As governments scrambled to lock down their populations after the COVID-19 pandemic was declared final March, some international locations had plans underway to reopen. By June, Jamaica turned one of many first international locations to open its borders.
Tourism represents about one-fifth of Jamaica’s economic system. In 2019 alone, 4 million vacationers visited Jamaica, bringing hundreds of jobs to its three million residents. But as COVID-19 stretched into the summer time, Jamaica’s economic system was in free fall, and tourism was its solely approach again — even when that meant on the expense of public well being.
The Jamaican authorities contracted with Amber Group, a know-how firm headquartered in Kingston, to construct a border entry system permitting residents and vacationers again onto the island. The system was named JamCOVID and was rolled out as an app and an internet site to permit guests to get screened earlier than they arrive. To cross the border, vacationers needed to add a detrimental COVID-19 check outcome to JamCOVID earlier than boarding their flight from high-risk international locations, together with the United States.
Amber Group’s CEO Dushyant Savadia boasted that his firm developed JamCOVID in “three days” and that it successfully donated the system to the Jamaican authorities, which in flip pays Amber Group for added options and customizations. The rollout seemed to be successful, and Amber Group later secured contracts to roll out its border entry system to at the least 4 different Caribbean islands.
But final month TechCrunch revealed that JamCOVID uncovered immigration paperwork, passport numbers, and COVID-19 lab check outcomes on near half 1,000,000 vacationers — together with many Americans — who visited the island over the previous 12 months. Amber Group had set the entry to the JamCOVID cloud server to public, permitting anybody to entry its knowledge from their internet browser.
Whether the info publicity was brought on by human error or negligence, it was an embarrassing mistake for a know-how firm — and, by extension, the Jamaican authorities — to make.
And which may have been the tip of it. Instead, the federal government’s response turned the story.
A trio of safety lapses
By the tip of the primary wave of coronavirus, contact tracing apps have been nonetheless of their infancy and few governments had plans in place to display screen vacationers as they arrived at their borders. It was a scramble for governments to construct or purchase know-how to know the unfold of the virus.
Jamaica was certainly one of a handful of nations utilizing location knowledge to observe vacationers, prompting rights teams to lift considerations about privateness and knowledge safety.
As a part of an investigation right into a broad vary of those COVID-19 apps and providers, TechCrunch discovered that JamCOVID was storing knowledge on an uncovered, passwordless server.
This wasn’t the primary time TechCrunch discovered safety flaws or uncovered knowledge by our reporting. It additionally was not the primary pandemic-related safety scare. Israeli spyware and adware maker NSO Group left actual location knowledge on an unprotected server that it used for demonstrating its new contact tracing system. Norway was one of many first international locations with a contact tracing app, however pulled it after the nation’s privateness authority discovered the continual monitoring of residents’ location was a privateness threat.
Just as we’ve got with every other story, we contacted who we thought was the server’s proprietor. We alerted Jamaica’s Ministry of Health to the info publicity on the weekend of February 13. But after we offered particular particulars of the publicity to ministry spokesperson Stephen Davidson, we didn’t hear again. Two days later, the info was nonetheless uncovered.
After we spoke to 2 American vacationers whose knowledge was spilling from the server, we narrowed down the proprietor of the server to Amber Group. We contacted its chief govt Savadia on February 16, who acknowledged the e-mail however didn’t remark, and the server was secured about an hour later.
We ran our story that afternoon. After we revealed, the Jamaican authorities issued an announcement…
