Indonesia is investigating a suspected security flaw in a COVID-19 test-and-trace app that left the personal information and health status of 1.3 million people exposed, a health ministry official said on Tuesday. Researchers from encryption provider vpnMentor said personal information in the Indonesia Health Alert Card (eHAC) app, which travelers are often required to use, was accessible “due to the lack of protocols put in place by the app’s developers.” Anas Ma’ruf, a health ministry official overseeing data, said the government was looking into the potential breach but that the potential flaw was in an earlier version of the app, which has not been used since July.
“The eHAC from the old version is different from the eHAC system that is a part of the new app,” he said. “Right now, we’re investigating this suspected breach.” The eHAC system is now part of the Peduli Lindungi (Care Protect) app, which the government has promoted for various tracing purposes, including entry at malls. Anas urged people to delete the old app and said the breach might have originated from a partner, without elaborating. He said the current eHAC system was now managed by the government and its safety was “guaranteed.” VpnMentor researchers said the flaw could expose people to phishing or hacking, as well as discourage people from using a COVID-19 tracing app. Experts say such data breaches point to Indonesia’s weak cyber security infrastructure. In May, authorities also launched an investigation into an alleged breach of social security data from the country’s state insurer.