Connect with us

Hi, what are you looking for?


‘Thoughtless’ flaw on DFA website leaves thousands vulnerable to phishing attacks — cybersecurity expert


By Patricia B. Mirasol

Thousands of passport applicants are vulnerable to phishing attacks due to data privacy issues discovered on Nov. 9 in the online passport tracker of the Department of Foreign Affairs (DFA).

“Identity theft may lead to social engineering attacks,” said Dax L. Labrador, founder of ROOTCON, the largest hacking conference in the Philippines. “To combat this, be vigilant for any suspicious call, SMS [text], and/or email as you are now a soft target of social engineering attacks.”

He added that saving a massive amount of personal information, including mobile numbers and full names, on a flat spreadsheet was “a very thoughtless approach” on the DFA’s part.

Flat files, which store a single record per line, are “less secure than their relational counterparts” according to cybersecurity experts.

Continued Mr. Labrador: “The best implementation would have been to record such data on a secure database server, giving access to queries only coming from legitimate sources.”

In a Nov. 10 press statement, the DFA announced that it had taken down the Online Passport Tracker and all its data sources to avoid further data broadcasting.

Its IT (information technology) unit, the agency said, is “currently investigating the circumstances surrounding this issue and is taking appropriate measures to secure the data that may have been exposed. An internal audit will also be conducted to prevent similar incidents from happening in the future.”

According to Mr. Labrador, organizations should take a proactive approach to stress-testing their online facilities instead of being reactive.

Proactive organizations hold preventive prelaunch risk exposure assessments, including a code review and VAPT (vulnerability assessment and penetration testing, which addresses cybersecurity vulnerabilities).

Reactive organizations, meanwhile, are ticking time bombs waiting to blow up.


The flaw in the DFA’s passport tracking system flaw was brought to the attention of BusinessWorld on Nov. 9 by a DevOps (or development and operations) specialist from a private firm who requested anonymity.

“Ingat muna [Take care]. I already reported this to the DFA,” said the DevOps specialist on Tuesday. “Meron mas malala dyan [There’s something worse]; they can see your mobile numbers too.”

The data, together with the full names of each passport applicant, were accessible through the said government agency’s online passport tracking system, which is still offline as of press time.

Using secure API (application programming interface) endpoints, according to the DevOps specialist, can help the DFA better manage its sensitive data. APIs are access points that allow applications to communicate with one another.

“Make use of session locking. Make it hard for people to brute force the system on queries,” he told BusinessWorld in a LinkedIn message. Brute force involves guessing different password combinations until the right one is hit.

This is not the first data privacy concern faced by the DFA.

In 2019, the National Privacy Commission (NPC) conducted an investigation on the agency’s assertion that a former contractor made off with passport data after its contract was terminated.

Your information is secure and your privacy is protected. By opting in you agree to receive emails from us. Remember that you can opt-out any time, we hate spam too!



The National Government’s outstanding debt reached a record P13.75 trillion as of end-February. — REUTERS/THOMAS WHITE/ILLUSTRATION By Keisha B. Ta-asan, Reporter THE NATIONAL Government’s...


Laborers work at a construction site in Manila, Philippines, Nov. 17, 2016. — REUTERS/CZAR DANCEL STATE SPENDING on infrastructure rose by 13.4% in 2022,...


A view of Metro Manila. — PHILIPPINE STAR/WALTER BOLLOZOS BUSINESSES NOW have a more optimistic economic outlook this year, amid a return to pre-pandemic...


SEVERAL former government officials are opposing the plan to merge Landbank of the Philippines (LANDBANK) with the Development Bank of the Philippines (DBP), saying...


MONDE NISSIN CORP. suffered a net loss of P13.03 billion in 2022, a reversal of its P3.12-billion net income a year earlier, due to...


THE 68-MW “Garcia 2” Solar Project, located in the municipality of Currimao in Ilocos Norte. — VENAENERGY.COM MGEN RENEWABLE Energy, Inc. (MGreen) is keen...

You May Also Like


COVID-19 has had a significant impact on the mental health of Filipinos across different groups all over the archipelago. From frontline workers, parents balancing...


REUTERS By Luz Wendy T. Noble, Reporter The country’s foreign exchange buffers slightly increased as of end-October as the value of the central bank’s...


BW FILE PHOTO GROSS BORROWINGS by the National Government reached P2.6 trillion as of end-September as it continued to raise funds to respond to...


KARASOLAR.COM TENA, Ecuador — Ecuador’s rainforest Achuar people say their ancestors long dreamed of a “fire canoe” or “electric fish” that would let them...

Disclaimer: Respect, its managers, its employees, and assigns (collectively "The Company") do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice. The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.

Copyright © 2022 Respect Investment. All Rights Reserved.