live in those areas to be leaked. This gives a sign that the government’s infrastructure for digital security is feeble and prone to hackers.
A year after Covid-19 patients’ data were leaked, we were shocked by the alleged data leak of 279 million Indonesian citizens. In which the data that were leaked included full name, identity card (KTP), phone numbers, emails, identity registration number (NID), home address from Social Health Insurance Administration Body (BPJS). Our data were sold in the same forum for worth up to hundreds of millions of rupiah.
Security Research Team from vpnMentor exposed the fragility the data of those who use the eHAC application. This data leak did not only affect its users, but it also exposed the whole infrastructures surrounding the eHAC application itself. In which, it included private notes from hospitals and Indonesian government officials who also used that application. Before this the citizens were highly encouraged to use the government-owned application although there’s barely any explanations or guarantee for its security at all.
Unfortunately, these data leakages may keep on reoccurring as long as the data management are not carefully managed, and data security aspect is overlooked. The government can not be absent when it comes to the security of their citizens’ personal data. Leaking personal data to the public comes with the consequences of triggering criminal activities that may become threats towards people’s safety and security. This also includes discriminations towards people with diseases that are considered taboo by the masses.
Therefore, LaporCovid-19 urges the government to: