A misconfiguration on the Amazon Webservices S3 Bucket of the website ‘Proud Makatizen’ (https://proudmakatizen.com/) has exposed over 620,000 files totaling 39.7 GB, affecting over 300,000 Makati residents.
A report from the VPN Mentor research team led by Noam Rotem discovered the data breach from the Proud Makatizen website, which was used as an online portal during the COVID-19 pandemic for Makati residents.
Through the portal, the residents had to upload sensitive documents to verify their records as individuals to sign up for vaccinations, financial support and more. These included passports, bank documents, and medical reports, among others which according to VPN Mentor, could potentially be used for phishing, privacy violation, and identity theft.
Data Breach Summary (from VPN Mentor’s report)
| Company/Org. | Makati city’s government, specifically the website ProudMakatizen.com |
| Headquarters | Makati, Philippines |
| Industry | Public Sector |
| Size of data in gigabytes | 39.7 GB |
| Suspected no. of files | Over 620,000 |
| No. of people exposed | Around 300,000 |
| Date range/timeline | May 2020 – April, 2022 |
| Geographical scope | Residents of Makati, Philippines |
| Types of data exposed | ID cards; personal medical and financial information |
| Potential impact | Phishing, privacy violation, and identity theft |
| Data storage format | AWS S3 bucket |
VPN Mentor’s team stated that Proud Makatizen was not able to implement sufficient security measures – so much so that the research team added that anyone who has technical skills would be able to access hundreds of thousands of data.
“In this case, Proud Makatizen was using an Amazon Web Services (AWS) S3 bucket to store data collected from the public through its various activities. S3 buckets are a popular enterprise cloud storage solution. However, it is up to the users to properly define the security settings to protect any data stored therein.
“Proud Makatizen failed to implement appropriate security measures on its S3 bucket, leaving the contents totally exposed and easily accessible to anyone with a web browser and technical skills,” it added as per a report emailed to The Filipino Times.
Immediate action
When the team discovered the breach, they got in touch with the Philippines’ CERT (Computer Emergency Response Team) to notify and offer their assistance. The two teams then worked together to secure the AWS S3 bucket.
“We disclosed the URL leading to the unsecured server and provided further detail about what it contained. We received regular communication with Philippines CERT until they were able to complete their report and send it to the City of Makati. The AWS S3 bucket was secured shortly after,” read the report.
However, the Philippines’ National Privacy Commission (NPC) clarified that “a system vulnerability does not automatically mean there is a personal data breach,” as per a report from Rappler.
The Filipino Times has reached out to the City Government of Makati regarding this matter.
