Some background on our story yesterday. TechCrunch discovered the exposed data as part of an investigation into COVID-19 apps, and worked to identify the source and notify them of the breach — as we've done before when we've found security issues. (1/)

techcrunch.com/2021/02/17/jam…
We reached out to Jamaica's Ministry of Health on Saturday (Feb 13) to make contact. We got a response on Sunday from spokesperson Stephen Davidson asking for more information. We sent details of the exposed server that evening. Davidson did not respond. The server remained open. (2/)
During this time we continued to investigate the breach, and on Tuesday (Feb 16) spoke to two Americans whose data was exposed on the server. They helped to narrow down the source of the breach and the owner of the server — a Jamaican government contractor, Amber Group. (3/)
I reached out to Amber Group's CEO Dushyant Savadia that afternoon (two days after we emailed the Ministry of Health) and a short time later the exposed data was secured. "We will be in touch shortly," said Savadia. I followed up again today, but still have heard nothing. (4/)
About an hour after our story went out, Jamaica's Ministry of National Security issued a statement (read it here: jis.gov.jm/jamcovid-secur…) that the security lapse was "discovered on February 16." Except it wasn't: the Ministry of Health knew about it days earlier. (5/)
Statement adds: "We have contacted travelers whose data may have been subject to the vulnerability." I've seen no evidence of this yet and nobody I've spoken to has received a notification either. At least half a million people's data was exposed. (6/6)
This is the email chain of my correspondence with the Ministry of Health. beta.documentcloud.org/documents/2048…
