US journalist who broke story on exposed personal data hits back at government

The US journalist who broke the story about the exposed personal data of travellers to Jamaica, provided via the JAMCOVID website and application, is hitting back at the Government of Jamaica, suggesting that it has been targeting him in its investigations of the breach. 

In a Twitter thread in response to a news story published online by The Gleaner today, Zack Whittaker of TechCrunch maintained that the data was left unprotected on an exposed cloud server. He also released a screenshot showing that the cloud server was accessible to the public.

The US news report had said more than 70,000 negative COVID-19 lab results, more than 425,000 immigration documents authorising travel to the island – including identity and passport information – and more than 250,000 quarantine orders, dating back to June 2020, were at risk. 

Amber has not said how many files were exposed, although Senator Matthew Samuda, minister without portfolio in the security ministry, said Friday in a Nationwide Radio interview that “just under 700” persons were impacted.  

Whittaker is also insisting that the government is lying about when it became aware of the breach. The government said it became aware of the situation on February 16, but Whittaker insists that it was days earlier.

He also called the response by the Amber Group, which broke it's silence on the matter to The Gleaner on the weekend, lacking. 

"Amber Group still hasn't named the 'independent entities' it claims to be working with. As such, we (nor can anyone else) can't confirm if this is accurate or truthful. Amber still won't say how this data exposure happened, and hasn't answered any of @jovanthony's questions," he said referring to The Gleaner report by Senior Staff Reporter, Jovan Johnson today (READ: Amber Group breaks silence on personal data exposure)

"The Jamaican government has also launched a criminal investigation into the incident. Instead of restoring trust and being transparent, the inquiry now appears to be on me, the journalist who reported the security lapse to the Jamaican authorities in the first place," he said. 

He called comments made by Samuda "troubling." Samuda had said that what Whittaker would have seen is metadata, which is data that provides a description and information about other data. Samuda then suggested that if Whittaker went further than viewing metadata, then he would be in breach of the Cybercrimes Act. 

"This comment from @matthewsamuda is troubling as it portrays Jamaica as hostile to journalists, and good-faith hackers and security researchers, whose jobs it is to find and help get security issues fixed," said Whittaker. 

"If the Jamaican government prosecutes someone for accessing *public* data, you can't expect good-faith hackers, security researchers, or cybersecurity professionals to ever report a security issue or breach ever again. You can't have it both ways, @matthewsamuda," he tweeted. 

Follow The Gleaner on Twitter and Instagram @JamaicaGleaner and on Facebook @GleanerJamaica. Send us a message on WhatsApp at 1-876-499-0169 or email us @onlinefeedback@gleanerjm.com or editors@gleanerjm.com.