The Ministry of Health of Indonesia (Kemenkes) has finally spoken out about the data leak affecting users of the eHAC application. As a result of the leak, data belonging to an estimated 1.3 million users is vulnerable to being accessed by anyone.
Head of the Ministry of Health’s Data and Information Center, dr. Anas Maruf, explained that the alleged data leak occurred in the old eHAC application. He said that the application has not been used since July 2, 2021.
“Ever since July 2, 2021, we have started the PeduliLindung application, into which eHAC has been integrated. Once again I emphasize, the system in the old eHAC is different from the eHAC system incorporated in PeduliLindung. The infrastructure is different,” he explained at a press conference, Tuesday (8/31).
Furthermore, Anas stated that the data leak in the old eHAC was probably from one of their partners. However, he did not elaborate on the identity of the “partner” in question.
“This has been known by the government and currently the government has taken preventive measures, as well as making further efforts, involving the Ministry of Communications and Informatics (Menkominfo) and the authorities,” he added.
Lastly, Anas asked the public to delete the old eHAC application from their device and replace it with the eHAC feature in the PeduliLindung application.
The vpnMentor research team stated that eHAC data is stored on servers that can be accessed by anyone. The available data varies, ranging from personal identity, address, telephone number, and travel information to medical records and COVID-19 status. The exposed data totaled more than 1.4 million records, with a file size of 2 GB.
Moreover, there is data from 226 hospitals and clinics across Indonesia, as well as the name of the person responsible for testing each traveler, the doctor who runs the test, information on how many tests are performed each day, and data on what types of travelers are allowed in the hospital.
Researchers warn that data on eHAC can be misused for crimes ranging from fraud and hacking to disinformation. In addition, hackers can use this data to target phishing victims via email, text, or phone calls.
After coordination involving the Ministry of Health and BSSN, action was taken on August 24, 2021, when the eHAC server was turned off.