Left in the dark
• JPS admits to 2020 data breach
• Says there was ‘very limited’ access to customer data
• Whistleblower charges there was larger exposure of confidential information
The public was kept in the dark about a 2020 data breach of a Jamaica Public Service Company (JPS) billing platform that left confidential customer information wide open on the Internet, a whistleblower has revealed.
The platform was developed by the Amber Group.
The JPS data breach occurred almost four months before a similar lapse in the Government’s pandemic management website JAMCOVID – also developed by Amber – which left hundreds of thousands of sensitive personal records exposed on the Internet.
It is unclear how long the JPS data had been exposed and how many customers were impacted, as details about the extent of the October 2020 cybersecurity breach were never made public, according to the whistleblower.
Responding to questions submitted by The Sunday Gleaner about the incident, JPS, the country’s largest electricity distributor, confirmed that more than two years ago, there was a “minor breach on a test platform that had a small data set”.
JPS Media and Public Relations Manager Audrey Williams said this resulted in “very limited access to some customer data”.
“At no time has customers’ email information or credit card information ever been exposed. In fact, JPS does not even have the credit card information of customers, and therefore cannot access same,” Williams said in an email response on Friday.
She also released excerpts from a statement JPS issued to “a member of the media” on February 24 last year in which the utility company acknowledged receiving a report of “a potential data leakage on our mobile platform”.
When the “minor breach” was confirmed, JPS did not notify customers.
“We would not have deemed it necessary to send out a notification to the entire customer base for such a small data set, which in no way compromised sensitive information,” Williams explained.
‘ACCIDENTALLY STUMBLED UPON’
The whistleblower, however, who is an IT practitioner, rubbished the assertion by JPS of “a minor breach on a test platform” and painted a different picture of the type of information that was left in the open.
The whistleblower provided The Sunday Gleaner with screenshots of the MyJPS online platform at the time of the breach, which showed personal data such as names, email addresses and ‘hash’ passwords for JPS customers.
“This means that they are visible, but they are not in clear text,” said the whistleblower, referring to the exposed ‘hash’ passwords.
Other confidential customer data that were left unprotected included addresses, credit card information, account numbers and taxpayer registration numbers, the whistleblower charged.
“This is something that was accidentally stumbled upon. The first person who uncovered it was actually paying an electricity bill for their grandmother and typed in MyJPS.MyJPS.net instead of MyJPSonline.com and ended up there,” said the whistleblower, explaining how the lapse was first discovered.
“You can’t pay a bill on a test platform.”
Michael McNaughton, managing director of the Amber Group, confirmed that the JPS platform was developed by his company, but sidestepped questions about the breach.
“Anything associated with the app you have to talk to the JPS,” McNaughton told The Sunday Gleaner.
United States-based online newspaper TechCrunch first reported the security flaw on the JAMCOVID website and application in February last year.
It exposed more than 70,000 negative COVID-19 lab results, over 425,000 immigration documents authorising travel to the island – including identity and passport information – and some 250,000 quarantine orders dating back to June 2020, according to the report by TechCrunch.
The publication said it found cloud storage with data that was “unprotected and without password”.
The Amber Group said in a statement to this newspaper at the time that “we are confident this was a completely isolated occurrence”.
RED FLAGS
Pointing to the similarities in the data breach of the JPS and JAMCOVID applications, last week the whistleblower raised a number of red flags about the platform that was developed for the utility company.
As an example, the IT practitioner said a fundamental guiding principle in the construction of a new web application is to ensure that the new uniform resource locators (URLs) are password-protected.
But this was not the case with the JPS applications, the whistleblower charged.
“The URL path to these files and folders was not secured properly on the server so anyone who clicked could browse the file structure of the web application and then from there they could access data that should not be accessed,” the whistleblower explained.
“So, this was not something that was maliciously exploited. This was just an unsecured app. A child could have done this.”
Further, the whistleblower said this vulnerability should have been caught during the quality assurance phase of the software development.
“It’s like you build a house, you paint it and then during a walk-through you are like ‘where are the doors? We forgot to put on the doors’,” the whistleblower explained.
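The failure mode the whistleblower describes (URL paths that any anonymous visitor can browse, and a QA walk-through that should have caught it) can be turned into a pre-release check. The following is an added example written for this article, not code from JPS, the Amber Group or the original report; the paths and HTTP responses are constructed, and the fetch function is injected so the check runs offline:

```python
import re
from dataclasses import dataclass, field

# Markers that server-generated directory index pages leave in HTML (Apache/nginx autoindex, IIS).
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s+/", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
)

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def looks_like_listing(body):
    """True when the body looks like a server-generated directory listing."""
    return any(p.search(body) for p in LISTING_MARKERS)

def check_path(path, resp):
    """Findings for one sensitive path fetched WITHOUT credentials; an empty list means OK."""
    findings = []
    if looks_like_listing(resp.body):
        findings.append(f"{path}: directory listing exposed")
    if resp.status == 200:
        findings.append(f"{path}: served to an anonymous client (expected 401/403 or login redirect)")
    elif resp.status in (301, 302, 303, 307, 308):
        if "login" not in resp.headers.get("Location", "").lower():
            findings.append(f"{path}: redirects somewhere other than a login page")
    return findings

def run_checks(paths, fetch):
    """fetch(path) -> Response is injected, so this runs against a staging host or offline."""
    return {p: check_path(p, fetch(p)) for p in paths}

# Constructed responses standing in for a misconfigured test deployment (no real customer data).
CONSTRUCTED = {
    "/api/customers/": Response(200, {"Content-Type": "text/html"},
        "<html><head><title>Index of /api/customers/</title></head>"
        '<body><a href="../">../</a> <a href="export.csv">export.csv</a></body></html>'),
    "/api/customers/export.csv": Response(200, {"Content-Type": "text/csv"},
        "name,email,password_hash\nJane Doe,jane@example.com,$2b$12$constructed"),
    "/account/": Response(302, {"Location": "/login?next=/account/"}),
    "/admin/": Response(401, {"WWW-Authenticate": 'Basic realm="admin"'}),
}

def demo():
    """Run the check over the constructed deployment and return findings per path."""
    return run_checks(CONSTRUCTED, lambda p: CONSTRUCTED.get(p, Response(404)))
```

Only the two `/api/customers/` paths are flagged: the listing is visible and the export is served without any login, while the redirect-to-login and 401 paths pass.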
The JPS spokeswoman said “the moment” the company became aware of the breach, immediate action was taken to mitigate the risk.
Further, she said JPS does intrusion testing, audits and updates of its protection capabilities on a regular basis.
“There is no company in the world that is completely immune to cyberattacks, but JPS has put in the necessary protection to mitigate these risks. JPS takes protection of its customer data very seriously,” Williams said.