300k residents’ data from Makatizen portal left exposed; LGU assures no data breach
MANILA, Philippines — The data of over 300,000 residents in the Makati City government's COVID-19 portal has been compromised because of a vulnerability in the website, according to a cybersecurity firm.
VPNMentor Research Lab reported the breach on Wednesday, July 6, saying Proud Makatizen had not protected its S3 bucket.
Among the data leaked are documents like passports, medical prescriptions, senior citizen IDs, financial documents, and health licenses. Over 620,000 files from individual users were exposed, according to the report.
"Proud Makatizen failed to implement appropriate security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser and technical skills," vpnMentor explained.
Makatizen's S3 bucket is cloud storage from Amazon Web Services (AWS). It is used to store data submitted by the website's users.
The vulnerability was first reported by the firm on March 31 to CERT-PH (Computer Emergency Response Team – Philippines) – a division under the Cybersecurity Bureau of the Department of Information and Communications Technology.
"Once we confirmed that Proud Makatizen was responsible for the data breach, we contacted Philippines CERT to notify them and offer our assistance. They replied quickly and asked us to provide more information. We disclosed the URL leading to the unsecured server and provided further detail about what it contained," the firm said.
CERT-PH sent the report to the Makati city government on April 4. The S3 bucket was secured three days later.
"Received regular communication with Philippines CERT until they were able to complete their report and send it to the City of Makati. The AWS S3 bucket was secured shortly after," they also said.
In a report, the National Privacy Commission (NPC) clarified that vulnerabilities in the system of a website do not equate to data breaches.
Both VPNMentor and the NPC also noted that the failure to secure an S3 bucket is a common global problem.
In a statement, Makati City spokesperson Michael Camiña assured the public that there was no data breach within the city's COVID-19 relief portal.
“There was no data breach with the data servers of the Makati City government. The subject system alleged to have been breached was a former development server containing fictitious test data. It is no longer online,” Camiña said in a statement.
“No actual personal data has been compromised,” Camiña added.
Impact of the breach
VPNMentor warned the public of the potential damages that the vulnerabilities of such websites could cause to organizations and individuals.
Some of the damages include possible fraud, identity theft, and phishing.
According to the firm, the weak security was caused by the hasty setup of online COVID-19 relief services, which were launched to provide relief without the needed security precautions.
"Failures like this erode public trust in the government and their services, which directly results in fewer people wanting to access these valuable services," they added.
NPC, CERT-PH, and the Makati City government have yet to respond to Philstar.com's request for comment on the alleged breach. —Intern, Christian Patrick Laqui