The highly sensitive government database was taken offline a full month after the breach was disclosed, damaging users' trust in the system.

Recently, the research team at vpnMentor discovered a data breach in the Indonesia Health Alert Card (eHac) application, a 'test and trace' app used in Indonesia to combat the spread of COVID-19.

The compromised data includes users' health status, contact details, personally identifiable information, COVID-19 test results and other details.

According to an official at the Indonesian health ministry, the suspected leak stemmed from an earlier version of the app, which may have originated from a partner rather than the ministry itself.

Indonesian authorities are still investigating the suspected security flaw.

Hasty deployment, loss of trust

The pandemic has pushed governments across the world to rush out apps for track-and-trace, vaccine passports, quarantine monitoring and other functions.

However, rushed development risks relegating security to a secondary concern instead of keeping it at the forefront of developers' minds.

According to Ian Hall, Head of Client Services (APAC) at the Synopsys Software Integrity Group, security should be foremost in mind from the design phase through to post-go-live monitoring.

“In this case, it appears that a database with an array of data including personally identifiable information was left exposed. The good news is that it was identified by an ethical hacker and reported to the developer. At this time, we don’t know if any malicious attacker had identified the database as well and accessed the data,” said Hall.

Touching on the DevSecOps movement, Hall said that being able to develop and deploy quickly is one of its key goals. “However, it is important to also have the necessary monitoring in place to detect security issues and then triage, fix, test and re-deploy. From the description that vpnmentor provided, it appears that this area could have been improved. Further improvements could also have been made in the turnaround time for taking the database offline since the initial disclosure was also made to the developer about a month ago.”

With this incident presumably lowering Indonesians' confidence in such sensitive monitoring software, Hall hoped the authorities would perform a complete review of the incident and offer full disclosure to the public about the lapses.