The Freedom of Information website of the Philippines, where users can request government documents, is suspected of having been breached, and the data of users who previously used the site has been leaked.
According to a local columnist, Wilson Chua, the ID he used on the government website www.foi.gobv.ph was leaked and people can now search for it online using “eFOI ID.”
The National Privacy Commission (NPC) is looking into the possible “gaps” in the interface of the website that may have caused the leak, one of the agency’s commissioners said Saturday.
Mon Liboro, a commissioner from the National Privacy Commission, said that the agency is looking at the website’s interface because there might be some gaps in the design, “in a way the process was offered or uploaded.”
“It’s a case of our FOI frontliners, meaning the PCOO (Presidential Communications Operations Office), apparently overdid [the] transparency angle or aspect of this FOI service,” he said.
The commissioner gave assurances that his agency is looking at how the frontliners failed to secure the data.
Following a recent law on Freedom of Information, the FOI website allows Filipinos to request any data about government transactions and operations. A scanned copy of any government-issued identification card is required from anyone who seeks data through the website.
Liboro added that the attachment files, in this case the scanned copies of government IDs, have now been taken down but said that his office is still “measuring the extent of this incident.” An investigation is in place to determine the cause of the leak.
Nonetheless, the commissioner downplayed the extent of the data breach, saying that such incidents “do happen” when rolling out innovations.
“The PCOO is a very young organization. The FOI itself is a nascent concept that is being offered, so this part of the development. […] Sometimes, these gaps do happen. You don’t get it perfect on the first try. We learn from this incident,” he said.
OFFICIALS WILL BE HELD LIABLE
While the Department of Information and Communications Technology believes that the data leak is an isolated incident, the government agency, tasked to regulate anything related to information and communication technology including the internet, does not rule out the possibility that some of the government officials involved in the FOI website’s development and management will be held liable for the data leak.
“If there is really a breach, if there is really negligence on the part of the administration, then there are laws that will take care of that,” said DICT Assistant Secretary Allan Cabanlog.
As a response to the incident, many civil society groups questioned the need to require identification documents in FOI requests. The organization Democracy.net.ph believes that this part of the process is the ultimate reason for the breach – if the site does not require IDs, there are no IDs that would be leaked.
“Global best practice for FOI is that an ID is not required for FOI transactions, why is an identity required on requesting information from the government?” asked Pierre Tito Galla, co-founder of Democracy.net.ph.
Galla pointed out that government websites have standards that are “all over the place” and that “no one set standard, no policy in design being implemented.”
If the leak is indeed a data breach, the Philippines adds to a long list of governments that have experienced some sort of data leak and registry data breaches in recent years. Many tech experts have warned governments that they are targeted by a multi-national operation that is meant to collect data from their servers, which the hackers would eventually sell to the highest bidders.
Only recently, a group of hackers named Whitefly was named by a security research agency as being behind the infamous SingHealth data breach. The agency said that the attack on Singapore’s health insurance agency is part of a wider global operation that targets government institutions, telecom providers, energy companies, and other vulnerable organizations in South East Asia and Russian Territories.
A few weeks ago, cyber security researchers also discovered an exposed database that includes Chinese women’s identifiable data such as names, addresses, phone numbers, and “BreedReady” statuses that were generated from a municipal data registry in one of the towns in China. While the breach was eventually proven to be a university project, it still exposed the data of Chinese women without their consent.