The Government has initiated a criminal investigation into an apparent breach of the JAMCOVID application.
This was announced in a statement issued by the Ministry of National Security Thursday evening and came mere hours after the Opposition People’s National Party (PNP) had called for a proper probe into the matter.
“When a security vulnerability is identified in respect of a government system, the government has a duty to investigate and rectify it,” the statement said.
It added that: “Under Jamaican law, we also have a duty to ensure that any unauthorised access to data is investigated and prosecuted. Under section 3 of the Cybercrimes Act, ‘any person who knowingly obtains, for himself or another person, unauthorised access to any programme or data held in a computer commits an offence’”.
The statement said the matter has been referred to the Communication Forensics and Cybercrime Unit of the Jamaica Constabulary Force and the Major Organised Crime and Anti-Corruption Agency for further investigation.
While stating that a full investigation was now underway, the security ministry has outlined the following:
– The database is hosted on an AWS cloud server account owned by the Government of Jamaica.
-An independent review has been commissioned of the security of the system. Results of this review are expected within the next 24 hours.
– The systems of the Passport, Immigration and Citizenship Agency were not in any way affected, compromised or exposed by the vulnerability.
Meanwhile, the Administration said it stands by the JAMCOVID-19 application.
“The application has been a critical element of our Controlled Entry programme and has served us well in our management of the pandemic. The identified vulnerability has been rectified and the security protocols around the application will continue to be monitored to ensure that they meet the highest standards,” it stated.
Following news of the data breach, the Opposition PNP, through its spokesman on science, technology and commerce, Hugh Graham, demanded a thorough investigation into the matter, despite assurances from the government that the matter had been rectified.
Graham said the Minister of National Security, Dr Horace Chang must be prepared to address the Parliament about reports that sensitive data of Jamaicans and other visitors were left on an unsecured server.
Graham, in a statement, pointed to reports which surfaced on Wednesday which he noted “indicate that data ranging from COVID-19 test results uploaded to the VisitJamaica website, quarantine orders, and even 440,000 signatures were accessible to the general public for an unknown amount of time”.
“It’s easy to say the data is now secure’ but we need to know what caused this breach in the first place, and the public (must be) assured that this will not recur. We’re inviting people to come to Jamaica and upload sensitive data through this application, so we must guarantee our visitors that their private data will be safe,” said Graham.
Commenting further, the first-term Member of Parliament said: “With the kind of information that was left open to potential abuse, we cannot rule out malicious intent without a clear, transparent, thorough investigation. It can’t be that you find out about this kind of a breach and a few hours later you say ‘at present there is no evidence’ to suggest malicious intent”.