eVisa Indonesia

Summary

Indonesia's e-visa system experienced a glitch in October 2024 that inadvertently exposed passport details of travelers including Australians visiting Bali. At least three separate Australian travelers reported being able to view full names, dates of birth, passport numbers, and photos of strangers when scanning QR codes on their visa documents.

Attack Vector

A system misconfiguration in Indonesia's e-visa platform caused multiple travelers to be allocated identical document numbers, allowing them to view each other's sensitive information through the visa verification QR code system. The flaw was not a deliberate cyber attack but rather a technical anomaly in the visa-on-arrival application system processing tens of thousands of daily applications.

Consumer Impact

Affected travelers could view complete passport information of other visitors, including full names, dates of birth, passport numbers, and passport photos. One Melbourne traveler reported seeing details of two other Australians, while another Australian saw information belonging to two Chinese tourists. An immigration supervisor at Bali airport confirmed the issue had been "going on for a while" and affected widespread travelers, not isolated cases.

Response

Indonesia's immigration department in Jakarta acknowledged the problem and confirmed they are working to fix the system anomaly. The Australian Department of Foreign Affairs and Trade confirmed that passports involved in the data exposure remain safe to use for international travel and identity verification. Despite the exposure, Indonesian immigration officials noted the challenge of addressing the issue while processing tens of thousands of visa-on-arrival applications daily.