Secuna, a local internet security firm, DICT’s Cybercrime Investigation and Coordination Center, Wilson Chua of Dagupan based Bitstop and the Manila Bulletin TechNews shared information over the weekend to identify possible data leaks that could be used for identity theft.
Data found include passport numbers and names, vehicle plate numbers with owners’ address, unredacted notarized contracts that show personal information, school IDs, government issued IDs and other documents with personal identifiable information.
Those who want to see these contents do not even need to directly dip their fingers inside the servers as these data could be accessed from outside and away from the safe confines of the concerned agencies’ servers.
The Manila Bulletin did not publish immediately pending information from DICT’s Asec. Allan Cabanlong, the country’s Executive Director for Cybercrime Investigation and Coordination Center (CICC). The CICC immediately informed the concerned government agencies upon learning of the possible leak.
While FOI downplays impact of data leak on its website, more government servers were found to have publicly accessible personal data.
1) eFOI
The Electronic Freedom of Information website has helped a lot of researchers in getting previously difficult if not impossible information about the government’s projects and contracts. To get any information, you need to register and submit proof of identification. Just recently, Wilson Chua, TechNews columnist of the Manila Bulletin found out that his ID was used in a scam, upon checking he found out that it came from a link that was traced to the website of eFOI.
FOI in its defense put the blame on Mr. Chua and said that he inadvertently uploaded his ID in a public page. Mr. Chua however disagreed. He said that all info given to any government institutions need to be protected and not made publicly available. In his case, the eFOI made his SSS ID available online, it contains every info that could be used to steal his identity.
FOI also said that only those who were asked to “re-upload” their IDs are affected, we however found some users who uploaded their IDs on a secured page but were still publicly viewable.
To mitigate the damage, FOI said they removed the tab for attaching files and protected all identifiable documents in their website. We checked the site and as of this writing, we can still see phone numbers and email addresses of the requesting parties.
Dondi Mapa, former Deputy Commissioner of National Privacy Commission of the Philippines said that if only the FOI office did a good Privacy Impact Assessment or PIA, they could have “identified these kinds of unintended consequences”.
2) LTO
The Land Transportation Office has thousands of names, plate numbers and in some cases addresses of vehicle owners that are publicly available. The information that could possibly leak was discovered last Saturday.
As of this writing, personal data are no longer available but some cache still remains and could be publicly viewed. The DICT CICC is closely coordinating LTO and so far has been successful in securing the exposed data.
3) DFA
Data containing passport numbers, names and delivery dates could be publicly viewed over the weekend. The DFA Information Technology group immediately took action when they were informed by CICC. This is an example of how private and government institution could effectively work together to secure sensitive information.
4) MWSS
MWSS Contracts, personal information of employees and other identifiable information were also publicly available few days ago. MWSS has copies of contracts online in full including the details of the parties involved. As of this writing, we were informed that MWSS is now taking necessary actions to solve the issue.
AJ Dumanhug, Secuna’s CEO and UP System IT Security Analyst said that problems like this could have been avoided if government agencies perform regular vulnerability assessment and penetration tests. Regular VAPT will help these agencies discover insecure endpoints or assets that could have leaked sensitive information due to simple misconfigurations.
Wilson Chua also said that government agencies need to conduct Privacy Impact Assessment as soon as possible to avoid this kind of problem from happening again. He is also encouraging other victims to inform the National Privacy Commission and file necessary complaints about the incident.
Believing that critics against the National ID System would use this issue, Chua said that he is still in favor of the National ID System expecting the government to learn from these latest incidents.
Atty. Francis Euston Acero, Division Chief, Complaints and Investigation Division of the National Privacy Commission said that if you think you have been a victim of personal information leak, you need to contact the person or entity responsible for holding your data confidential and demand to know what happened if this fails you can email the NPC at complaints @privacy.gov.ph you can also download the complaint form at https://www.privacy.gov.ph/complaints-assisted/