Ph: Privacy Commission summons operators of website that exposed car owners’ personal data
There’s an update to a data leak situation previously noted on this site. It’s always interesting to me to see how other countries handle privacy violations or data leaks. It looks like the NPC has the authority — and uses it — to order ISPs to block access to problematic web sites that violate privacy.
From the web site of the National Privacy Commission of the Philippines.
January 11 – The National Privacy Commission (NPC) is extending the cease-and-desist order (CDO) on lisensya.info following the failure of its owners and operators to counter privacy violation allegations the Commission received late last year that the website had breached personal information of Land Transportation Office (LTO)-registered motorists.
Google Safe Browsing recently detected phishing activities on lisensya.info.
The CDO was first served on Nov. 12 against respondents Jose Minao and Billy James Jimena, the website’s owners and operators, who were given until Nov. 22, 2020 to file a comment on the allegations and to present their defense, as provided by Section 12 of NPC Circular No. 20-02 or the “Rules on the Issuance of Cease and Desist Order.”
Lisensya.info provided a “Motor Vehicle Authenticator,” which, through the mere input of the motor vehicle file number by anyone, would show sensitive information, such as the make, plate number, engine number, chassis number, registration expiry date and name of the owner.
Netizens claimed the data the site provided were accurate, raising suspicions of a leak in LTO’s database as these were the types of information the LTO was collecting from motorists for registration. A total of 12.725 million vehicles were registered with the LTO in 2019.
Based on results of NPC’s initial investigation, lisensya.info had neither a privacy notice nor any contact details of its owner.
Lisensya.info associated itself with the LTO, but the agency assailed it for using the LTO logo on its website to establish a false connection with the transportation office.
“Ang lisensya.info website ay HINDI pinapatakbo o konektado sa ahensya ng LTO,” the transportation agency’s post on its verified Facebook page read. “Para sa kaligtasan ng lahat, huwag po tayong magbigay ng SENSITIBONG IMPORMASYON sa UNVERIFIED links o accounts.”
[Google translation of above: “The lisensya.info website is NOT operated or connected to the LTO agency,” the transportation agency’s post on its verified Facebook page read. “For the safety of all, please do not provide SENSITIVE INFORMATION on UNVERIFIED links or accounts.”]
Since the CDO was first served to lisensya.info, the website is no longer easily accessible to the public.
- The NTC issued a memorandum dated Nov. 16, 2020 directing Internet Service Providers (ISPs) to block access to lisensya.info. The memorandum was sent through electronic mail to various ISPs on Nov. 20 and 23, 2020. The Commission directed the ISPs to submit a report on their actions within five days from receipt of the memorandum.In a letter addressed to the NPC dated Dec. 21, 2020, the National Telecommunications Commission said that several ISPs, including PLDT, Smart Communications, Dito Telecommunity, InfiniVAN, Pipol Broadband and Telecommunications Corp., Philippine Telegraph & Telephone Corp., Apo Associated Radio Electronics & Communications Co., and Kabayan Cable TV Systems, had reported that lisensya.info “has already been blocked and will no longer be accessed by their subscribers.”
- As of Nov. 24, 2020, lisensya.info had already been flagged by Google and Firefox. Upon accessing the site through Google Chrome, users can see a security warning saying that Google Safe Browsing recently detected phishing activities on lisensya.info. Users, who choose to proceed accessing the website despite the security warning, will be directed to a YouTube video. The same happens when users use browsers without a security warning. Some users, upon accessing the website, are directed to a statement saying “lisensya.info’s server IP address could not be found.”
The CDO on lisensya.info and the Order extending the same are available on the NPC website, privacy.gov.ph.
As of this morning, the warning is still up if you try to access lisensya.info via Chrome: