How Jamaica failed to handle its JamCOVID scandal

As governments scrambled to lock down their populations after the COVID-19 pandemic was declared in March, some countries were already planning to reopen. By June, Jamaica had become one of the first countries to open its borders.

Tourism represents about one-fifth of Jamaica’s economy. In 2019 alone, four million travelers visited Jamaica, providing thousands of jobs to its three million inhabitants. But as COVID-19 stretched into the summer, Jamaica’s economy was in free fall, and tourism was the only way back – even at the expense of public health.

The Jamaican government entered into an agreement with Amber Group, a technology company headquartered in Kingston, to set up a border system that would allow residents and travelers to return to the island. The system was named JamCOVID and was implemented as an app and a website to screen visitors before they arrive. To cross the border, travelers from high-risk countries, including the United States, had to upload a negative COVID-19 test result to JamCOVID before boarding their flight.

Dushyant Savadia, CEO of Amber Group, boasted that his company developed JamCOVID in ‘three days’ and that it effectively donated the system to the Jamaican government, which in turn paid Amber Group for additional features and adjustments. The rollout turned out to be a success, and Amber Group later won contracts to expand its border access system to at least four other Caribbean islands.

But last month, TechCrunch revealed that JamCOVID had exposed the immigration documents, passport numbers and COVID-19 lab test results of nearly half a million travelers – including many Americans – who have visited the island in the past year. Amber Group had left the JamCOVID cloud server publicly accessible, so anyone could access its data from a web browser.

Whether the data exposure was caused by human error or negligence, it was an embarrassing mistake for a technology company – and, by extension, the Jamaican government – to make.

And that might have been the end of it. Instead, the government’s response became the story.

A trio of security lapses

By the end of the first wave of the coronavirus, contact tracing apps were still in their infancy, and few governments had plans to screen travelers as they arrived at their borders. It was a scramble for governments to build or acquire technology to understand the spread of the virus.

Jamaica was one of a handful of countries that used location data to monitor travelers, prompting rights groups to raise concerns about privacy and data protection.

As part of an investigation into a wide range of these COVID-19 applications and services, TechCrunch found that JamCOVID was storing data on an exposed, passwordless server.

This was not the first time that TechCrunch found security flaws or exposed data through our reporting. Nor was it the first pandemic-related security lapse. Israeli spyware maker NSO Group left real location data on an unprotected server that it used to demonstrate its new contact tracing system. Norway was one of the first countries to have a contact tracing app, but pulled it after the country's privacy authority found that the continuous tracking of citizens was a privacy risk.

Just as with any other story, we contacted who we thought was the owner of the server. On the weekend of February 13, we informed the Jamaican Ministry of Health of the data exposure. But after we gave specific details of the exposure to Stephen Davidson, the ministry's spokesman, we did not hear from him again. Two days later, the data was still exposed.

After talking to two US travelers whose data leaked from the server, we narrowed down the owner of the server to Amber Group. On February 16 we contacted its CEO, Savadia, who acknowledged the email but did not comment, and the server was secured about an hour later.

We ran our story that afternoon. After we published it, the Jamaican government issued a statement claiming that the lapse was 'discovered on February 16' and 'corrected immediately', neither of which was true.

Instead, the government responded by launching a criminal investigation into whether there was any "unauthorized" access to the unprotected data that led to our first story, which we see as a thinly veiled threat aimed at this publication. The government said it had contacted its overseas law enforcement partners.

When reached, an FBI spokesman declined to say whether the Jamaican government had contacted the agency.

Things did not get much better for JamCOVID. In the days following the first story, the government hired a cloud consultant, Escala 24×7, to assess the security of JamCOVID. The results were not released, but the company said it was confident there was 'no current vulnerability' in JamCOVID. Amber Group also said the lapse was a 'completely isolated event'.

A week later, TechCrunch alerted Amber Group to two more security lapses. Following the attention from the first report, a security researcher who saw the news of the first lapse found exposed private keys and passwords for JamCOVID's servers and databases hidden on its website, and a third lapse spilled quarantine orders for more than half a million travelers.

Amber Group and the government claimed to be facing "cyberattacks, hacking and rogue players." In fact, the app just wasn't that secure.

Politically inconvenient

The security lapses come at a politically awkward time for the Jamaican government as it seeks to launch a national identification system, or NIDS, for the second time. NIDS would store biographical data about Jamaican nationals, including biometrics such as their fingerprints.

The repeat attempt comes two years after the government's first law was struck down by Jamaica's Supreme Court as unconstitutional.

Critics have argued that the JamCOVID security lapses are a reason to abandon the proposed national database. A coalition of privacy and rights groups cited the recent issues with JamCOVID as a reason why a national database is 'potentially dangerous to Jamaican privacy and security'. A Jamaican opposition party spokesman told local media that "there was not much confidence in NIDS in the first place."

It's been more than a month since we published the first story, and there are many unanswered questions, including how Amber Group obtained the contract to build and manage JamCOVID, how the cloud server became exposed, and whether security testing was performed before its launch.

TechCrunch emailed both the office of the Jamaican Prime Minister and Matthew Samuda, a minister in Jamaica's Ministry of National Security, asking how much, if anything, the government had donated or paid to Amber Group to run JamCOVID and what security requirements, if any, were agreed for JamCOVID. We received no response.

Amber Group also has not said how much it earned from its government contracts. Amber Group's Savadia declined to disclose the value of the contracts to one local newspaper. Savadia did not respond to our emails with questions about the contracts.

After the second security breach, the Jamaican opposition party demanded that the prime minister release the contracts governing the agreement between the government and Amber Group. Prime Minister Andrew Holness told a news conference that the public “should know” about government contracts, but warned that “legal obstacles” could prevent disclosure, such as for national security reasons or when “sensitive trade and commerce information” could be disclosed.

This came days after the local newspaper The Jamaica Gleaner had a request for contracts revealing the salaries of government officials denied by the government under a legal clause preventing the disclosure of an individual's private affairs. Critics argue that taxpayers have the right to know how much public servants are paid from public funds.

The Jamaican opposition party also asked what had been done to notify victims.

Samuda, the government minister, initially downplayed the security lapse, claiming that only 700 people were affected. We searched social media for evidence but found nothing. To date, we have found no evidence that the Jamaican government has ever informed travelers of the security incident – either the hundreds of thousands of travelers whose information was exposed, or the 700 people the government says it notified, though no such notice has been made public.

TechCrunch emailed the minister to request a copy of the notice the government allegedly sent to victims, but we received no response. We also asked Amber Group and the Jamaican Prime Minister's Office for comment. We did not hear back.

Many of the victims of the security lapse are from the United States. Neither of the two Americans we spoke to for our first report was notified of the breach.

Spokesmen for the Attorneys General of New York and Florida, whose residents' information was exposed, told TechCrunch that they have not yet heard from the Jamaican government or the contractor, despite state laws requiring that data breaches be disclosed.

The reopening of Jamaica's borders came at a cost. The island saw more than a hundred new cases of COVID-19 in the ensuing month, the majority of which arrived from the United States. From June to August, the number of new coronavirus cases each day went from tens to dozens to hundreds.

To date, Jamaica has reported more than 39,500 cases and 600 deaths due to the pandemic.

Prime Minister Holness reflected on the decision to reopen the country's borders in parliament last month while announcing the country's annual budget. He said the country's economic downturn last year was "driven by a huge 70% contraction in our tourism industry." More than 525,000 travelers – residents as well as tourists – have arrived in Jamaica since the opening of the borders, a figure that is more than the number of traveler records found on the JamCOVID server in February.

Holness defended the reopening of the country's borders.

"If we did not do this, the revenue from tourism would have been 100% instead of 75%, there would have been no recovery in employment, our balance of payments deficit would have worsened, overall government revenue would have been threatened, and there would have been no argument to be made about spending more," he said.

Both the Jamaican government and Amber Group have benefited from the opening of the country's borders. The government wanted to revive its declining economy, and Amber Group enriched its business with new government contracts. But neither of them paid enough attention to cybersecurity, and the victims of their negligence deserve to know why.
