Exploit: Misconfiguration
electronic Health Alert Card (eHAC): COVID-19 Test & Trace Platform
Risk to Business: 1.802 = Severe
A storage snafu has exposed a large pool of personal data from Indonesia’s test and trace tool, the electronic Health Alert Card (eHAC). Researchers discovered that an unsecured Elasticsearch database was being used to store over 1.4 million records from approximately 1.3 million eHAC users. Both foreigners and Indonesian citizens must download the app, even when traveling domestically within the country, and it holds travelers’ personal data, including a person’s health status, personal information, contact information, COVID-19 test results and other information.
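The root cause named above is an Elasticsearch node reachable from the internet with no authentication. As an added illustration (not code from the original report or from the eHAC project), the following script audits an elasticsearch.yml-style configuration for that exposure pattern: a listener bound to a non-loopback address while `xpack.security.enabled` and `xpack.security.http.ssl.enabled` are off. The setting names are real Elasticsearch keys; the two sample configurations, the "weak" one beside its hardened counterpart, are constructed for illustration, and treating an absent `xpack.security.enabled` as disabled is a deliberately conservative assumption (the default depends on the Elasticsearch version).

```python
"""Audit a flat elasticsearch.yml-style config for network-exposed nodes
that have authentication or HTTP TLS switched off.

Added example for illustration; not code from the original report.
Sample configs below are constructed.
"""
from __future__ import annotations

# Real Elasticsearch setting names.
SECURITY_ENABLED = "xpack.security.enabled"
HTTP_TLS_ENABLED = "xpack.security.http.ssl.enabled"
NETWORK_HOST = "network.host"

# Values of network.host that keep the node on the local machine only.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "_local_"}

# Constructed sample: listens on every interface, no auth, no TLS.
WEAK_CONFIG = """\
# constructed sample: node listening on all interfaces, no auth, no TLS
cluster.name: ehac-like-demo
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: same listener, but auth and HTTP TLS turned on.
HARDENED_CONFIG = """\
# constructed sample: same listener, security and HTTP TLS enabled
cluster.name: ehac-like-demo
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse 'key: value' lines, skipping blanks and '#' comments.

    This handles the flat dotted-key style commonly used in
    elasticsearch.yml; nested YAML blocks are not supported here.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def as_bool(value: str | None, default: bool) -> bool:
    """Interpret a YAML-ish boolean string; fall back to default if absent."""
    if value is None:
        return default
    return value.lower() in {"true", "yes", "on", "1"}


def audit(settings: dict[str, str]) -> list[str]:
    """Return a list of findings for an exposed, unprotected node."""
    findings: list[str] = []
    # Elasticsearch binds to loopback when network.host is not set.
    host = settings.get(NETWORK_HOST, "_local_")
    exposed = host not in LOOPBACK_HOSTS
    # Assumption: treat an absent xpack.security.enabled as disabled
    # (conservative; the real default depends on the ES version).
    security_on = as_bool(settings.get(SECURITY_ENABLED), False)
    tls_on = as_bool(settings.get(HTTP_TLS_ENABLED), False)

    if exposed and not security_on:
        findings.append(
            f"{NETWORK_HOST}={host} with {SECURITY_ENABLED} off: "
            "anyone who can reach port 9200 can read and modify every index"
        )
    if exposed and not tls_on:
        findings.append(
            f"{NETWORK_HOST}={host} with {HTTP_TLS_ENABLED} off: "
            "credentials and records travel in cleartext"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(parse_flat_yaml(cfg))
        print(f"{name}: {result or 'no findings'}")
```

Run the script as-is to see the weak configuration produce two findings and the hardened one none; pointing `parse_flat_yaml` at a real elasticsearch.yml turns it into a quick pre-deployment check, and binding `network.host` to a private address behind a reverse proxy or VPN removes the exposure entirely rather than relying on authentication alone.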
Individual Risk: 1.5882 = Severe
The data involved in the leak includes user IDs such as passport and national Indonesian ID numbers, COVID-19 test results and data, hospital IDs, addresses, phone numbers, URN ID numbers and URN hospital ID numbers. For Indonesians, full names, numbers, dates of birth, citizenship, jobs and photos were included in the leaked data. Private information about Indonesian hospitals and government officials who used the app was also exposed.
How it Could Affect Your Customers’ Business: A misconfiguration of this scale is embarrassing and demonstrates a slapdash security system that won’t fill users with confidence.
Source: ZDNet