Here's What We Know So Far About the DFA Data Breach
by Maria Romero, January 18, 2019 8:25am
Art by Dani Elevazo
The Department of Foreign Affairs (DFA) is facing backlash after acting assistant Elmer Cato replied to an inquiry about passport holders’ need to resubmit their birth certificates upon renewal.
DFA Secretary Teddy Locsin Jr. revealed through his personal Twitter account that the agency’s former data security contractor took all their security data: passport holders’ names, ages, addresses, photographs, signatures, and other identifying information.
Because previous contractor got pissed when terminated it made off with data. We did nothing about it or couldn't because we were in the wrong. It won't happen again. Passports pose national security issues and cannot be kept back by private entities. Data belongs to the state. https://t.co/8vsN96jqij
— Teddy Locsin Jr. (@teddyboylocsin) January 8, 2019
Locsin’s tweet drew backlash from netizens, who tagged him as incompetent for taking a serious national matter to Twitter. With this supposed data breach, concerned netizens have asked the foreign affairs bureau to take all the necessary actions to resolve the problem.
Meanwhile, in his statement on ANC on Monday, January 14, former DFA Secretary Perfecto Yasay Jr. said that Locsin could have been “misinformed” about the data breach issue as there was no data stolen. DFA’s previous contractor only “withdrew” their contract; they only made the data inaccessible since the agency had already awarded its passport production to a new company.
Yasay explained that in 2006, the DFA made a memorandum of agreement (MOA) with Bangko Sentral ng Pilipinas (BSP) for the procurement of machine-readable electronic passports (MREP) to modernize our system. BSP then awarded the main project to Francois-Charles Oberthur Fiduciaire (FCOF), a digital security company from France.
In 2015, the DFA awarded the new passport production to the government-controlled data security printer APO Production Unit Inc. (APUI), with a condition that no part of the contract could be subcontracted or passed to another private printer. However, APUI violated it by subcontracting the Filipino-owned private company United Graphic Expression Corporation (UGEC) for the management of passport production.
In his speech, Yasay reiterated that DFA officers may only want to use the alleged data breach to deflect attention from the bidding violation.
Essentially, two companies generate our e-passports; therefore, those two also may have access to our personal data. And that’s another reason this issue is way more serious than the DFA had disclosed.
Data is not run-away-able but made inaccessible. Access denied. But APO assured me they were able to access but not much use and parts corrupted. APO agrees with me that old passports are best evidence of identity and join me in despising those who don't agree with me. https://t.co/ln6blIwbIB
— Teddy Locsin Jr. (@teddyboylocsin) January 15, 2019
But in another tweet on Tuesday, January 15, Locsin said the blunder is not exactly a data breach, as the data are only inaccessible to them, not stolen. Many other high-ranking officials can learn from this failure not to take unconfirmed serious matters to social media, as it will only cause panic and unnecessary conclusions.
What can they possibly do with all the information?
In 2016, the Philippines took global headlines by storm when the Commission on Elections (COMELEC) website was breached, affecting around 55 million registered Filipino voters. In April 2018, Cambridge Analytica, a British political consulting firm, breached the data of millions of Facebook users, including 755,973 Filipino users. The scheme was also used in the Philippine elections.
According to a report by the South China Morning Post, the company helped then Davao Mayor Rodrigo Duterte by tailoring texts, emails, and social posts affecting voters’ decisions. And now that another breach may have taken place, concerned citizens are asking: What can they possibly do with all the information?
If a breach includes personal data, it is most likely to cause other serious harm such as:
- Stolen checks, ATM cards, and credit cards
- Fraudulent change of address
- Acquisition or misuse of Social Security number, passport, phone service, and driver’s license number
- False civil and criminal judgements
In this technology-dependent world, personal information is also used to tailor social media posts for you that may affect your decisions in the upcoming elections. And that’s just the tip of the iceberg.
With this current big government blunder, how can we trust them to push for a National ID system if they only resort to pointing fingers when something this big happens? In this technological era where data has become more important, all roads (and tweets) must lead to the DFA and other related companies taking accountability for this data mess.
Know Your Right to Data Privacy
Amid the DFA data breach, the Commission on Human Rights reiterates the importance of our right to privacy in preserving our dignity, as stated in the Data Privacy Act of 2012, the Universal Declaration of Human Rights, and the 1987 Philippine Constitution.
According to privacy law, organizations that hold a person’s personal data should observe and respect that person’s privacy rights.
ATM skimming, heedless disclosure on the Internet, phishing, and malware are data breaches people usually brush aside, thinking that they’re not as massive as the Cambridge Analytica blunder. So know your rights so that when this happens to you, you will know what necessary actions to take.
Meanwhile, Senators Risa Hontiveros and Antonio Trillanes III are seeking a senatorial inquiry on the issue.
A series of investigations is about to happen in the coming days, because only a Senate probe will assure the public that there was no breach or loss of data. ‘Til then, know your rights!