AMBER ALERT - JAMCOVID under more scrutiny as second data breach flagged

There is more scrutiny on the Office of the Prime Minister (OPM) over whether officials there had flagged problems with the JAMCOVID application months ago and well before last week’s shocking discovery that thousands of travellers’ person data was left exposed online.

Executives of Amber were huddled in talks late Monday night as the data breach crisis widened.

On whether its assistance was sought to address any concerns about the application, eGov, the government company responsible for ICT across the public sector, has directed questions to Andrew Holness’ office.

“You could, perhaps, speak with the Office of the Prime Minister to get a specific response,” Anika Shuttleworth, the entity’s acting chief executive officer, told The Gleaner on Monday.

The OPM had no response up to press time.

The focus on the OPM comes as another report emerges of a second security failure for the $57-million application whose core parts were built in three days and given to the Government for free last April.

Amber Group, the embattled developer, had told The Gleaner that it was “confident” that the first issue in which 425,000 immigration records for locals and foreigners such as passport numbers and electronic signatures were reportedly left without password protection on a government server hosted on Amazon Web Services was an “isolated occurrence”.

However, Matthew Samuda, minister without portfolio in the Ministry of National Security, said “just under 700” people were affected.

But in further troubling details on Monday, TechCrunch, the online US newspaper that broke the story, reported that Amber fixed a “security lapse” that exposed private keys and passwords for JAMCOVID, which the Government uses to process travellers to the island since the pandemic.

Preliminary investigation

That development calls into question the preliminary investigation which Amber claimed it did and which it said matched the findings of a “leading” international cybersecurity provider that “there are no vulnerabilities that could lead to any exposure or breach”.

That provider, Amber said, was used by the Holness administration, which has not commented publicly on this aspect of the criminal investigation under way.

Additional questions to the Amber Group and its founder and chief executive officer, Dushyant Savadia, were not answered up to press time Monday evening.

Multiple sources have told The Gleaner that concerns were raised about the application and eGov was asked.

“I’m not able to respond to that specific comment at the moment. Typically, communications would have to be had with our parent ministry or, in this case, the Office of the Prime Minister,” the CEO of eGov said.

The parent ministry of eGov is the Ministry of Science, Energy and Technology (MSET), whose Permanent Secretary Carol Palmer directed queries back to the company.

“There was no request to eGov through MSET. So you will need to speak with eGov directly … . They do not need the permission of MSET to assist so they can speak for themselves,” Palmer told The Gleaner.

Opposition Leader Mark Golding declared on Monday that the credibility of the JAMCOVID portal was “now totally shot”, arguing that Jamaica demanded accountability.

Meanwhile, pulling the JAMCOVID website in light of the problems could be catastrophic for Jamaica’s travel management flow, argued Professor Sean Thorpe, head of the School of Computing and Information Technology at the University of Technology, Jamaica.

“It would affect business and interrupt transit to and fro out of the airport. What really needs to come front and centre is a declaration from the Amber Group as to the state of play at this time,” he said.

The Major Organised Crime and Anti-Corruption Agency, the Cyber Incident Response Team of eGov, and the police cybercrimes unit are pursuing a probe of what the Government calls an “alleged breach”.

jovan.johnson@gleanerjm.com