Following the discovery of serious privacy and security flaws in the 1SAMBAYAN membership app (1Sama Ako) last weekend, a Statement on the 1Sama Ako Data Breach was issued by Br. Armin Luistro, FSC, 1SAMBAYAN Convenor/Head of Membership Committee.

According to Br. Armin, upon receipt of information related to the data breach last Saturday, 12 June 2021, the system was immediately placed in maintenance mode to prevent further access to their data. He added that the culprit was the API (Application Programming Interface) used for the app’s latest version and has been patched already. The former DepEd Secretary also said that the “hacker” (the guy who disclosed the data breach through Manila Bulletin’s Tech News Editor Art Samaniego) was a professional with malicious intent.

I tried installing the 1Sama Ako app on my spare Android device Monday afternoon, but the sign-up/create an account page is no longer functioning properly. The app was created by a certain Creative Synergy, Inc. (whose website defaults to a non-HTTPS version), the same people behind the Too Close social distancing app, FMA – Know Your Rights app and the V4Leni app. Google search points to Vicente “Enteng” Romano III as the CEO of Creative Synergy, Inc. Romano served as Tourism Undersecretary during the last Aquino administration. He resigned after assuming responsibility for the “Pilipinas Kay Ganda” controversy.

On the same statement, 1SAMBAYAN asked interested volunteers to download the Membership Application Form from their website https://1sambayan.org with instructions to send accomplished forms to an email address.

This archaic approach to encourage volunteer sign-ups made me think if the IT people behind the coalition thought of using Google Forms or Microsoft Forms instead of asking people to download an Excel worksheet, fill it up, and send it back to them via email. Haven’t they thought that this could more of a potential cybersecurity nightmare on their part?

Also, where can we find the Privacy Policy or Privacy Statement related to this data collection process? Where will the information collected be used? Just asking for a friend.

My Take on the 1SAMBAYAN Website

First and foremost, this is not something political from my side. I have high respect for some of the people behind the coalition. It is part of my advocacy to promote online privacy, security, and safety.

Surfing to the 1SAMBAYAN website (or to any website), the first thing I check is what the EFF Privacy Badger (install it as an add-on in your favorite web browser) has blocked. For this website, it has blocked one (01) potential tracker – Google Analytics.

Whoever is the acting Data Privacy Officer (DPO) of 1SAMBAYAN should ensure that things like advising website visitors, especially those who will accomplish their membership application form, on what kinds of data are to be collected, processed, stored, and for which valid purpose is the data collection being done.

All the best to our friends at 1SAMBAYAN.