Increased online usage during the COVID-19 pandemic has exposed cybersecurity and data privacy risks. Hackers have developed social engineering schemes focused on inducing employees to open “coronavirus-related” messages infected with malware. In addition, enterprises and governments are facing data privacy concerns regarding the collection and disclosure of personal information such as health data which is monitored to control COVID-19’s impact. Saint Lucia will also need to be proactive and address cybersecurity concerns. In this blog-post, we will explore some of the cybersecurity and privacy gaps from the ongoing COVID-19 response. Interestingly, the current administration, in their UWP 2016 manifesto, stated the following: “Ensure that adequate cyber security is provided on all public networks.”
Amber Group Data Breach
In mid-February there were reports of the exposure of hundreds of thousands of traveller’s sensitive data from the Jamaica Immigration online system. “A security lapse by a Jamaican government contractor has exposed immigration records and COVID-19 test results for hundreds of thousands of travelers who visited the island over the past year. The Jamaican government contracted Amber Group to build the JamCOVID19 website and app, which the government uses to publish daily coronavirus figures and allows residents to self-report their symptoms. The contractor also built the website to pre-approve travel applications to visit the island during the pandemic, a process that requires travelers to upload a negative COVID-19 test result before they board their flight if they come from high-risk countries, including the United States. But a cloud storage server storing those uploaded documents was left unprotected and without a password, and was publicly spilling out files onto the open web. The app also requires that travelers record short “check-in” videos with a daily code sent by the government, along with their name and any symptoms. The server exposed more than 1.1 million of those daily updating check-in videos.”
The Jamaica government issued the following official statement: “A security vulnerability associated with the file storage service on the JAMCOVID-19 application was discovered on February 16, 2021. The vulnerability was immediately rectified upon discovery.” It is important to note that Amber Group has also developed related software for Saint Lucia and disclosed the following in October 2020. “The British Virgin Islands, St Lucia, Turks & Caicos Islands and Grenada have joined Jamaica in implementing the electronic health-risk, travel authorization system developed by Amber, which declined to disclose the terms of the agreements. This comes as the Caribbean gets ready for the traditional start of the winter tourist season in mid-December. Turks & Caicos was deployed a month or so ago, and Grenada, BVI and St Lucia are all going fully live on Monday,” said founder and Group CEO of Amber Dushyant Savadia.”
The cybersecurity practices from Amber Group leave a lot to be desired and outlined here. “Aside from us looking like a joke, there are important questions. Something as basic as a password protection was not inputted? I don’t believe that could just happen” said Gavin Dennis, a consultant and director of G5 Cyber Security Company. “On reports that the critical aspects of the application took three days to develop, Dennis said: “This might not be enough time to do proper due diligence to ensure security and privacy is built into the system.”
Some questions arise as a result of this cybersecurity incident including the following:
· Does Saint Lucia use any technology designed and implemented by Amber Group?
· If so, are they vulnerable to any of the issues reported on the JamCOVID19 website?
· Has Saint Lucia secured the traveler’s data that are required to be submitted as per the COVID-19 protocols?
· Are any cybersecurity assessments completed on platforms such as DigiGov?
· Has the government completed the following as mentioned in the UWP 2016 manifesto “Implement the National ICT Strategy that was developed in 2010”. The 2010 National ICT Strategy stated “Increase security and data protection of medical information”.
Update on Saturday February 27th
There were further reports of additional security vulnerabilities on the JamCOVID website which resulted in it being taken down. “Jamaica’s JamCOVID app and website were taken offline late on Thursday following a third security lapse, which exposed quarantine orders on more than half a million travelers to the island. JamCOVID was set up last year to help the government process travelers arriving on the island. Quarantine orders are issued by the Jamaican Ministry of Health and instruct travelers to stay in their accommodation for two weeks to prevent the spread of COVID-19. These orders contain the traveler’s name and the address of where they are ordered to stay. But a security researcher told TechCrunch that the quarantine orders were publicly accessible from the JamCOVID website but were not protected with a password. Although the files were accessible from anyone’s web browser, the researcher asked not to be named for fear of legal repercussions from the Jamaican government. More than 500,000 quarantine orders were exposed, some dating back to March 2020.”
This incident clearly shows the challenges and possible repercussions of rushed deployment of critical software.
Personal Email Address Use
It is also concerning that numerous official government websites continue to use personal email addresses (gmail.com) that are likely controlled by one person. Why are these official government entities not using a Saint Lucia government email addresses? Some current examples include the following:
· Earlier COVID-19 protocols — “All persons travelling to Saint Lucia (3 years and over) are also required to submit PCR test results by email prior to departure. Test results should be sent to TravelSaintLucia@gmail.com and cc to email@example.com”
Who has access to firstname.lastname@example.org? Let us hope that the tens of thousands of traveler’s data that were email to email@example.com are not compromised in a similar manner to Amber Group Data Breach?
Lack of HTTPS on Government’s Homepage
It is baffling that in 2021 the Saint Lucian government still continues to have a website that does not use HTTPS by default. HTTPS prevents websites from having their information broadcast in a way that’s easily viewed by anyone snooping on the network. When information is sent over regular HTTP, the information is broken into packets of data that can be easily “sniffed” using free software. This makes communication over an unsecure medium, such as public Wi-Fi, highly vulnerable to interception. Current statistics indicate that 70+% of website use HTTPS by default in 2021.
It is even more concerning since other critical applications such Tax Filing are linked from the insecure Government of Saint Lucia’s homepage and can result in the disclosure of sensitive information. Is cybersecurity a concern for this administration?
From the evening Saturday February 20th to the evening of Sunday February 21st the COVID-19 dashboard appeared to be down with the following message “Bandwidth Limit Exceeded — The server is temporary unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later” Has any explanation been provided by the government for this downtime? Was the COVID-19 dashboard under a Denial-Of-Service attack or was it an oversight from the web developers?
COVID-19 Vaccine Pre-Registration
The Ministry of Health is attempting to have Saint Lucians pre-register to express interest regarding the COVID-19 vaccine. This pre-registration form is being hosted on Survey Monkey which is a popular platform to host such surveys but seems very hastily deployed in contrast to the earlier one launched by Grenada a few weeks ago.
The government had months to prepare this vaccination preregistration form and some basic improvements are the following:
· Brief description about the survey and the entity conducting the survey on the survey page and how sensitive health information will be protected.
· Add contact information of Ministry of Health if any potential survey respondent has questions
· Fix the formatting for Male and Female so that they appear on one line.
· Use checkboxes instead of “Remarks” since presumably the Ministry of Health wants to capture what underlying illnesses the user may have as per the public vaccination plan and what is typically requested at the doctor’s office.
Update on Sunday Feb 28th.
Cybersecurity and data privacy are critical areas for everyone in today’s world. We need to ensure that the authorities consider cybersecurity and data privacy as a top priority and we devote time and resources to securing all of our data.
Please reach out to firstname.lastname@example.org with any suggested topics for future articles or if you would like to help write or edit our blogposts. Like or Follow our Facebook Page or at Medium or Twitter.