The DFA Data-Breach Mess, Explained

Well, in as much as this big blunder can be explained.

Secretary of Foreign Affairs Teddy Locsin, Jr. stirred up a mighty pot this weekend when with apparent nonchalant he posted this:

Because previous contractor got pissed when terminated it made off with data. We did nothing about it or couldn’t because we were in the wrong. It won’t happen again. Passports pose national security issues and cannot be kept back by private entities. Data belongs to the state. https://t.co/8vsN96jqij

— Teddy Locsin Jr. (@teddyboylocsin) January 8, 2019

Not surprisingly, everyone had questions. Who-whut-now?

Recently, former DFA Secretary Perfecto Yasay shed some light on the matter.

MOA DFA BSP MREP ICAO ETC

Yasay said that in 2006 the DFA entered into a memorandum of agreement with Bangko Sentral ng Pilipinas (BSP) for the procurement and production of machine readable electronic passports (MREP) in its effort to modernize our system and keep up with international standards.

The BSP awarded through a bidding process the main part of the project to Francois-Charles Oberthur Fiduciare (FCOF) of France through its Makati office. Sounds good and clean so far.

But then came the mess.

APO Vs FCOF

Yasay continued that in 2015, the DFA awarded the production of new passports to a government printing facility—APO Production Unit, Inc., without bidding on condition that no part of the contract can be subcontracted or assigned to a private printer. Essentially this means that APO cannot subcontract with any entity without proper bidding. With this, APO engaged United Graphic Expression Corporation (UGEC) for the production of the new E-passports, violating procedures and conflicting interest with the existing agreement with FCOF, who at this point is still producing E-passports on their own. Apparently, under our noses, there are two companies generating E-passports. Ergo, there are two private companies who hold our personal data.

UGEC is Defiant

Yasay said that on February 2017, the Presidential Legal Counsel determined that what UGEC has done (and continue to do) is illegal. The government then demanded “that all rights over all the personal data, source code, data center and other information relating to the performance of the E-passport printing services unlawfully subcontracted to UGEC be reconveyed to the DFA or be acknowledged to be exclusively owned and controlled by the DFA.”

“Upon information and belief, it appears that UGEC which continues the illegal production of the E-passports has not complied,” Yasay continued.

So, Data Breach or No?

Despite Locsin saying our data were stolen, Yasay believes this is not the case. In an interview with ANC, the former DFA Secretary thinks it could be just a case of UGEC not having the capacity to transfer data from the system designed by the French firm Obertha. Yasay added that it is impossible for Obertha to run away with these data.

In any case, this turned out to be quite the can of worms. You can bet that a Congressional and Senate hearing will be forthcoming. And the rest of us will find yet another reason to mutter “only in da Pilipins.”

What do you think of this whole mess? Tell us below!