A failure of governance

"What really happened in the passport snafu?"


The tangled web of the passport data mess continues to unravel, showing that government has not learned its lessons from past mistakes.

Recently installed Foreign Affairs Secretary Teodoro Locsin Jr. claimed on Twitter last week that a “former contractor” had run off with passport applicants’ personal data. He blamed persons on the other side of the political fence, adding that he would “autopsy alive” the “Yellows who did the passport deal.”

Others with knowledge of the issue weighed in. Former foreign secretary Perfecto Yasay Jr. said former contractor Oberthur did not steal any data. Current passport printer APO Production Unit, Inc. (APUI) chairman Michael Dalumpines agreed, saying “Passport data are with us,” and “all data were all in those [Oberthur] equipment turned over to us by Bangko Sentral.”

Sundry politicians called for an investigation. Philippine National Police Director General Oscar Albayalde called the snafu a “national security threat,” and rightly so.

Among the data that passport applicants give DFA are name and address, date and place of birth, marriage certificates, birth certificates, and signature. The personal details on these documents can be used to answer security questions on bank apps, commit credit card or other fraud, harass, bully, or doxx someone, and whatever else evildoers can think up.

This is not the first time that government has lost data through its own fault. Remember ‘Comeleak’?

On March 27, 2016, two months before the national elections, Anonymous Philippines hacked the Comelec website to post a message about the security of the vote-counting machines. The next day, LulzSec Pilipinas leaked online the Comelec database of over 70 million registered voter records.

“It is considered the biggest leak of personal data in Philippine history, and among the biggest breaches of a government-held database in the world,” wrote Rappler’s Michael Bueza.

This infernal incident was followed on Jan. 11, 2017, by another potential data breach when burglars made off with the computer of the Wao, Lanao del Sur election officer. The machine contained a copy of the national list of registered voters (NLRV) of about 55 million voters.

The file was said to have been encrypted, but almost any encryption can be cracked by a talented enough hacker.

The National Privacy Commission, which investigated both incidents, found out that all Comelec field offices keep their own copies of the NLRV, which at the time held the personal data of about 55 million voters.

At the time, NPC Chairman Raymund Liboro said, “This breach illustrates that there are many ways to lose personal data. That is why data protection is not only an IT security issue involving firewalls. It’s a governance matter that covers organizational and physical measures to protect data.”

The agency will investigate this latest data breach to find out whether the Data Privacy Act of 2012 was violated in relation to the personal information of passport holders and applicants.

As Liboro said, these incidents are issues of governance. Good governance means using best practices to administer a service or program properly and efficiently with due care given to security and safety. It means allocating resources to create and implement the “organizational and physical ways” he mentioned to safeguard data.

What many don’t realize is that data is an asset, a resource that must be protected, particularly when it belongs to other people. Citizens use a state’s services trusting that their information will be kept safe. Our government, regardless of who is in power, has shown that so far it cannot be trusted with our personal data.

And even if we haven’t heard that the leaked information was used, it is still out on the internet somewhere, with the potential for its misuse a dangling sword of Damocles.

We are left with many questions. What really happened with the passport contractor deal? Will Locsin be the one to straighten out this and other messes at the DFA? Will other agencies that collect personal data—SSS, GSIS, PhilHealth, BIR, to name a few—now double-check and strengthen their own information technology security measures?

Will our government ever learn?

Dr. Ortuoste is a writer and researcher. FB and Twitter: @DrJennyO
