(CMR) Jamaica's immigration website exposed hundreds of thousands of travelers' data in a security lapse which the government said has since been fixed.
The security lapse by government contractor Amber Group exposed immigration records and COVID-19 results for hundreds of thousands who visited the island, TechCrunch reported.
A cloud storage server storing documents uploaded from the JamCOVID19 website, which preapproves travel applications for persons traveling to the island from countries such as the US, was left unprotected and files were publicly available on the web without the need for passwords, the report said.
Over 425,000 travel authorization documents which included names, passport numbers, and date of birth, were exposed. Also, more than 70,000 negative COVID-19 lab results and over 250,000 quarantine orders were exposed. However, TechCrunch could not say for how long the data was exposed.
The server also exposed more than 1.1 million daily updating check-in videos from persons required to check-in with the Health Ministry under COVID-19 security protocols.
TechCrunch said it discovered the security breach as part of a separate investigation into COVID-19 apps and that many of the victims exposed were Americans.
The server also had information from the country's Passport, Immigration, and Citizenship Agency (PICA), but those were restricted.
TechCrunch said the issue was fixed as soon as it informed the contractor Amber Group of the security lapse.
The Jamaican government issued a statement following notice of the breach.
“A security vulnerability associated with the file storage service on the JAMCOVID-19 application was discovered on February 16, 2021. The vulnerability was immediately rectified upon discovery,” the Government said in a statement published on the Jamaica Information Service website.
According to the statement, a thorough investigation was immediately initiated to determine if there were any breaches in travelers’ data security, if the vulnerability had been exploited and if there was a breach of any laws.
There was reportedly no evidence to suggest that the security vulnerability had been exploited for malicious data extraction before it was rectified.
“Nevertheless, out of an abundance of caution, we have contacted travelers whose data may have been subject to the vulnerability and have assured them that steps have been taken to ensure the integrity and the confidentiality of the data,” the statement continued.
“The Government of Jamaica wishes to assure all travelers that we take data privacy and security extremely seriously and remain committed to stringent security protocols in keeping with local and international standards. We will continue to carry out robust security testing and update our security protocols as necessary to mitigate against the risk of unauthorized access to data.”