PHILIPPINE LAWBYTES 130: WARNING: The PAG-IBIG HDMF Website and the PAG-IBIG Fund Chat Site are NOT SECURE, copyright by Dr. Atty. Noel G. Ramiscal

In the onslaught of typhoon Maring, I decided to brave the rising waters in Calamba at 5 in the morning to go to the MCLE seminar series for my lecture to the PAG-IBIG HDMF lawyers at Petron Mega Plaza last September 12, 2017, so as not to be late. On the way, I was informed by a UP IAJ person that they will have to confirm with PAG-IBIG if the MCLE lectures would proceed since government agencies’ operations had been suspended by Malacañan. I could not get out of the bus and turn back to my home which would be more than 40 kilometers away in the gusty rain. We were stranded for almost four hours at the South Expressway particularly in the portion where the Alaska plant is located, where the waters have risen alarmingly high. Fortunately, PAG-IBIG decided to go on with the seminar and I kept affirming for the waters to recede so that the traffic would ease up. The Supreme Being heard my prayers and we arrived safely at the venue.

For my lecture on “Operationalizing Data Privacy and Security Requirements under the Data Privacy Law”, I decided to focus on PAG-IBIG HDMF’s online sites, programs and social media accounts. Since their Chief Information Security Officer (who is an IT person) was not present at this lecture for lawyers, I could not do an informal audit of the PAG-IBIG’s IT policies and practices that have legal repercussions. Instead, I apprised the lawyers present of several technological and legal measures their agency must undertake to secure the personal information of their clients that reside in their website or online repositories.

One of the highlights of my lecture is my presentation of the state of insecurity of several government and GOCCs’ websites. As for the PAG-IBIG, I showed two websites of concern. The first is the general website of PAG-IBIG HDMF which was deemed by three browsers: Internet Explorer, Mozilla Firefox and Google Chrome to be insecure. Using the techniques I employed in my GSIS exposés, I present photographic evidence I took here:

The Internet Explorer browser’s “Properties” reveals that the PAG-IBIG home site is not encrypted.

The PAG-IBIG HDMF website is not encrypted, according to Internet Explorer, photo taken by Dr. Atty. Ramiscal

Clicking on the “Certificates” icon shows that this site does not have a digital security certificate.

The PAG-IBIG HDMF website has no digital security certificate, says Internet Explorer, photo taken by Dr. Atty. Ramiscal

As for Google Chrome, the browser reveals that this website does not have a secure connection.

The PAG-IBIG general website is not secure, says Google Chrome, photo taken by Dr. Atty. Ramiscal

I tried to connect to the online services in the PAG-IBIG website and Google Chrome prevented the computer I am using from accessing it with the message that “(a)ttackers might be trying to steal” my information, since the site has no private connection:

Google Chrome's assessment that "attackers might be trying to steal your information" when you log into the insecure online services available at the PAG-IBIG site, Photo by Dr. Atty. Ramiscal

The Mozilla Firefox browser reveals that the PAG-IBIG site has no secure connection.

The PAG-IBIG home site has no secure connection as revealed by Mozilla Firefox, photo taken by Dr. Atty. Ramiscal

Furthermore, the Mozilla Firefox browser reports that the PAG-IBIG HDMF site is NOT ENCRYPTED.

The PAG-IBIG home site is not encrypted according to Mozilla Firefox, photo taken by Dr. Atty. Ramiscal

The significance of these warnings is that the PAG-IBIG site, as it is, at the time I lectured (September 12, 2017) and at the time I published this article (September 18, 2017), is not secure from hackers. Not only can the personal information of those who log in on its website potentially be hacked, but the information contained in its website can also be defaced or even changed by hackers, resulting in more than ordinary mischief.

But the most disturbing thing I discovered is that the PAG-IBIG Fund chat site which is supposed to be supported by Telephilippines is NOT SECURE! This chat site records the conversations between PAG-IBIG members and whoever is at the PAG-IBIG end of this site.

The Internet Explorer browser’s “Properties” shows that this site is not encrypted.

The PAG-IBIG Fund chat site is not encrypted, says Internet Explorer, photo taken by Dr. Atty. Ramiscal

The Google Chrome browser shows that this site does not have a secure connection.

Google Chrome reports that the PAG-IBIG Fund chat site is not secure, photo taken by Dr. Atty. Ramiscal

The Mozilla Firefox browser reveals that the connection to this site is not secure.

Mozilla Firefox's finding that the PAG-IBIG chat site connection is not secure, photo by Dr. Atty. Ramiscal

The Mozilla Firefox also reveals that the whole chat site is NOT ENCRYPTED!

Mozilla Firefox revealing that the PAG-IBIG chat site is not encrypted, photo by Dr. Atty. Ramiscal

The import of these is that any PAG-IBIG member who logs in their name, email address and telephone number on the chat site could have these pieces of personal information stolen from them and utilized for notorious or nefarious purposes by hackers.
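A site owner can check for the exposure described above by auditing a page for forms that collect personal data while the page or the form target is served over plain HTTP. The following is an added example, not part of the original article; the host `chat.example.test`, the sample markup, and the field-name hint list are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input types and name fragments that suggest personal data (an assumed list).
SENSITIVE_TYPES = {"password", "email", "tel"}
NAME_HINTS = ("name", "email", "phone", "mobile")

# Constructed sample: a chat sign-in page served over plain HTTP (not the real site).
SAMPLE_URL = "http://chat.example.test/start"
SAMPLE_HTML = """
<form action="/session" method="post">
  <input type="text" name="fullname">
  <input type="email" name="email">
  <input type="tel" name="phone">
  <input type="submit" value="Start chat">
</form>
<form action="/search"><input type="text" name="q"></form>
"""

class FormAudit(HTMLParser):
    """Record every <form> with its action and the personal-data fields in it."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "textarea") and self._cur is not None:
            name, kind = a.get("name", "").lower(), a.get("type", "text").lower()
            if kind in SENSITIVE_TYPES or any(h in name for h in NAME_HINTS):
                self._cur["fields"].append(name or kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def plaintext_form_findings(page_url, html):
    """Return forms whose personal data would cross the network unencrypted."""
    parser = FormAudit()
    parser.feed(html)
    page_plain = urlsplit(page_url).scheme != "https"
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])  # empty action posts to the page
        if form["fields"] and (page_plain or urlsplit(target).scheme != "https"):
            findings.append({"target": target, "fields": form["fields"]})
    return findings
```

Calling `plaintext_form_findings(SAMPLE_URL, SAMPLE_HTML)` flags the chat form and skips the search box; a form on an HTTPS page is still flagged when its action points at an `http://` target.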

What is also of concern here is that when I asked the over 50 lawyers present if they knew about this, or even the existence of the PAG-IBIG Fund chat site, all of them apparently had no idea that this chat site existed. This is the tragedy of PAG-IBIG. It is even bigger than the GSIS because all Philippine employees in the private and public sector are supposed to be part of this Fund. Since it has grown so huge, keeping tabs on all the technological measures and programs they maintain, and anticipating, analyzing and addressing the legal issues they pose has become a daunting challenge.

It was clear that no lawyer present in my MCLE lecture even reviewed the Service Level Agreement (SLA) that PAG-IBIG had with Telephilippines. I did some perfunctory investigation, and it appears that Telephilippines is connected with Teleperformance which has had a very active presence in the Philippines for many years.

Teleperformance has two policies that are crucial here.

The first is its “Legal Statement” which provides in part:

We implement technical and organizational security measures to protect the data we are managing against accidental or deliberate manipulation, against data loss or destruction, and against access to these data by unauthorized persons. Our security measures are constantly updated as technology advances.

The second is its “Privacy Policy” which states:

Information Security. Safeguards must be placed to protect Personal Data which safeguards may include physical and environment security such as facilities, workstation and integrity access control; computer security such as security devices and encryption; employee security awareness such as new hire and annual training. Every Teleperformance Company must implement a risk assessment and must be accountable for the organizational, policies and procedures and documentation requirements.

It is difficult to draw conclusions at this stage because no lawyer and no one present during my lecture could tell me anything about the SLA between these two. But as the support of the PAG-IBIG Fund on this chat site, at the very least, Telephilippines/Teleperformance should have warned or apprised the PAG-IBIG HDMF Fund administrators of the necessity of securing and encrypting this chat site, as their policies clearly made them aware of the dangers of having e-data breached!

To their credit, the PAG-IBIG HDMF lawyers acknowledged my findings and took my comments graciously. They had focused so much on the financial risks of the PAG-IBIG Fund, it is only now that they are grappling with the IT risks.

When I opened the PAG-IBIG HDMF website today on different computers, there was an announcement that their online services are undergoing “maintenance”. This is probably a sign that some of the lawyers took my findings seriously and reported these to the pertinent officials who took down the online services. As I told them during my lecture, I only have the best of intentions in sharing my findings with them because I too, am a PAG-IBIG member, and I have a great interest in seeing that the PAG-IBIG HDMF protect the personal information of all their members.

I trust that my lecture and my findings will actually result in PAG-IBIG HDMF Officials, BOT members and management reassessing and remedying their website and other online services they offer to their members in terms of online security and data privacy, taking into account the decision of the NPC relative to the COMELEC e-data breach, and how that is being used in the current impeachment measures against the current COMELEC Chair. PAG-IBIG officials and management should learn this lesson as fast as they can, even if it’s already four years too late, or else their heads might be on the next chopping blocks carved by NPC.