Researchers found an exposed instance containing the data of the Indonesian COVID-19 tracing app.
The number of exposed individuals reached 1.3 million, but access by hackers hasn’t been confirmed.
The data set included very sensitive details on users, staff, and even hospitals and clinics in the country.
The state of Indonesia has launched an urgent investigation to figure out whether or not the database of the official COVID-19 tracing app has been compromised by malicious actors. The app is called ‘Indonesia Health Alert Card’ (eHAC), and it is mandatory for travelers in the country, so a data breach would potentially affect a large number of people who were basically obliged by the country’s Ministry of Health to use it.
This action comes after researchers N. Rotem and R. Locar of the vpnMentor team discovered the exposed database and reported the issue to Indonesia’s authorities. The discovery took place on July 15, 2021, but despite multiple contact attempts, the researchers were unable to get a reassuring response from anyone responsible. Eventually, after the researchers reached out to various governmental agencies hoping someone would respond, the database was taken down on August 24, 2021.
This left plenty of time for actors to discover the exposed and unprotected Elasticsearch instance and exfiltrate the data, but whether or not someone has actually done that remains to be seen. The types of data included in the 2GB set are the following:
Passenger ID and type (including domestic and international travelers)
Hospital ID
Queue number while taking the test
Reference number
Address and time for a home visit
Test type (PCR, rapid antigen, etc.), date, and place
Test result and date issued
eHAC document ID
Passenger name and URN ID number
URN hospital ID number
Passenger details (ID number, full name, mobile phone number, DOB, citizenship, job, gender, etc.)
Passenger’s national Indonesian ID number (where applicable)
Passport and profile photo attached to eHAC account
PII data for passenger’s parent(s) or next of kin
Passenger’s hotel details (name, address, phone number)
Additional passenger photo ID (possibly a placeholder for future use)
Details about a person’s eHAC account and when it was created
There were approximately 1.3 million eHAC user records in the database, so the number of people who are now running the risk of getting scammed, phished, or social engineered is pretty significant. Additionally, the database stored the following details about 226 hospitals and clinics in the country:
Hospital details (ID, name, country, license number, address and exact location (with coordinates), phone and WhatsApp number, opening hours)
Name of the responsible person for the passenger
Name of the passenger’s doctor
Hospital capacity
Allowed test types in the hospital
Information about how many tests were done each day
Which type of passengers are allowed in this hospital
The health ministry representative who announced the investigation, Anas Ma’ruf, told users to delete the old app and install the new version, which is supposed to be more secure. The spokesperson further speculated that the data leak may have come from a partner, but provided no further details about that.