Misconfiguration in the DFA system exposes the data of thousands of users


The personally identifiable information (PII) of thousands of users is in danger of being exposed to the public because the Department of Foreign Affairs (DFA) deployed a misconfigured system for its tracking solutions.

The passport tracking system, CRD application, and pending application trackers of the DFA could expose the PII of users, including complete name, passport number, email address, and mobile number. The misconfiguration was accidentally found by John Dometita, who messaged us on FB. He was searching for someone on Google when he was redirected to the blank tracking system form of the DFA after clicking a search result. Dometita assumed that the page might have been loading data, or worse, that developers might have hard-coded sensitive information that would let people see user data. His assumption was correct. By just opening the developer tools in a normal browser, any user could access the PII of users in the DFA tracking systems.

The DFA passport tracking service looks harmless, but behind this peaceful facade is the information of thousands and thousands of users, which could be accessed by anyone.

"This is a clear sign of misconfiguration," says Manila Bulletin Data Security Officer Christian Niel Angel. He added that agencies processing sensitive information like the DFA should have a separate system where the applicants can track their passport status. It is not recommended to store sensitive data in spreadsheets as cases like this can happen, thus exposing the data. "What happened, I believe, is that there was no proper checking before the deployment of the DFA tracking systems," Angel added.

Using a spreadsheet as a database is not a sound programming practice. It is essential to have a secure way to store data, and Excel is not intended for that. John Dometita called out this DFA mistake and said that if developers insisted on using Excel as a database, they needed to remove the PII or minimize it.

Another problem that we found is that the API key is included in the request when users access the DFA tracking system. The publicly available API key allows anyone to access all the data in the spreadsheet. The system is also misconfigured in that it allows anyone to query all of the applicants' data.
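One way to address both problems described above, as an added example that is not the DFA's code or part of the original report: the credential stays on the server, and a lookup returns only the status for one exact tracking number. The names `DATASTORE_KEY`, `fetch_rows`, `lookup_status`, the tracking-number format, and the sample rows are all hypothetical and constructed for illustration.

```python
import os
import re

# Hypothetical: the data-store credential is read from the server environment,
# so it never appears in a request made by the visitor's browser.
DATASTORE_KEY = os.environ.get("DATASTORE_KEY", "")

# Constructed sample rows standing in for the backing spreadsheet.
ROWS = [
    {"tracking_no": "TRK-2024-000123", "name": "Sample Applicant A",
     "passport_no": "P0000000A", "email": "a@example.com",
     "mobile": "+630000000001", "status": "Ready for release"},
    {"tracking_no": "TRK-2024-000124", "name": "Sample Applicant B",
     "passport_no": "P0000000B", "email": "b@example.com",
     "mobile": "+630000000002", "status": "In process"},
]

TRACKING_RE = re.compile(r"TRK-[0-9]{4}-[0-9]{6}")  # assumed tracking-number format
PUBLIC_FIELDS = ("tracking_no", "status")           # allow-list: no PII leaves the server


def fetch_rows(key=DATASTORE_KEY):
    """Stand-in for the server-side read of the data store using the key."""
    return ROWS


def lookup_status(tracking_no):
    """Return only the allow-listed fields for one exact tracking number, else None."""
    if not isinstance(tracking_no, str) or not TRACKING_RE.fullmatch(tracking_no):
        return None  # rejects empty, wildcard, and partial input
    for row in fetch_rows():
        if row["tracking_no"] == tracking_no:
            # Copy only the public fields; name, passport number, email and
            # mobile number are never placed in the response.
            return {field: row[field] for field in PUBLIC_FIELDS}
    return None


if __name__ == "__main__":
    print(lookup_status("TRK-2024-000123"))  # one applicant's status only
    print(lookup_status("*"))                # a query for everything is refused
```

Because the response is built from an allow-list rather than by deleting sensitive columns, a column added to the data store later is not exposed by default.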

A Manila Bulletin reporter contacted the DFA about this incident. We are still waiting for their statement about the issue. We have also informed the National Privacy Commission about the possible exposure of the PII of thousands of users.