The country's transportation agency is now on a hot seat as thousands of personal information of drivers and vehicle owners were processed and saved by a website pretending to be an official LTO page. Thousands of users were tricked into submitting what looks like harmless information but later used to get their personal data. Simply put, personally identifiable information under the responsibility of the Land Transportation Office of the Philippines were downloaded by unauthorized individuals.
Here's what happened:
November 5: The Land Transportation Office warned users not to give personal information to unverified links and accounts. In a Facebook post, the agency said that LTO does not own or manage the website www.lisensya.info. https://www.facebook.com/lto.cdmpao/posts/4945108275506974
November 8: At around 8am, white hat hacker and Secuna co-founder AJ Dumanhug warned users not to use lisensya.info. I immediately coordinated with Mr. Dumanhug and got additional info on how the data were taken from unsuspecting users. https://atom.hackstreetboys.ph/lisensya-website-and-why-you-should-never-use-it/
November 8: At 10:48am, I posted a story in Manila Bulletin website saying that LTO exposes thousands of information due to misconfiguration. https://mb.com.ph/2020/11/08/lto-exposes-thousands-of-information-due-to-misconfiguration/
November 8: At 1:36pm on the same day, I asked the National Privacy Commission through its Viber Group Chat about it.
November 9: The next day, at 12:31pm NPC personnel replied that the commission is already aware of the LTO issue.
November 11: The National Privacy Commission issued a press release saying that the NPC will investigate lisensya.info for possible privacy violation.
November 11: NPC personnel confirmed via Viber that LTO breached report was submitted on November 10.
November 12: A cease and desist order was issued by the NPC against lisensya.info with an order to file comments on the issue.
November 13: The Land Transportation Office said that the leaked data is not from them but from Stradcom Corporation, the old IT provider of the agency.
How the breach happened
API or the Application Programming Interface is a software intermediary that allows two applications to talk to each other. When you use apps like Facebook, order food using Grab Food or check your enrollment details in school, you are using API.
API works like a waiter in a restaurant. When you order, say, for example, Baked Alaska in the Cafe Ilang-ilang of the Manila Hotel, the waiter will inform the chef, the chef then will prepare the food for you and give it to the waiter. The waiter will then deliver the food to your table to enjoy. You don't need to know the recipe and the method of how Baked Alaska was prepared to become the most delicious dessert in the Manila Hotel. The waiter is the intermediary between you and the kitchen. That's how API works and using the same principle, that's how hackers exploited the system to gain access to sensitive information.
The unauthorized website was able to get additional information based on valid data like license number with a birthday or the 15 digit MV file number because of the misconfiguration in the API of lto.net.ph that holds the complete data of the driver's license and the vehicle information. When you input your details and click submit, lisensya.info will send it to the API endpoint of lto.net.ph and would ask for additional details about the valid information that you sent. The website lto.net.ph then would check the database and if it finds a match it would reply to your query with details found in its system. Lisensya.info will then save this information, thereby getting a copy of the driver's license info and motor vehicle details. The last count before the owners of lto.net.ph deactivated the site was 9,952 driver's license details and 19,406 motor vehicle data including make, plate number, engine number, chassis number, registration expiry, owner, and whether the vehicle is a private or public utility vehicle.
What went wrong
The Land Transportation Office (LTO) denied that the data leak, which the National Privacy Commission (NPC) is investigating came from the current web portal the agency is using for its Land Transportation Management System or LTMS.
LTO said the website they are currently using for the LTMS is portal.lto.gov.ph, with “.gov.ph” as the standard domain suffix the Philippines uses for all government agencies. The website involved in the data breach is “lto.net.ph.”
The transportation agency further denied LTO's liability and said that a certain Jefferson E. Tronco of Stradcom Corporation registered the domain lto.net.ph
So how did lto.net.ph got the official data from LTO? I asked one of the country's top cybersecurity professionals, AJ Dumanhug about this and he showed me a file from the LTO website.
Memorandum Circular No. 2020-2181 issued on May 9, 2020 with a subject "Implementation of the new Land Transportation Management System (LTMS)" states that:
The existing systems (Stradcom) shall be placed as backup and may only be used in cases such as critical and technical issues, system glitches, among others.
Since the new MVIRS (Motor Vehicle Inspection Reporting System) is still on the testing stage, the existing system (Stradcom) shall be used to process vehicle registration transactions for this reason.
If this is the case, LTO then knew the existence of Stradcom's system which is using lto.net.ph
The memorandum further states that:
The new LTMS shall run in parallel with the existing systems (Stradcom) for two (2) weeks to provide period of adjustments for the transition. Thereafter, all transactions must be processed ONLY in the LTMS. The Stradcom systems shall likewise be placed as backup and may be used in the event the aforesaid issues have been encountered.
Read the memo here https://www.lto.gov.ph/images/ISSUANCES/Memo_Circular/MC_2020-2181.pdf
Mr. Dumanhug pointed out that even if the LTO could be correct in saying that the data leak is not from the current web portal the agency is using for its LTMS, still the LTO has the responsibility to secure the data entrusted to them by the users.
I also asked a friend from the Privacy Commission about this and she asked me to read Chapter VI, Section 21 of The Data Privacy Act of 2012 that states "Each personal information controller is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation."
Also if the memorandum was followed, the services of Stradcom would have been terminated by June 2, 2020. The breach was discovered in November or five months after the two-week run was supposedly terminated.
For Rene Canlas, a Pinoy cybersecurity specialist and a DPO of a private company, the Land Transportation office should do the following immediately 1. Shut down the server and domain if it's still running or only make it accessible internally. 2. determine the scale of the data breach and if possible determine the identities of those affected. 3. inform the NPC and 4. Admit responsibility and announce these action plans to the public.
Again, while the LTO is passing the blame to Stradcom, the Data Privacy Act of 2012 says that it's the responsibility of the information controller to secure personal info even if it was transferred to a third party for processing. Former NPC executive Francis Acero said that they (the LTO) cannot excuse themselves from fault here by just passing on the blame to Stradcom.
Here are some the important points that we need to think about.
1) Thousands of sensitive personal information from the LTO was exposed.
2) The bad guys exploited the misconfigured API endpoints of lto.net.ph to siphon data.
3) While LTO passed the blame to Stradcom, the Data Privacy Act of 2012 is clear -- LTO is responsible for user data it collected.
4) The LTO gave Stradcom access when it tested the new LTMS, why is LTO blaming Stradcom?
5) The two weeks access given to Stradcom was not revoked, that's why it's still running in November when white-hat hacker and Secuna co-founder AJ Dumanhug found out about the exploit.
6) The LTO learned of the breach on November 5, and reported the incident to NPC on November 10. The NPC said, "The Commission shall be notified within seventy-two (72) hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred." Did the LTO violate the NPC rule for not reporting on time?
One more thing, the LTO needs to clarify why it is still using Stradcom when they have already terminated its service way back in 2013 after paying the 8-billion debt to the IT provider.
Lastly, as a security professional, I find this very disturbing. To test lisensya.info the security researcher needs real data to see how the system would react. What AJ Dumanhug did was search for the words "driver's license Philippines" on Google where he found a lot of driver's license photos shared on social media. Try it, you would be surprised, a high ranking transportation official would be one of the first photos you would see complete with full name and birthday.