Jan 15, 2019

So, was our data stolen or not?

Foreign Secretary Teodoro “Teddy Boy” Locsin, Jr. dropped a bombshell on Twitter last week, warning about a private contractor who allegedly “took off” with the personal data of passport applicants after its contract with the government expired.

In a subsequent tweet, the secretary explained the contractor “got pissed when terminated” so “it made off with data.”

As expected, Locsin made traveling folks nervous and a flurry of questions from netizens followed. Among them was whether the department can assure passport holders of protection after their data was stolen. The secretary’s disturbing reply: “I don’t know.”

It did not help that Locsin or the Department of Foreign Affairs would not offer more details that would help passport holders create a more solid picture of the situation. Like, how many are the affected applicants?

No cut-off date was given. Are we supposed to understand that all those who applied between 2006 (when the government began producing machine readable electronic passports or MREPs) until the present are all victims of stolen data?

And there was no announcement from the DFA about efforts to control the damage. Only more tweets from Locsin, hinting that he intends to expose figures from the Arroyo and Aquino administrations who are responsible for the passport data mess and who are set to “launch a social media campaign against me.”

Another one goes: “I will autopsy the yellows who did the passport deal (while they are) alive…This is called evisceration.”

Cryptic messages hardly assuage doubts. Wouldn’t it have been better if the secretary just told us plainly what he knows?

Albert del Rosario, foreign secretary of the Aquino administration, dodged a potential politically motivated word war with Locsin, saying he is confident the secretary “will be successful” in efforts to address the situation.

His successor Perfecto Yasay, Jr., President Duterte’s first appointee to the DFA post, offered information that made things curiouser, so to speak.

He recalled that during the time of President Gloria Arroyo, the DFA and the Bangko Sentral ng Pilipinas entered into an agreement in August 2006 to produce electronically readable passports as required by the International Civil Aviation Organization.

The France-based Francois-Charles Oberthur Fiduciaire (Oberthur) won the bidding. Nine years later, under then President Noynoy Aquino, the DFA awarded the production of a new e-passport system to APO Production Unit Inc., a government printer, “without bidding on condition that no part of the contract can be subcontracted or assigned to a private printer,” Yasay said.

He added that APUI “engaged the services” of the privately-owned United Graphic Expression Corp. (UGEC) for the production of new e-passports “in violation of this condition.”

Yasay asked Locsin to focus on “certain (DFA) officials” out to distract the incumbent secretary from investigating the lack of public bidding.

But while Locsin threatened his supposed opponents, authorities from other government bodies did their best to provide a more objective picture.

Philippine National Police director general Oscar Albayalde expressed willingness to help the DFA find the culprits, agreeing with fears of a “national security threat” if the issue is left unattended. Except that the PNP cannot investigate motu proprio (“of his own motion”). Malacañang, on the other hand, ordered the National Privacy Commission to start digging.

Albayalde told a reporter data loss is a possible threat (“puwede,” he said) to national security given the volume of information taken from the department.

“Not only the threat to national security but also the threat (to) our identities,” the PNP chief added, apparently referring to identity theft.

Presidential spokesperson Salvador Panelo also magnified the possible dangers of lost data and said the privacy commission was tasked to investigate whether provisions of the 2012 Data Privacy Act have been violated.

Malacañang also described the situation as a “serious and grave matter.”

The political opposition has joined in with Sen. Risa Hontiveros calling for a Senate investigation.

Note at this point that the Philippines’ government websites have exhibited their vulnerability to hackers since government offices began creating websites.

The most serious, so far, was the supposed hacking of the Commission on Elections database around the time of the 2016 election, exposing the data of voters throughout the country.

Which raises the question: despite Locsin’s tirade against his enemies, should we not be more concerned about the government’s apparent unpreparedness for such attacks?

The passport data issue may not involve multi-billion government funds (unless proven so) but one can imagine the possible magnitude of data theft that leaves all passport holders at the mercy of harmful parties.

Despite current assurances that no data breach was committed, this ongoing saga makes us realize how all who submitted their data to the DFA could be vulnerable to potential criminal activity like identity theft and credit card fraud.

The less-than-solid response we are getting from government entities at this point also makes us very doubtful about how the state that is supposed to protect us will eventually respond to a concrete threat in the future.

At this point, citizens can only do so much to protect themselves. Most of it involves common sense like being jealous of one’s personal details.

This means not sharing one’s information with just about anyone, especially unknown phone callers offering this or that credit card promo and arming oneself with knowledge about data privacy and protection.

Also simple stuff like not giving away one’s PIN for an automated bank card or basing one’s PIN on obvious figures like birth or anniversary dates. Changing your security questions to those that require information unavailable on your official documents may also help. (But be sure not to use questions with subjective or easily-changing answers, like your favorite color or food.) After all, are hackers not entitled to the most difficult challenges in their attempts to decipher what is ours?

Being smart about our private stuff is probably the best protection we have now, especially with a government that has yet to prove it is intelligent, alert, and responsive enough to do the job.

Because in the meantime, in the absence of solid proof that our passport details remain safe, there is a trove of potentially profitable data that might go into the wrong hands anytime now.



Read more by Cathy Cañares Yamsuan:
