Editorial | Secure PICA’s data

Published: Monday | September 11, 2023 | 12:07 AM
Dr. Horace Chang (second left), minister of national security (MNS), speaks to the media about accessing the online Immigration Customs C5 form during a tour of the Norman Manley International Airport. Looking on are (from left) Andrew Wynter, CEO, Passport, Immigration and Citizenship Agency; Alison Stone Roofe, permanent secretary, MNS and Velma Ricketts Walker, CEO, Jamaica Customs Agency.

It was refreshing that the government quickly warned potential users that scammers had mirrored its new online immigration management system and were charging travellers to upload information when the service is supposed to be free.

The urgency with which the national security minister, Horace Chang, acted in this matter is likely to save Jamaicans and foreigners not only hundreds of thousands of dollars, but also from the loss of personal data and, potentially, identity theft.

However, the issue again raises, indirectly, questions about the security of the Jamaican Government’s cybersecurity systems and, in this case, the robustness of the firewalls protecting data collected by the Passport, Immigration and Citizenship Agency (PICA).

In other words, last week’s suggestion that the PICA system was hacked – rather than mirrored in a counterfeit site – will nonetheless cause concern about the integrity of people’s private information and the danger that is posed when it is compromised.

Happily, what transpired is not of comparable dimensions, but it has echoes of the JamCOVID fiasco of less than three years ago, when information people loaded on a government website about their COVID-19 status, as well as data from their passports, was inadequately protected and therefore vulnerable to unauthorised searches and theft.

At the time, the government promised a review, and overhaul, of its cybersecurity arrangements, and threatened to sue or criminally charge the tech magazine and its reporter who highlighted the vulnerabilities. However, nothing was subsequently said publicly of that matter, including, importantly, whether anyone was held accountable for the design flaws and management weaknesses that left the JamCOVID site vulnerable.

NOT TOO LATE

In light of the current developments, it’s not too late to publish the findings of any investigation of the JamCOVID affair and of the broader review of the Government’s cybersecurity systems, particularly with respect to the safety of citizens’ private information.

At the start of this month PICA formally inaugurated a system where all persons travelling, Jamaicans as well as non-residents, have to fill out, and lodge, their immigration forms online. But according to Dr Chang, as soon as the system went live it was being cloned and users were charged a fee of between US$5 and US$35 to fill out and lodge their forms. In Canada people apparently paid as much as C$50 per form. In reality, the service is free.

Dr Chang’s initial suggestion was that the site was hacked, rather than copied. It was subsequently clarified that the problem was the latter rather than the former.

“...Bear in mind that when you give them information, you are actually giving them personal information that can be used otherwise,” Dr Chang said. Read identity theft.

The minister’s advice to potential users is to ensure that the sites they enter have the correct logos and emblems, and to be aware that there is no charge for using the system. That, implicitly – and quite rightly – is about consumers, too, taking personal responsibility.

However, Jamaica is a significant holiday destination. Over three million tourists come to the island annually. Many of these people won’t have known about the scam. Some of them may, unwittingly, place their data at risk. Preventing this is important.

In early 2021, as the COVID-19 pandemic moved into high gear, Jamaica introduced the JamCOVID web portal and app, to which people wanting to travel to the island had to post results of recent tests for the disease and other information by which to track their movements in Jamaica. The data was stored in the cloud by Amazon Web Services (AWS).

LEFT UNPROTECTED

However, an American magazine, TechCrunch, discovered that the “storage server storing those uploaded documents was left unprotected and without a password, and was publicly spilling out files onto the open web”.

“...More than 70,000 negative COVID-19 lab results, over 425,000 immigration documents authorising travel to the island – which included the traveller’s name, date of birth and passport numbers – and over 250,000 quarantine orders dating back to June 2020” were accessible to the public, the publication reported. Additionally, 440,000 images of people’s signatures were also available.

Shortly afterwards, TechCrunch also reported that files with credentials and passwords that would take users to the backend of the system were easily available on the site. At the time, the government played down an obviously monumental cock-up, even as it huffed about going after the hackers who had exposed the weaknesses.

In this case, no data was stolen directly from PICA, although it features in both events. It would be expected, therefore, that having been burnt in the past, PICA will now be especially sensitive to the security of its information systems. And perhaps it is, and was.

The agency should therefore give better and further particulars of what has been done over the last two years to protect the information of its clients. The government should also speak about the security of data across the public sector.