By Makhulu

What a fiasco! What a terrible, terrible fiasco and a major embarrassment for the Government of Jamaica, indeed for all Jamaicans.

The Amber Group, headed by the irrepressible and enthused Dushyant Savadia built the JamCOVID portal in a matter of days for the Jamaican Government in order to monitor inbound travelers into the country during this time of COVID.

It was heralded with much fanfare and the government announced it was a gamechanger in the fight against the coronavirus.

Amber became a tech company with a big future and promised to teach young Jamaicans coding in order to offer them gainful employment –  a very commendable initiative.

Last week, American website TechCrunch revealed that the JamCOVID portal had some major security issues and that the data of thousands of travelers including Americans was exposed. This discovery was reported to both Amber and the Government which, in a a state of paralysis, took too long to respond.

On becoming clear that there was a major security issue, rather than definitively stating that errors allowed for people’s data to be exposed, the Government chose to focus on the breach being now secure and that all was well.

Amber in turn took days to explain what transpired and why its technology was compromised.

The TechCrunch revelation, through security editor Zack Whittaker, has left a lot of egg on the faces of both the Government and the Amber Group with questions being asked about whether the Andrew Holness Administration properly vetted this new company or if it too hastily accepted what was being offered?

All too often, companies in Jamaica do not confront communications issues up front, choosing to spin and curate their responses to minimise perceived backlash. There are a lot of ‘communication specialists’ in Jamaica these days with laptop in hand and busy ‘crafting the message’.

With the Government on the backfoot, everyone wants to know what the hell happened here and how come such a major data breach could have occurred?

A techy revealed that a school-boy error took place, allowing access to vital information on many people.

When Amber did eventually deign to respond to this egregious mishap, the wording was the typical press release jargon, an ambiguous head scratcher leaving one none the wiser.

“We immediately and successfully addressed the issue regarding the JamCOVID-19 platform on the Government of Jamaica’s cloud server hosted on the Amazon Web Services.

“Subsequently, a leading international cybersecurity provider has verified to the Government of Jamaica that there are no vulnerabilities that could lead to any form of data exposure or breach at the infrastructure and Amazon Web Services level. Amber’s preliminary investigation also confirms this, and we are confident this was a completely isolated occurrence.”

OK. It’s clear that Amber accepts no culpability and assures all that it will not occur again. In fact, the Jamaican Government went as far as to rebuff TechCrunch’s claim that thousands of persons personal data was leaked, saying resolutely that it was just 700.

ANOTHER BREACH?

Days later, another apparent breach was exposed, though Savadia yesterday dismissed claim, arguing the exposed .env file being described as a second vulnerability was file containing expired information, along with links that had previously been made redundant.

So, what is going on? Does Amber know what it is doing? Does it have the required expertise? Is its credibility now shot?

The Ministry of National Security said yesterday that a comprehensive review of all aspects of the site, application and associated databases is being conducted and that there will be further strengthening of security features.

But the country still requires more forthcoming answers.

Jamaica aspires to developed world status in nine years’ time; this is more a banana republic approach – head in the sand, subterfuge and sophistry.

Fool me once, shame on you; fool me twice, shame on me. How could Amber leave so many people’s information unprotected with files being exposed on the Internet? If people were worried about NIDS before, they should be panicking now. It’s a point well made by Jimmy Moss-Solomon of the Mona School of Business. He has long doubted Jamaica’s ability to safeguard people’s personal details digitally. Right here is his reason.

The Government is wrong to focus on the fact that the exposed data was  subsequently secured and should concentrate its efforts on why there was a breach, not once, but possibly twice.

Savadia took 48 hours to respond to the first breach and by all accounts couldn’t be contacted– that’s way too long.

He has a duty to take us all through the company’ s methods to secure data and must demonstrate why it is worthy to be a government contractor capable of ensuring Jamaican citizens’ safety.

The Government must now do all it can to allay the fears of Jamaicans after this digital catastrophe, ensuring the right checks and balances are put in place. Technology must be carefully handled and should not be carelessly employed to the detriment of Jamaicans by companies that are not held to account.