Data of thousands of IDs become searchable on Google – reports
The Philippines’ Foreign Ministry has disabled its passport application tracking portal, after reports that thousands of applicants’ details had somehow become visible in Google searches.
In a statement on its website, the Department of Foreign Affairs’ (DFA) said on Wednesday that it had taken down the online passport tracker and all its sources to “avoid further data broadcasting.”
The portal, which was launched in September and was still off-air as of Friday, allows applicants to view the status of their passport application. The DFA said its IT department was investigating how the incident had occurred, adding that an internal audit would be conducted to prevent repeat incidents.
According to local media outlets, a “misconfiguration issue” was behind the leak of thousands of users’ personally identifiable information. The Manila Bulletin paper reported on Tuesday that it had been contacted by an individual who had stumbled across the data while conducting a Google search.
After clicking a search result, the person was reportedly redirected to the portal’s blank tracking system form. He told the paper the privacy issue appeared to have stemmed from the developers’ “hard-coding” of sensitive information, which allowed anyone to access the data using a regular web browser.
The individual also criticized the developers for having apparently used Microsoft Excel spreadsheets as a database, which Manila Bulletin described as not being “sound programming practice.” Another issue raised by the paper was the inclusion of a publicly available authentication key that allowed anyone to access the data in the spreadsheets.
Besides alerting the DFA, the paper said it had notified the country’s National Privacy Commission about the possible large-scale data leak. The DFA statement stated that it was working with the watchdog to resolve the issue.
In May, media outlets reported that some 345,000 sensitive court documents from the Philippines’ Office of the Solicitor General had been freely available online for at least two months. The information reportedly “could have been accessed by anyone who knew where to look.”