By Patricia B. Mirasol
(On Nov. 12, Foreign Affairs Assistant Secretary Eduardo R. Meñez said via text message: “Contrary to allegations, DFA does not utilize a program such as Microsoft Excel to store passport applicants’ data. The public is assured that their data is encrypted and stored in a highly-secure and complex database.”)
Thousands of passport applicants are vulnerable to phishing attacks due to data privacy issues discovered on Nov. 9 in the online passport tracker of the Department of Foreign Affairs (DFA).
“Identity theft may lead to social engineering attacks,” said Dax L. Labrador, founder of ROOTCON, the largest hacking conference in the Philippines. “To combat this, be vigilant for any suspicious call, SMS [text], and/or email as you are now a soft target of social engineering attacks.”
He added that saving a massive amount of personal information, including mobile numbers and full names, on a flat spreadsheet was “a very thoughtless approach” on the DFA’s part.
Flat files, which store a single record per line, are “less secure than their relational counterparts” according to cybersecurity experts.
Continued Mr. Labrador: “The best implementation would have been to record such data on a secure database server, giving access to queries only coming from legitimate sources.”
In a Nov. 10 press statement, the DFA announced that it had taken down the Online Passport Tracker and all its data sources to avoid further data broadcasting.
Its IT (information technology) unit, the agency said, is “currently investigating the circumstances surrounding this issue and is taking appropriate measures to secure the data that may have been exposed. An internal audit will also be conducted to prevent similar incidents from happening in the future.”
According to Mr. Labrador, organizations should take a proactive approach to stress-testing their online facilities instead of being reactive.
Proactive organizations hold preventive prelaunch risk exposure assessments, including a code review and VAPT (vulnerability assessment and penetration testing, which addresses cybersecurity vulnerabilities).
Reactive organizations, meanwhile, are ticking time bombs waiting to blow up.
The flaw in the DFA’s passport tracking system flaw was brought to the attention of BusinessWorld on Nov. 9 by a DevOps (or development and operations) specialist from a private firm who requested anonymity.
“Ingat muna [Take care]. I already reported this to the DFA,” said the DevOps specialist on Tuesday. “Meron mas malala dyan [There’s something worse]; they can see your mobile numbers too.”
The data, together with the full names of each passport applicant, were accessible through the said government agency’s online passport tracking system, which is still offline as of press time.
Using secure API (application programming interface) endpoints, according to the DevOps specialist, can help the DFA better manage its sensitive data. APIs are access points that allow applications to communicate with one another.
“Make use of session locking. Make it hard for people to brute force the system on queries,” he told BusinessWorld in a LinkedIn message. Brute force involves guessing different password combinations until the right one is hit.
This is not the first data privacy concern faced by the DFA.
In 2019, the National Privacy Commission (NPC) conducted an investigation on the agency’s assertion that a former contractor made off with passport data after its contract was terminated.