Amber Group breaks silence on personal data exposure
The Amber Group has broken its silence on the exposure of the personal data of thousands of travellers on the government’s COVID-19 website (JAMCOVID), which it developed.
But the website developer is saying nothing about how such a lapse could have occurred and why allegedly months-old data were in storage and not destroyed, as promised by authorities.
“We are confident this was a completely isolated occurrence,” the group said in a statement to The Gleaner.
For days, this newspaper has been seeking responses from its leadership, and subsidiary, Amber Innovations, which created the $57 million application and website it handed over to the Office of the Prime Minister (OPM) for free.
Neither the government nor Amber has specifically said what exactly occurred in the case now the subject of a criminal investigation into what the Ministry of National Security has called an “alleged breach”.
That investigative angle has sent confusing signals, suggesting the government may be pursuing a bad actor, especially given that the US specialist online newspaper TechCrunch, which broke the story on February 17, said it found the cloud storage “unprotected and without password.”
Along with providing information on COVID-19, JAMCOVID allows users to enter personal data, including medical records, before they are given approval to enter Jamaica. The application is also used to track the movement of those placed in quarantine.
The US news report said more than 70,000 negative COVID-19 lab results, more than 425,000 immigration documents authorising travel to the island – including identity and passport information – and more than 250,000 quarantine orders dating back to June 2020 were at risk.
Amber has not said how many files were exposed, although Senator Matthew Samuda, minister without portfolio in the security ministry, said Friday in a Nationwide Radio interview that “just under 700” persons were impacted.
“Having gone through the initial vulnerability, he would have seen metadata. If he wants to classify that as personal data that’s up to him. If he went further than that, then, that would be a breach of the Cybercrimes Act,” Samuda said of TechCrunch writer Zack Whittaker, reiterating that impacted persons have been notified.
Amber said it “immediately and successfully” addressed the issue with JAMCOVID, which is on the government’s cloud server hosted on Amazon Web Services.
The company has also pointed to an assessment done by a “leading” international cybersecurity provider, which has reportedly told the government that “there are no further vulnerabilities” that could lead to a data breach or exposure.
Amber CEO defends company's integrity
Founder and chief executive officer of Amber Group, Dushyant Savadia has also launched a defence of his company’s integrity, asserting that it is adhering to global standards of data protection.
“Amber’s data protection and security systems remain our highest priority in ensuring our compliance with international best practices that govern information security management. We are working together with the Government of Jamaica and independent entities to investigate the cause of this occurrence,” the statement said.
Questions on its monitoring mechanism; provision of services to other government entities; data security system; costs; speed in building JAMCOVID; data storage policies; history in digital technology, among others, were not answered, as Amber said it could not provide responses in time for publication.
Saturday’s Amber statement came four days after the government said the issue was “discovered,” a timing that has been criticised by some.
“It is important for all entities that when there is a cybersecurity incident that must be disclosed, they remain transparent to maintain the trust and confidence of users,” said Gavin Dennis, a consultant and director of G5 Cyber Security Company.
He added: “Blunders and vulnerabilities are normal, but how we handle them when they happen is critical to moving forward.”
On reports that the critical aspects of the application took three days to develop, Dennis said: “This might not be enough time to do proper due diligence to ensure security and privacy is built into the system.”
Whether the requisite due diligence was also done by the government after receiving the application is also not clear and officials have declined to comment.
Savadia’s experience and training in cybersecurity and technology administration are also under scrutiny.
His profile on the online business and employment platform, LinkedIn, makes reference to a bachelor’s degree in business and commerce from the Stewart School Bhubaneswar in India.
He is described on the Amber Group’s website as an “internationally acclaimed global entrepreneur, eminent humanitarian, public speaker and a technology disruptor” who, in 2015, launched the group in Jamaica.
The India-born businessman moved here in 2012, after a dozen years in the United Kingdom where he taught yoga and meditation as part of the stress-management and happiness push of the Art of Living Foundation.
Savadia’s life swung from being an alcoholic teen to working as a waiter and ultimately a senior manager in training and development at a global business processing firm where he discovered the Art of Living and later joined full time in 2000, according to a recent Trailblazer interview he did with journalist Tamara McKayle.
The Amber Group has six subsidiaries, including the vehicle tracking service Amber Connect; Amber Innovations that provides analytic services; Amber Pay and Amber Aviation – all of which give the group considerable access to personal data.
Amber’s growing local profile has seen it winning contracts and partnerships with the government and private-sector entities, most recently seen in the January launch of a coding academy presided over by Prime Minister Andrew Holness.
“Aside from us looking like a joke, there are important questions. Something as basic as a password protection was not inputted? I don’t believe that could just happen,” said Dennis, an expert with over a decade’s experience in cybersecurity training.
“It is a real nightmare especially because of the timing as we are trying to get Jamaicans to trust us with NIDS,” he said, referring to the voluntary national identification system that the government is pursuing which has gotten push-back for being invasive.
Questions for government
Whether the government acted fast enough to address the exposure is also among the unanswered questions.
The national security ministry’s February 17 statement said the issue was “discovered” the previous day, but Whittaker, who wrote the TechCrunch story, said he contacted a health ministry official on February 13, and got an acknowledgement and request for more information the following day.
The Holness administration is also facing questions about whether any of the exposed personal data should have been destroyed, as required under the law.
Questioned on that issue Thursday, Health Minister Dr Christopher Tufton said it would be premature to comment given the ongoing criminal investigation.
“I will allow that investigation to determine a response in its entirety around what happened and the nature of the data, what type of data if necessary. I really can’t give any additional information around the data - when it was destroyed or what was destroyed,” he told a press conference.
Back in September 2020, the prime minister said the JAMCOVID app was “not designed” to store tracking information and “that was not the scope that was given to the developer.”
“We tried our best to ensure that the privacy and the rights of individuals are respected,” Holness told journalists, promising to “double-check” with the police and other authorities to ensure there was “no unnecessary retention of personal data and that we are compliant with our own laws regarding data protection.”
Under the law, most recently amended on February 1, data gathered for electronic monitoring “shall be deleted upon the expiration of the quarantine.”
That provision in the Disaster Risk Mitigation Act would have been in place from as early as June 15, 2020, well after the roll out of the application and the month Whittaker said exposed data stretched back to.
The Jamaican Parliament approved a data protection law in 2020 which, if in effect, would have required that personal data processed for a purpose not be kept longer than necessary.
Tech watchers are also closely monitoring whether the issue has exposed the Jamaican government to lawsuits or penalties based on data protection rules in the European Union, the United States or other jurisdictions.
“We very much hope that the government will address any weakness in the system appropriately and in a timely manner,” said Ambassador Marianne Van Steen, local head of the EU, whose General Data Protection Regulation (GDPR) includes fines of $3.6 billion (20 million euros) or four per cent of annual income for breaches affecting EU citizens.
The Jamaican taxpayers may escape any penalty, however.
“In relation to the GDPR legislation - applicable in and enforceable by European Union Member States, this does not apply to the systems put in place by the government of Jamaica,” the diplomat said.
The US Embassy in Kingston was brief in its response provided by Bobby Adelson Jr, public affairs officer.
“Yes, we are aware of the reports and have been engaging with the Government of Jamaica. Protection of US citizens abroad, including data protection and privacy, is our top priority.”