Many Filipinos were alarmed when they learned that a former contractor of the Department of Foreign Affairs (DFA) has “ran away” with the data of passport applicants. Foreign Affairs Secretary Teodoro Locsin, Jr. said that the passport maker was “pissed off” after its contract with the DFA was terminated.
“We are rebuilding our files from scratch because previous outsourced passport maker took all the data when contract (was) terminated,” Locsin said on Twitter.
“Because previous contractor got pissed when terminated it made off with data. We did nothing about it or couldn’t because we were in the wrong. It won’t happen again. Passports pose national security issues and cannot be kept back by private entities. Data belongs to the state,” Locsin added in another tweet.
Due to the private contractor’s actions, applicants who are renewing brown, green, or maroon machine-readable passports are now required to submit their PSA-issued birth certificates. Holders of e-passports issued after 2009 are not required to submit birth certificates during renewal.
DFA Assistant Secretary Albert Cato said that the department needs to capture and store the documents since it no longer has the physical copies. Before the introduction of the e-passport, the DFA required applicants to submit physical copies of birth certificates and marriage certificates.
Secretary Locsin, however, questioned the necessity of submitting birth certificates when renewing passports. “Isn’t the expired passport sufficient ID? How many times do you have to prove you are what the State declared you are in the expired passports?” Locsin asked.
In an interview with the ANC’s Hot Copy, former Foreign Affairs Secretary Perfecto Yasay, Jr. said that he doesn’t believe that the contractor stole passport data, and that Secretary Locsin may be misinformed about the supposed data breach.
Locsin later tweeted that there is “no leak so far” of the passport data that the contractor allegedly ran off with, but added that the data “is possibly hopelessly corrupted and at any rate inaccessible now or we are being lied to as usual.”
What Happened Before
The mess started in 2015 when the DFA hired APO Production Unit Incorporated to develop an e-passport system, on the condition that the company doesn’t get a private subcontractor. The company, however, hired a subcontractor, United Graphic Expression Corporation (UGEC), to produce the new passports.
Yasay said that the DFA hired APO despite the department’s existing contract with French company Francois-Charles Oberthur Fiduciare for the production of passports compliant with the International Civil Aviation Organization.
Locsin theorized that there is no data breach but that the French firm (Oberthur) deposited the passport data in a warehouse in Lipa “out of irritation” and refused to give the access codes, so the data could now be corrupted or inaccessible although it is already under APO.
Locsin vowed to identify the people behind the passport mess, claiming that the culprits are planning to launch a social media campaign against him.
The National Privacy Commission announced that it will conduct an investigation of the alleged passport data breach. “Any form of non-availability of personal data, infringement of the rights of data subjects, and harms from processing that include inconveniencing the public, must be adequately explained to the satisfaction of the law,” the NPC said. “We will summon the DFA and concerned agencies including the alleged contractor to determine the facts surrounding the case.”
The Commission on Human Rights, on the other hand, urged the government to identify and prosecute those accountable for the alleged data breach, saying that the passport mess “poses grave national security issues, especially since the said data contain sensitive, personal information of Filipino passport holders.”
Should Passport Holders Be Worried?
An IT expert warned that the reported passport data breach could lead to cases of identity theft. Jerry Liao said that the incident should be a cause for concern. He said that data could possibly be sold to the highest bidder or used for fraud and identity theft.
He said that the DFA committed a mistake when it provided access to the actual information of passport applicants to the private contractor. He explained that government agencies normally give dummy data to contractors.
Atty. Cecilia Soria, a data privacy lawyer, said that the impact of the incident depends on how much data that the contractor took.
“Think about it: They have your complete name, complete birth date, complete address, signature pa yata. Also passport number, assuming that passport has not expired yet,” Soria said, adding that the problem will worsen if the former contractor has the copies of birth certificates, since the documents contain sensitive information such as the names of the applicants’ parents.
So should passport holders and applicants have anything to be worried about?
Not according to Senate President Vicente Sotto III. Sotto said that while the incident is “annoying,” there’s nothing to be alarmed about. He expressed confidence that the DFA is on top of the situation, and also urged the contractor to return the data it allegedly ran off with.
Nevertheless, the supposed data breach is no laughing matter, and should be dealt with appropriately by the National Privacy Commission, the National Bureau of Investigation, the Commission on Human Rights, and other relevant authorities.
Even if the former passport maker has no intention to sell the data or use it for nefarious activities, there’s still a significant risk of a data leak. Numerous hackers and cybercriminals are waiting to pounce on any opportunity to steal data from unsecured and vulnerable sources. We can only hope that the former contractor and the DFA are taking the necessary steps to secure the data and prevent it from falling in the hands of people with bad intentions.
Based on the information provided by the DFA, it seems that most passport holders are not affected by the supposed data breach. The ones who are affected by the incident are holders of older Machine Readable Ready (MRRP) and Machine Readable Passports (MRP) issued before the introduction of electronic passports or e-passports in 2009.
DFA Assistant Secretary Elmer Cato explained that only e-passports are currently in circulation, and that the older MRRPs and MRPs have already expired by now. The only people who are still in possession of MRRPs and MRPs are those who have used their passports in the past but have never traveled since their passports expired.
Passport holders who have not traveled since 2014 (the year when passports issued in 2009 expired) are also affected by the incident, and are thus required to submit birth certificates when they renew their passports.
So if you already have an e-passport issued after 2009, then you have nothing to worry about.
