A data breach impacting 1.3 million users of a government contact-tracing tool has heightened alarm in Indonesia about information security, following the online disclosure of the president’s COVID-19 immunization certificate.
President Joko Widodo’s immunization records were accessed and widely posted on social media through the app PeduliLindungi (care protect), prompting concerns among experts about the government’s commitment to data security.
Digital analyst Ismail Fahmi said the leak showed how easy it was to view or potentially use another individual’s vaccination certificate, even that of a head of state.
“If there was protection, there would be an investigation into why this problem persists, why personal records can be easily mined,” he said.
“But there is no such protection.”
Health minister Budi Gunadi Sadikin on Friday said officials’ records could no longer be accessed.
Some social media users expressed dismay over flaws in the application, which was last month made mandatory.
“I trust the government’s apps less and less after this,” said a Twitter user under the handle @delrellove.
Another user, Denny Siregar, who has more than a million followers, said: “Our data protection is very low. Even the president’s got leaked.”
The application includes private biodata and displays vaccination dates and types administered. Its use is required for air travel and entering malls.
Fadjroel Rachman, a presidential spokesman, said his office regretted the breach.
“We hope that relevant authorities can conduct certain procedures to prevent similar incidents from happening, including the protection of the people’s data,” he said.
A data protection bill was submitted to parliament last year but has yet to be passed.
The government announced on Tuesday that it was looking into a bug in an earlier version of the app that exposed the personal information of 1.3 million people. L4N2Q219C
It happened just a few months after a state insurer was accused of breaching social security data.
“The problem remains the same; there is no comprehensive strategy to safeguard citizen data,” said Damar Juniarto of the digital advocacy group SAFEnet.
“There should be constraints on being able to review other people’s data, let alone the president’s, with strong privacy standards and design.”