Filipino IT firm STRADCOM Corporation, the proponent of the multi-billion peso Land Transportation Office (LTO) project that automates the agency’s service to driver license holders and motor vehicle registrants across 400 offices nationwide, said it no relation or connection with lisensya.info, which is allegedly involved in the “hacking” of the LTO site.
“As support to the LTO that has been our long-time principal client in serving the motoring public, we attest that any information used to provide or enable the so-called services has never been sanctioned, condoned or even known by us, nor were we previously aware of its operation, organization, ownership, or purpose,” said STRADCOM Spokesperson Lorie Bundoc.
In a statement, Bundoc said that STRADCOM is conducting an audit of its systems and infrastructure to further secure the integrity of the LTO’s database.
“We have requested a meeting with LTO officials to allow us to provide updates and material developments of this activity in further detail,” said Bundoc.
STRADCOM added that they too were alarmed over reports related to a data breach involving license and vehicle records of the LTO.
Bundoc said that while the company has recently reached a milestone of around 300 million LTO customer transactions since the beginning of its contract with the government. STRADCOM finds it alarming how any computerization project can fall prey to isolated cases of computer hacking seemingly more common in the online economies of the new normal.
The LTO itself has initially called out in its social media page, lisensya.info, as an unauthorized website for using the LTO logo on its webpage and misrepresenting the agency by providing online inquiry services for the authentication of driver’s licenses and motor vehicles.
STRADCOM also said that it learned of such website and cautioned against possible misrepresentation of LTO’s service/s on Monday, November 9, and immediately proceeded to seek possible vulnerabilities and to inform the LTO on the matter.tr
When asked if STRADCOM is party to the ongoing data breach investigation by the National Privacy Commission, Bundoc only said that “Even if LTO is the direct victim we are the proponent of the LTO IT Project and thus we assist/support the LTO in its service to the public among whose records got retrieved inappropriately.”
Bundoc did not also reply to question suggesting that the system STRADCOM installed at LTO could be weak making it vulnerable to hackers.
On Wednesday, Nov. 11, the National Privacy Commission said it was processing the cease and desist order and with that the lisensya.info site was expected to be taken down at the latest today, Nov. 12. NPC did not answer to messages asking for confirmation if it had effected the blocking or if the site has been successfully taken down. Bundoc, however, noted that the site lisensya.info was no longer able to accept any new license or vehicle-related authentication requests.
The LTO Data Protection Officer of the agency filed its initial breach notification report with the NPC Tuesday, November 10, 2020. The NPC also said that a privacy notice is also subject to compliance and does not automatically prompt a stop processing/shutdown.
The site lisensya.info, which claims to be a motor vehicle authenticator, remained accessible while the LTO-run website “lto.net.ph,” which provides the status of the availability of license plates, is down or unavailable. A total of 12.725 million vehicles were registered with the LTO in 2019.
“The NPC shall verify the incident and look into the extent of possible harm on LTO’s data subjects to determine how to best resolve the situation,” Privacy Commissioner Raymund E. Liboro said.
“NPC is coordinating with the Data Protection Officer (DPO) of the LTO for us to be provided with more details of the incident,” he added.
Last week, the LTO issued a statement assailing lisensya.info for using the LTO logo on its website to establish a false connection with the agency.
The questionable website provided a “Motor Vehicle Authenticator” which, through the mere input of the motor vehicle file number by anyone, would show sensitive information, such as the make, plate number, engine number, chassis number, registration expiry date, and name of the owner.
Netizens claimed the data the site provided were accurate, raising suspicions of a leak in LTO’s database as these are the types of information the LTO collects from motorists for registration.
Based on results of NPC’s initial investigation, lisenysa.info has neither a privacy notice nor any contact details of its owner.