News | Feb 25, 2021

Government fumbling response to JamCOVID website controversy, says Jamaica Computer Society

Gavin Riley / Our Today

The JamCOVID19 app thumbnail in the Apple App Store. (Photo: Facebook @AndrewHolnessJM)

The Jamaica Computer Society (JCS) says it is surprised by the Government’s “rash” response to the uncovering of security lapses in the JamCOVID website and app. 

JCS Vice President Jason Scott, speaking with Our Today this morning (February 25), said that while developer Amber Group Ltd has assured Jamaicans that the discovered vulnerabilities have been fixed, a level of transparency is needed to restore trust and repair the country’s damaged reputation.

“The weight of the situation is that the information was just left open to the wider internet, where anyone could have downloaded it and possibly use it in the future for malicious purposes—like creating fake identities or to sell these identities on the dark web, which is a common practice,” Scott explained.

“As a standard, normally, when a report like this is found out – and reported in good faith – [the Government] is bringing a lot of attention to something that could have been handled discreetly,” he continued.

“Think of it like a stranger whispering in your ear that your zipper is down. You zip up, thank them and move on; that’s usually how we want the handoff to be. But in this case, when people reached out in good faith, the response is like ‘Yow! Weh yuh mean??’,” Scott added.

Jason Scott, deputy president of the Jamaica Computer Society. (Photo contributed)

TechCrunch senior security editor Zack Whittaker, who initially highlighted the massive JamCOVID lapse, was seemingly on the receiving end of a thinly veiled threat from State Minister of National Security Matthew Samuda.

Samuda, speaking about a criminal investigation into the detected gaps in JamCOVID, argued during a radio interview on Nationwide News Network: “Having gone through the initial vulnerability, he would have seen metadata. If he [Whittaker] wants to classify that as personal data that’s up to him. If he went further than that, then, that would be a breach of the Cybercrimes Act.”

Matthew Samuda, State Minister in the Ministry of National Security. (Photo: Jamaica Information Service)

TechCrunch, in a February 17 exposé, reported that a cloud storage server storing the uploaded documents was left unprotected and without a password, and was “publicly spilling out files onto the open web”. TechCrunch found another apparent lapse days later, where an exposed environment variables (.env) file was picked up by an independent security researcher, who told the technology specialist media organisation that the file was found in an open directory on the JamCOVID website.

The consequences could be great for the Jamaican Government if persons affected by the data breach sue the State, according to Scott.

“The immediate ramifications, once it was made public, the first thing that came to my mind was the GDPR (General Data Protection Regulation), where leaking or exposing personal information can attract a very significant fine if you’re operating outside the Eurozone,” he argued.

Checks by Our Today show that fines associated with breaches of the GDPR within the EU range from €10 million (JM$1.85 billion) to €20 million ($3.7 billion).

“More locally, our Data Protection Act stipulates how [personal] data is to be controlled and the process by which disclosure should be made once a breach has been identified,”  the JCS deputy president contended.

If found in breach of Eurozone GDPR laws, Jamaica could face hefty fines as a consequence of the JamCOVID controversy. (Photo: Erwin Wodicka for europedirect.lt)

In the meantime, Scott explained that data breaches are commonplace on the internet. However, due to the scope of the JamCOVID security lapse, the perceived lack of transparency is a cause for concern.

“To be clear, things like this happen on a regular basis, so, this is not a one-off situation. People have found vulnerabilities on other websites and reported them discreetly and the matters handled,” he disclosed.

“The JCS believes every [aspect] of this investigation should be open and transparent, especially with the public regarding this matter. The JCS has several member companies that specialise in cybersecurity and are willing to assist the Government,” Scott told Our Today.

Dealing with nearly 1.7 Terabytes of exposed data—arguably among the largest breaches in recent times—the Government is yet to request any external help, Scott noted. 

Founder and CEO of Amber Group, Dushyant Savadia.

“To the best of my knowledge, no, not as yet. The Government hasn’t reached out in this particular instance but they have reached out before for similar things. There is an open relationship between the JCS and government entities on cybersecurity and technology matters,” Scott said.

“But the gravitas of the [issue] requires that a level of transparency and open communication happens, which is not what we are seeing. There has been no accountability about the vulnerabilities for one, and the way it is being handled comes across as very hostile towards the security community,” he added.

Amber Group founder and CEO, Dushyant Savadia, in a statement on February 23, called the allegations “deeply concerning”. 

The group said it was troubled by mainstream reports, which it argued were “seemingly defamatory”, and that it was proceeding with a legal team to determine its next steps.
