“The QR pass system is utilized by essential workers to travel between townships in Yangon during the lockdown, but the portal left the personal data of many Burmese citizens unguarded”
The registration portal for health QR codes that are necessary for domestic travel in Yangon, Myanmar’s largest city, during a nationwide lockdown was subject to a series of cyberattacks last week.
Saw Saw Shar, the Health QR Code app used by essential workers to travel in the country, was developed by the COVID-19 Containment and Emergency response ICT Support Group and went online in April. The app functions as a tracing app that logs the travel history of each user and issues reminders about infection hot zones.
Yangon residents, in particular, rely on Saw Saw Shar to issue QR codes that allow them to commute within the commercial capital, where a stringent lockdown is in place. Currently the government only allows essential workers and registered vehicles to move across townships for essential business.
According to the Union of Myanmar Federation of Chambers of Commerce and Industry (UMFCCI), “The [website’s] system suffered cyberattacks damaging its operation. It was suspended on September 27 to undergo system maintenance and prevent damage and then had to be suspended again after relaunching that night due to additional cyberattacks.”
The system resumed its service on September 28, but attacks persisted. A government spokesman said: “Such attacks are not acceptable and are criminal acts since this system was created to streamline the reopening of the businesses that are essential for the people in Yangon for food and other services, and to help employees of such businesses systematically commute in the city during the stay-at-home period.”
Cybersecurity experts in Myanmar said that the site lacks protection for personal data. One expert, Lynn Htun, said, “Both the site and application were not designed with security in mind at all. The security of the site as well as application was so bad that people with little or no hacking knowledge have been able to exploit the site and are able to extract the data.”
According to Htun, the Saw Saw Shar QR pass portal can provide access to the personal data of people registered in the system: “There are vulnerabilities such as users being able to view, edit, and replace other users’ data simply by changing the last digits in the URL string. This goes to show no hacking skills were required to misuse the site and that the site and application lack the very basic security provisions.”
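The flaw Htun describes, where the record number in the URL is the only thing the server consults, is a missing object-level authorization check. As an added illustration (not code from the Saw Saw Shar portal; the store, method names, account names and sample records are all constructed), the example below shows the unchecked lookup beside view and edit handlers that tie every record to the logged-in account.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Registration:
    owner: str      # account that created the record
    name: str
    township: str

class PassStore:
    """Constructed in-memory stand-in for a registration database."""
    def __init__(self):
        self._rows = {}

    def create(self, owner, name, township):
        # Opaque random id instead of a sequential number. This is defense in
        # depth only; the ownership check below is the actual control.
        rid = secrets.token_urlsafe(16)
        self._rows[rid] = Registration(owner, name, township)
        return rid

    def _owned(self, session_user, rid):
        row = self._rows.get(rid)
        # Same outcome for "missing" and "not yours", so ids cannot be probed.
        if row is None or row.owner != session_user:
            return None
        return row

    def view(self, session_user, rid):
        row = self._owned(session_user, rid)
        if row is None:
            return 404, None
        return 200, {"name": row.name, "township": row.township}

    def edit(self, session_user, rid, township):
        row = self._owned(session_user, rid)
        if row is None:
            return 404, None
        row.township = township
        return 200, {"name": row.name, "township": row.township}

    def view_unchecked(self, rid):
        """The flawed pattern: the id in the URL is the only thing consulted."""
        row = self._rows.get(rid)
        return (200, {"name": row.name, "township": row.township}) if row else (404, None)

def demo():
    store = PassStore()
    a = store.create("alice", "Alice (constructed)", "Hlaing")
    b = store.create("bob", "Bob (constructed)", "Insein")
    return store, a, b
```

The account passed as `session_user` must come from the server-side session, never from a request parameter, or the check can be bypassed the same way the id was.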
Another cyber expert said that the problem with Saw Saw Shar points to a larger problem: “The authorities do not understand basic principles of data privacy. Most of the ministers and members of cabinet are totally oblivious when it comes to the basics of data privacy, data sovereignty, and data classifications.”
In response to the problems with Saw Saw Shar, a government spokesman said the government would put together an advisory group of Myanmar cybersecurity and web development experts to advise it on issues related to website development and security. A first meeting of the advisory group is being planned for October. The group's mandate would be to look at all of the government’s crucial portals and then advise it on the steps necessary to improve both citizen access and security of information.