As governments moved to lock down their populations after the COVID-19 pandemic was declared last March, some countries had plans to reopen. By June, Jamaica became one of the first countries to open its borders.
Tourism represents about one-fifth of Jamaica’s economy. In 2019 alone, four million travelers visited Jamaica, providing thousands of jobs to its three million residents. But as COVID-19 spread over the summer, Jamaica’s economy was in free fall, and tourism was the only way back, even if it came at the cost of public health.
The Jamaican government contracted with Amber Group, a technology company headquartered in Kingston, to build a border entry system to allow residents and travelers back onto the island. The system was named JamCOVID and was designed as an app and a website to allow visitors to be screened before they arrived. To cross the border, passengers had to upload a negative COVID-19 test result to JamCOVID before boarding their flight from high-risk countries, including the United States.
Amber Group CEO Dushyant Savadia claimed that his company developed JamCOVID in “three days” and effectively donated the system to the Jamaican government, which pays Amber Group for additional features and customization. The rollout appeared to be a success, and Amber Group subsequently secured a contract to roll out its border entry system to at least four other Caribbean islands.
But last month ClearTips revealed that JamCOVID had exposed the immigration documents, passport numbers and COVID-19 lab test results of nearly half a million passengers, including many Americans, who visited the island in the past year. Amber Group had made access to the JamCOVID cloud server public, allowing anyone to access its data from a web browser.
Whether the data exposure was caused by human error or negligence, it was a shameful mistake for a technology company – and, by extension, the Jamaican government – to make.
And that could have been the end of it. Instead, the government’s reaction became the story.
By the end of the first wave of the coronavirus, contact tracing applications were still in their infancy and some governments had plans to screen passengers as they arrived at their borders. It was a scramble for governments to create or acquire technology to understand the spread of the virus.
Jamaica was one of the few countries to use location data to monitor travelers, prompting rights groups to raise concerns about privacy and data security.
As part of an investigation into a wide range of these COVID-19 apps and services, ClearTips discovered that JamCOVID was storing data on an exposed, passwordless server.
This was not the first time ClearTips found security flaws or exposed data through our reporting. It was also not the first pandemic-related security scare. Israeli spyware maker NSO Group left real location data on an insecure server it had used to demonstrate its new contact tracing system. Norway was one of the first countries to have a contact tracing app, but pulled it after the country’s privacy authority found that constantly tracking citizens’ location was a privacy risk.
As we would with any other story, we contacted who we thought was the owner of the server. We alerted the Jamaican Ministry of Health to the data exposure over the weekend of February 13. But after we provided specific details of the exposure to Ministry spokesman Stephen Davidson, we did not hear back. Two days later, the data was still exposed.
After we talked to two American travelers whose data was spilling from the server, we narrowed down the server’s owner to Amber Group. We contacted its chief executive, Savadia, on 16 February; he acknowledged the email but made no comment, and the server was secured about an hour later.
We ran our story that afternoon. After we published, the Jamaican government issued a statement claiming that the lapse was “discovered on 16 February” and “immediately rectified”, neither of which was true.
Instead, the government responded by launching a criminal investigation into whether there was any “unauthorized” access to the unsecured data that led to our first story, which we took as a thinly veiled threat directed at this publication. The government said it had contacted its foreign law enforcement partners.
When reached, an FBI spokesman declined to say whether the Jamaican government had contacted the agency.
Things were not much better for JamCOVID. In the days following the first story, the government engaged Escala 24×7, a cloud consultant, to assess the security of JamCOVID. The results were not disclosed, but the company said it believed JamCOVID had “no current vulnerability”. Amber Group also said that the lapse was a “completely different incident.”
A week later, ClearTips alerted Amber Group to two more security lapses. After the first report, a security researcher who saw the news of the first lapse found private keys and passwords for JamCOVID’s servers and databases hidden on its website, and a third lapse that left quarantine orders for more than half a million passengers exposed.
Amber Group and the government claimed that they faced “cyberattacks, hacking and mischievous players”. In fact, the app was just not that secure.
The security lapse comes at a politically inconvenient time for the Jamaican government, as it attempts to launch the National Identity System or NIDS for a second time. NIDS will store biographical data on the citizens of Jamaica, including their biometrics, such as their fingerprints.
The government’s repeat effort comes two years after the Jamaican High Court struck down the government’s first law as unconstitutional.
Critics have cited the JamCOVID security lapses as one reason to drop the proposed national database. A coalition of privacy and rights groups cited recent issues with JamCOVID as a reason why a national database is “potentially dangerous to the privacy and security of Jamaica.” A spokesman for the Jamaican opposition party told local media that “there was not much confidence in the NIDS in the first place.”
It has been more than a month since the first story was published and there are many unanswered questions, including how Amber Group secured the contract to build and run JamCOVID, how the cloud server became exposed, and whether security testing was done before its launch.
ClearTips emailed both Jamaica’s Prime Minister’s Office and Matthew Samuda, a minister in Jamaica’s Ministry of National Security, to ask how much the government donated or paid to run JamCOVID, and what security requirements, if any, were agreed for JamCOVID. We did not get any response.
Amber Group has also not said how much it has earned from its government contracts. Savadia declined to disclose the value of the contract to a local newspaper. Savadia did not respond to our emailed questions about the contracts.
Following the second security lapse, the Jamaican opposition party demanded that the Prime Minister release the contracts governing the agreement between the government and Amber Group. Prime Minister Andrew Holness said at a press conference that the public should be “aware of government contracts”, but warned that “legal hurdles” could prevent disclosure, such as national security reasons or the disclosure of “sensitive trade and commercial information.”
The local newspaper, The Jamaica Gleaner, had a request to obtain contracts disclosing the salaries of officials denied by the government under a legal clause that forbids the disclosure of a person’s personal affairs. Critics argue that taxpayers have the right to know how much government officials are paid out of public money.
The Jamaican opposition party also asked what was done to inform the victims.
Government minister Samuda initially downplayed the security lapses, claiming that only 700 people were affected. We searched social media for evidence but found nothing. To date, we have found no evidence that the Jamaican government ever informed passengers about the security incident: neither the hundreds of thousands of affected passengers whose information was exposed, nor the 700 people the government claimed it had notified, in a notice it has not released publicly.
ClearTips emailed the minister requesting a copy of the notice that the government had allegedly sent to the victims, but we received no response. We also asked the Amber Group and Jamaica’s Prime Minister’s Office for comment. We did not hear back.
Many of the victims of the security lapses are from the United States. Neither of the two Americans we spoke to for our first report had been notified of the breach.
Spokespeople for the attorneys general of New York and Florida, whose residents’ information was exposed, told ClearTips that they had not heard from the Jamaican government or the contractor, despite state laws requiring data breaches to be disclosed.
The reopening of Jamaica’s borders came at a cost. The island saw more than a hundred new cases of COVID-19 in the month that followed, the majority from the United States. From June to August, the number of new coronavirus cases increased from tens to dozens every day.
To date, Jamaica has had more than 39,500 cases and 600 deaths from the pandemic.
Prime Minister Holness reflected on the decision to reopen the country’s borders when he appeared in Parliament last month to announce the country’s annual budget. He said that the country’s economic decline last year was “driven by a massive 70% contraction in our tourism industry.” Holness said that the number of travelers, both residents and tourists, who have arrived in Jamaica is slightly more than the number of passenger records found on the JamCOVID server exposed in February.
Holness defended the reopening of the country’s borders.
“If we hadn’t done that, tourism revenue would have fallen by 100% instead of 75%, there would have been no improvement in employment, our balance of payments deficit would have deteriorated, overall government revenue would have been in jeopardy, and there would be more spending.” There should be no argument about.
Both the Jamaican government and the Amber Group benefited from opening the country’s borders. The government wanted to revive its declining economy, and the Amber Group enriched its business with new government contracts. But neither paid enough attention to cyber security, and victims of their negligence know why.