
‘Proud Makatizen’ leaks: Over 39.7 GB of Filipinos’ data including passports, bank accounts exposed

A misconfiguration on the Amazon Web Services (AWS) S3 bucket of the website ‘Proud Makatizen’ (https://proudmakatizen.com/) has exposed over 620,000 files totaling 39.7 GB, affecting over 300,000 Makati residents.

According to a report from the VPN Mentor research team, led by Noam Rotem, the team discovered the data breach on the Proud Makatizen website, which was used as an online portal for Makati residents during the COVID-19 pandemic.

Through the portal, residents had to upload sensitive documents to verify their individual records in order to sign up for vaccinations, financial support and more. These included passports, bank documents, and medical reports, among others, which, according to VPN Mentor, could potentially be used for phishing, privacy violation, and identity theft.

Data Breach Summary (from VPN Mentor’s report)

Company/Org.: Makati city’s government, specifically the website ProudMakatizen.com
Headquarters: Makati, Philippines
Industry: Public Sector
Size of data in gigabytes: 39.7 GB
Suspected no. of files: Over 620,000
No. of people exposed: Around 300,000
Date range/timeline: May 2020 – April, 2022
Geographical scope: Residents of Makati, Philippines
Types of data exposed: ID cards; personal medical and financial information
Potential impact: Phishing, privacy violation, and identity theft
Data storage format: AWS S3 bucket

VPN Mentor’s team stated that Proud Makatizen did not implement sufficient security measures. The research team added that anyone with technical skills would have been able to access hundreds of thousands of files.

“In this case, Proud Makatizen was using an Amazon Web Services (AWS) S3 bucket to store data collected from the public through its various activities. S3 buckets are a popular enterprise cloud storage solution. However, it is up to the users to properly define the security settings to protect any data stored therein.

“Proud Makatizen failed to implement appropriate security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser and technical skills,” it added, as per a report emailed to The Filipino Times.

Immediate action

When the team discovered the breach, they got in touch with the Philippines’ CERT (Computer Emergency Response Team) to notify it and offer their assistance. The two teams then worked together to secure the AWS S3 bucket.

“We disclosed the URL leading to the unsecured server and provided further detail about what it contained. We received regular communication with Philippines CERT until they were able to complete their report and send it to the City of Makati. The AWS S3 bucket was secured shortly after,” read the report.

However, the Philippines’ National Privacy Commission (NPC) clarified that “a system vulnerability does not automatically mean there is a personal data breach,” as per a report from Rappler.

The Filipino Times has reached out to the City Government of Makati regarding this matter.

Neil Bie

Neil Bie was the Assistant Editor for The Filipino Times, responsible for gathering news that will resonate among OFW readers in the UAE, Philippines, and around 200 countries, where the platform reaches both Filipinos and worldwide audiences. Get in touch with Neil on Facebook (Neil Bie) or by sending a message to the Facebook page of The Filipino Times at: https://www.facebook.com/FilipinoTimes/
