Prosecution threat for JAMCOVID breach

The Jamaican Government has hinted that it will punish anyone found guilty of breaching the JAMCOVID web portal with findings from an independent review expected to be turned over to the Holness administration today.

The warning comes after the recent exposure of personal data for tens of thousands of Jamaican and international travellers.

The application, which was developed by the Amber Group last summer, allows users to enter personal data, including medical records, before they are given approval to enter Jamaica. The application is also used to track the movement of those placed in quarantine.

An American online newspaper, TechCrunch, revealed on Wednesday that a cloud storage server with uploaded documents had been left unprotected, leaving thousands of files at risk on the Internet.

However, in a statement issued Thursday evening, the Ministry of National Security said the identified vulnerability has since been rectified.

“When a security vulnerability is identified in respect of a government system, the Government has a duty to investigate and rectify it.

“Under Jamaican law, we also have a duty to ensure that any unauthorised access to data is investigated and prosecuted,” the ministry said in the press statement.

The ministry said the matter has been referred to the Communication Forensics and Cybercrime Unit of the Jamaica Constabulary Force and the Major Organised Crime and Anti-Corruption Agency for further investigation.

The ministry had stated that the security vulnerability associated with the file storage service on the JAMCOVID-19 application was discovered on February 16. However, Zack Whittaker, the security editor at TechCrunch, said he had sent details of the exposed server to a Ministry of Health and Wellness official from February 14.

An official at the health ministry, who requested anonymity, denied having received any questions about the JAMCOVID breach.

“During this time, we continued to investigate the breach, and on Tuesday (Feb 16) spoke to two Americans whose data was exposed on the server,” Whittaker had said.

“They helped to narrow down the source of the breach and the owner of the server – a Jamaican government contractor, Amber Group.”

Whittaker said a short while after speaking to Amber Group Chief Executive Officer Dushyant Savadia, the exposed data were secured.

Efforts to contact Savadia over the last 48 hours have been unsuccessful, while a promised statement from the group’s chief commercial officer, Denise Williams, was not forthcoming up to press time.

Savadia, a humanitarian and entrepreneur, founded the Amber Group in 2015. The company is headquartered in Kingston, with operations in 23 countries, including India, the US, and Canada. It also has operations in Africa.