Indonesians queue up to receive a Covid-19 vaccine dose. After the government imposed vaccination requirements to enter many venues, there was a spike in the number of fake inoculation certificates, causing concerns about the credibility of the programme. Photo: Reuters

Hong Kong’s Indonesian workers fear data security, fake vaccination record scandals will fuel distrust at the border

  • The e-HAC app exposed the data of 1.3 million users, while President Joko Widodo’s jab record was also leaked, amid calls for better data protection laws
  • As forged jab certificates spread, workers hoping to enter Hong Kong, South Korea and Japan are concerned about distrust in the vaccination programme
Concerns are growing among Indonesian migrant workers that their Covid-19 vaccine certificates will not be accepted by some destinations due to a lack of trust in the country’s immunisation programme.

With Hong Kong, South Korea and Japan now allowing entry to domestic helpers vaccinated in Indonesia, recent scandals over data security and forged vaccine certificates in the Southeast Asian nation could potentially hamper the placement of migrant workers already suffering from months of pandemic-induced border closures.

“[The proliferation] of fake vaccine certificates in Indonesia would cause distrust towards Indonesian migrant workers’ [proof of vaccination]. This is [our] concern,” said Eni Lestari, spokeswoman for the Asian Migrants Coordinating Body in Hong Kong.

“Even without the [cases of] fake vaccine certificates, the Hong Kong government does not really trust the vaccination records issued in the Philippines and Indonesia,” she said.

The distrust in Indonesia’s vaccination programme is not only an issue for those seeking to work abroad, but has also created a headache for the government.

It recently emerged that e-HAC, the country’s now-defunct test-and-trace mobile app for travellers, exposed the data of 1.3 million users because it lacked proper data privacy protocols.

Not even President Joko Widodo was spared. His vaccine certificate was leaked online last week, displaying his citizenship registration number, or NIK, his date of birth and his immunisation dates.

To add to the credibility concerns, there have been repeated forgeries of vaccination certificates. Last week, Jakarta police arrested four suspects for such forgeries, two of whom had created 93 fake vaccination documents through Indonesia’s national Covid-19 tracking app called PeduliLindungi. One of the perpetrators was a civil servant who had access to input data. The app needs to be shown before travelling or entering shopping malls or government buildings.

Fake vaccine certificates have also been found in Central Java, Southeast Sulawesi and Bali.

Trubus Rahadiansyah, a public policy expert with Trisakti University in Jakarta, said the proliferation of fake vaccine certificates was the result of a hastily-made government policy requiring people to show proof of inoculation to go about their daily activities.

“This policy is forced as the immunisation programme in Indonesia is not equal between regions,” he said. “The requirement to use vaccination proof for any kind of need spurs an opportunity to score [cash] for some individuals.”

Trubus warned that the forgeries could foster widespread distrust of the country’s immunisation programme. “The international community might ask, ‘is it true that 65 million Indonesians have been vaccinated?’”

It is also hard to verify the vaccination data as this has been “monopolised by the government”, he said.

Health care workers inject Indonesians with doses of a coronavirus vaccine during a vaccination drive in Depok. Photo: EPA-EFE

Weak data protection

Indonesia is not alone in dealing with counterfeit vaccine certificates, with cases reportedly found in Hong Kong, Malaysia, the Philippines and France. But only a few countries have allegedly exposed the personal data of millions of people through a Covid-19 tracking app.

In July, cybersecurity experts from US-based vpnMentor found that the personal data of 1.3 million e-HAC users was stored in an open server, allowing them access “with zero obstacles”.

The personal data includes Indonesian and foreign users’ national identity, passport and phone numbers, as well as their Covid-19 test results.

According to the vpnMentor website, the team immediately notified the Indonesian Ministry of Health, the country’s Computer Emergency Response, and Google, the app’s hosting provider, but none of them responded.

“By early August, we had not received a reply from any of the concerned parties. We tried to reach out to additional governmental agencies, one of them being the BSSN [National Cyber and Crypto Agency], which was established to carry out activities in the field of cybersecurity. We contacted them on August 22 and they replied on the same day. Two days later, on August 24, the server was taken down,” the company said.

The Health Ministry last month acknowledged that the data leak was sourced from the old version of the e-HAC app.

“Now, e-HAC is integrated into the PeduliLindungi app, whose server and infrastructure is located in the national data centre and [secured by] the Ministry of Communications and Informatics and BSSN,” Anas Ma’ruf, head of the health ministry’s data and information unit, told reporters.

The e-HAC leak underlines how much of the government-managed information and technology system still does not adhere to the principles of personal data protection, said Wahyudi Djafar, executive director at the Jakarta-based Institute for Policy Research and Advocacy (Elsam).

“It’s important for the government to immediately audit the personal data protection in the PeduliLindungi system to give a safety guarantee to the public. They cannot just say ‘your data is safe, we store it in a national data centre’. That does not mean anything,” Wahyudi said.


This is not the first time that a massive data leak has hit an Indonesian government-backed system. In May, the personal data of 279 million Indonesians was sold in an online forum for the price of 2 bitcoin. The data belonged to policyholders of the national health care and insurance agency, BPJS.

Last year, personal data of 2.3 million Indonesians was breached via the General Elections Commission (KPU) database, as well as the data of over 230,000 Indonesian Covid-19 patients, which ended up on the dark web.

Last week, personal data protection advocacy group Periksa Data said it will file a lawsuit in a Jakarta administrative court against BPJS, the Ministry of Communications and Informatics and BSSN over the data breaches.

Wahyudi also pointed out that the PeduliLindungi app does not have proper user authentication methods. Widodo’s vaccination certificate was easily accessible by anyone who knew his NIK, which was made available on the election commission’s website during the 2019 presidential campaign.

Indonesia has yet to pass a comprehensive Personal Data Protection bill, which has been delayed after first being proposed in 2014. The lack of stringent personal data protection could hinder Indonesia’s ambition of being Southeast Asia’s largest digital economy, Wahyudi said.

“If Indonesia wants to boost its digital competitiveness, it needs to pass the Personal Data Protection bill, which could balance the need to protect people’s rights to privacy and the companies’ economic interests,” Wahyudi said.

This article appeared in the South China Morning Post print edition as: Workers worry over distrust of vaccine records