A user shows the government's Covid-19 tracing app, PeduliLindungi, in Jakarta on Saturday, Aug 28, 2021. (Antara Photo/Dhemas Reviyanto)

Gov't Launches Investigation After Data of 1.3m Reportedly Leaked From Its Covid-19 Tracking App


AUGUST 31, 2021

Jakarta. The Ministry of Health said in a press conference that there are indications that their Covid-19 eHAC application has been breached, following reports that 1.3 million users’ data had been compromised.

Anas Maruf, the head of data and information at the Ministry of Health, said at a press conference on Tuesday that the ministry was taking “necessary actions” to investigate the breach and prevent the impact of the data leak. 


The ministry's response came one day after vpnMentor, a website built by cybersecurity experts, published its findings on August 30th.

A research team at vpnMentor, which discovered the database on 15th July 2021, reportedly found that eHAC app developers “failed to implement adequate data privacy protocols and left the data of over 1 million people exposed to an open server.”

“Our team discovered eHAC’s records with zero obstacles, due to the lack of protocols put in place by the app’s developers,” they said, “It was completely unsecured and unencrypted.”

The eHAC app, short for electronic health alert card, is the government-mandated mobile application created to track Covid-19 within the country. The application was mandatory for travelers entering Indonesia (foreigners and locals alike) and those traveling domestically. 

It was created in 2021 by the Ministry of Health, and there were over 1.4 million records stored within it. Of those 1.4 million, the data of approximately 1.3 million users was leaked, according to vpnMentor.

The data breached included Covid-19 test data, passenger IDs, hospital IDs, eHAC account data, and more. Beyond personal data, the data from 226 hospitals and clinics were also reportedly leaked. 

Personal data accessed included passengers’ names, ID numbers, mobile phone numbers, jobs, passport details, hotel details, and more. Users’ photographs were also exposed.

On the data breach, vpnMentor said that “Had the data been discovered by malicious or criminal hackers…the effects could have been devastating”. Such consequences include leaving users vulnerable to “a wide range of attacks and scams.”

According to their report, their team contacted the Ministry of Health, CERT agency, and Google in July without any responses. 

They were finally able to get a response after reaching out to the National Cyber and Encryption Agency (BSSN), Indonesia's cyber security agency, on August 22nd, and the server was taken down two days later.

Suspected Third-Party Vulnerability

The health ministry's Maruf said that the eHAC server had not been in use since 2nd July 2021, even before vpnMentor discovered the database. The alleged breach was supposedly caused by a system leak from a third party.

Despite this, he maintains that the data breach is only alleged, as proof can only be concluded after a digital forensic audit has been thoroughly carried out.

During the press conference, the Ministry of Health urged Indonesians to delete the old eHAC app and download the government's new app, PeduliLindungi, which has been integrated with the eHAC system, to “utilize the eHAC features.”

Maruf gave assurances about the security of PeduliLindungi, saying that “the digital infrastructure exists within the National Data Center, and is guaranteed security by the relevant supporting ministries, namely Kominfo [the Ministry of Communication and Information] and BSSN.”

In response to the press conference, Indonesian netizens took to the internet to express their outrage over the data leak and the government’s response. Commenters criticized the fact that the scheduled press conference started late, that Maruf himself took a sudden phone call in the middle of it, and that no apology was made on behalf of the government for the alleged data breach.

This was the second major data breach involving a government body this year. In May, data on virtually all members of the national health insurance scheme, BPJS Kesehatan, was available on the dark web, exposing more than 279 million records containing personal information ranging from identity numbers, social security numbers, phone numbers, and tax identification numbers to family members, blood type, and salaries.